Analysis Report Marine Tiger.xlsm

ID:	349782
Product:	CloudBasic
Start time:	08:21:29
Start date:	08.02.2021
Sample:	Marine Tiger.xlsm
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	18d6c58d438aa199c43cec6503ae2a6c
SHA1:	f2dbad3686195f07db9bac1aa7eba45120069ded
SHA256:	6c92ed33934d5a604f57aac4ff33252720354285291791bed88b6f3f15b9631d
Filetype:	Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\Desktop\~$Marine Tiger.xlsm	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185

AV Detection:

Multi AV Scanner detection for submitted file

Source: Marine Tiger.xlsm	Virustotal: Detection: 40%			Perma Link
Source: Marine Tiger.xlsm	ReversingLabs: Detection: 29%

Machine Learning detection for sample

Source: Marine Tiger.xlsm

Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

System Summary:

Document contains an embedded VBA macro with suspicious strings

Source: Marine Tiger.xlsm	OLE, VBA macro line: Set ghhfgfgdsfas = CreateObject("WScript.Shell")
Source: Marine Tiger.xlsm	OLE, VBA macro line: Set ghhfgfgdsfas = CreateObject("WScript.Shell")
Source: Marine Tiger.xlsm	OLE, VBA macro line: Set ghhfgfgdsfas = CreateObject("WScript.Shell")

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: Marine Tiger.xlsm

Stream path 'VBA/ThisWorkbook' : found possibly 'WScript.Shell' functions regdelete, regwrite, run

Document contains an embedded VBA with hexadecimal encoded strings

Source: Marine Tiger.xlsm

Stream path 'VBA/ThisWorkbook' : found hex strings

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: Marine Tiger.xlsm

OLE, VBA macro line: Public Sub Workbook_Open()

Document contains embedded VBA macros

Source: Marine Tiger.xlsm

OLE indicator, VBA macros: true

Classification label

Source: classification engine

Classification label: mal76.expl.winXLSM@5/1@0/0

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Marine Tiger.xlsm

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCC53.tmp

Jump to behavior

Found command line output

Source: C:\Windows\System32\schtasks.exe	Console Write: ................X...............E.R.R.O.R.:. ......................................v.......v......................%.........6...................			Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Console Write: ..".............X................................1.v......................D.......................5...............".....X.................D.....			Jump to behavior

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Sample is known by Antivirus

Source: Marine Tiger.xlsm	Virustotal: Detection: 40%
Source: Marine Tiger.xlsm	ReversingLabs: Detection: 29%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: unknown	Process created: C:\Windows\System32\schtasks.exe schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I			Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Source: unknown

Process created: C:\Windows\System32\schtasks.exe schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\schtasks.exe schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I

Jump to behavior