Analysis Report ACH WIRE PAYMENT ADVICE..xlsx

Overview

General Information

Sample Name: ACH WIRE PAYMENT ADVICE..xlsx
Analysis ID: 339280
MD5: a66a202e970df086cc265cb646127bfb
SHA1: c8986173e16bb9b0703490afba594ec5eef08a4a
SHA256: e29c6206512f1f778f1af9a1ff2af2bb82107271e00c873930398b703294d75e

Detection

HTMLPhisher
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected HtmlPhish_25
Phishing site detected (based on image similarity)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Steals Internet Explorer cookies

Classification

Phishing:

Yara detected HtmlPhish_25
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ZlFRrg5s[1].htm, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\ZlFRrg5s[1].htm, type: DROPPED
Phishing site detected (based on image similarity)
Source: https://images.typeform.com/images/nXkRcNPp6wtg/background/large Matcher: Found strong image similarity, brand: Microsoft

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.247.242.19 162.247.242.19
Source: Joe Sandbox View IP Address: 143.204.99.83 143.204.99.83
Source: Joe Sandbox View IP Address: 162.247.242.21 162.247.242.21
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FD9543EC.jpeg
Source: unknown DNS traffic detected: queries for: 24mbw17feyn.typeform.com
Source: classification engine Classification label: mal52.phis.winXLSX@8/81@17/8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$ACH WIRE PAYMENT ADVICE..xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD9EA.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:275457 /prefetch:2
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://24mbw17feyn.typeform.com/to/ZlFRrg5s
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1336 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' https://24mbw17feyn.typeform.com/to/ZlFRrg5s
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2792 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1336 CREDAT:275457 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX

Stealing of Sensitive Information:

Steals Internet Explorer cookies
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\SOERHJ3M.txt
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\NT7KOKIT.txt

Behavior Graph

Behavior Graph ID: 339280
Sample: ACH WIRE PAYMENT ADVICE..xlsx
Startdate: 13/01/2021
Architecture: WINDOWS
Score: 52
Signatures: Yara detected HtmlPhish_25; Phishing site detected (based on image similarity)

Process tree recovered from the graph:
EXCEL.EXE (started by the sample): contacts 143.204.93.117:443 (AMAZON-02US, United States), images.typeform.com and 2 other IPs or domains; starts iexplore.exe
iexplore.exe (started by the sample): starts iexplore.exe
iexplore.exe (started by EXCEL.EXE): resolves 24mbw17feyn.typeform.com; starts iexplore.exe
iexplore.exe (child of the sample's iexplore.exe): contacts 162.247.242.19:443 (ports 49199, 49200; NEWRELIC-AS-1US, United States), bam.nr-data.net 162.247.242.21:443 (NEWRELIC-AS-1US, United States) and 11 other IPs or domains; drops C:\Users\user\AppData\...\ZlFRrg5s[1].htm (HTML)
iexplore.exe (child of EXCEL.EXE's iexplore.exe): contacts renderer-assets.typeform.com, js-agent.newrelic.com and 6 other IPs or domains; drops C:\Users\user\AppData\...\ZlFRrg5s[1].htm (HTML)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
162.247.242.19 unknown United States 23467 NEWRELIC-AS-1US false
143.204.93.117 unknown United States 16509 AMAZON-02US false
143.204.93.100 unknown United States 16509 AMAZON-02US false
143.204.99.83 unknown United States 16509 AMAZON-02US false
162.247.242.21 unknown United States 23467 NEWRELIC-AS-1US false
13.224.194.82 unknown United States 16509 AMAZON-02US false
143.204.93.16 unknown United States 16509 AMAZON-02US false
34.218.160.124 unknown United States 16509 AMAZON-02US false

Contacted Domains

Name IP Active
d296je7bbdd650.cloudfront.net 143.204.99.83 true
api.segment.io 34.218.160.124 true
d2citsn5wf4j9j.cloudfront.net 143.204.93.100 true
d2nvsmtq2poimt.cloudfront.net 143.204.93.16 true
bam.nr-data.net 162.247.242.21 true
d2p6vz8nayi9a3.cloudfront.net 13.224.194.82 true
cdn.segment.com unknown unknown
renderer-assets.typeform.com unknown unknown
public-assets.typeform.com unknown unknown
js-agent.newrelic.com unknown unknown
images.typeform.com unknown unknown
24mbw17feyn.typeform.com unknown unknown