Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls
Analysis ID: 355599
MD5: ad9550ee6ece8322501ed92d374d3928
SHA1: d0617e5cb90b4db4fcf2269ffd8228b9ca4f89af
SHA256: 74423c8236cd5057af8e4ffbf84fdcbb34f5e6dc8f8dc0520c685c7fd6bc100a

Most interesting Screenshot:

Detection

Hidden Macro 4.0 TrickBot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Trickbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates a big amount of memory (probably used for heap spraying)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapater information
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls Virustotal: Detection: 11% Perma Link
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls ReversingLabs: Detection: 23%

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Binary contains paths to debug symbols
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 0000000E.00000002.309993835.0000000067C19000.00000002.00020000.sdmp, BASE.BABAA.0.dr

Software Vulnerabilities:

barindex
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: 8[1].jjkes.0.dr Jump to dropped file
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe Jump to behavior
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 1MB later: 106MB
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc dword ptr [esp+40h] 16_2_0000018142C243C0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C243C0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C284E0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C22C44
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc ecx 16_2_0000018142C2B050
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C23860
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov ebx, edx 16_2_0000018142C1EBE0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then cmp byte ptr [ecx+edx+01h], 00000000h 16_2_0000018142C11500
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C198D0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 16_2_0000018142C124E0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec ecx 16_2_0000018142C31890
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C31890
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 16_2_0000018142C2B240
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C15DF0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ecx, word ptr [eax+02h] 16_2_0000018142C19200
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx eax, byte ptr [ebx] 16_2_0000018142C2BE20
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C289B0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx edx, word ptr [eax] 16_2_0000018142C146F0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ebx, word ptr [eax] 16_2_0000018142C23B00
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc edx 16_2_0000018142C1BEC0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C272A0
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.chipmania.it
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.3:49708 -> 185.81.0.78:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.3:49708 -> 185.81.0.78:80

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.81.0.78 185.81.0.78
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /mails/open.php HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.chipmania.itConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mails/open.php HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.chipmania.itConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: www.chipmania.it
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.cortana.ai
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.office.net
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.onedrive.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://augloop.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cdn.entity.
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cortana.ai
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cortana.ai/api
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cr.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://directory.services.
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://graph.windows.net
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://graph.windows.net/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://login.windows.local
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://management.azure.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://management.azure.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://messaging.office.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ncus-000.contentsync.
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://officeapps.live.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://onedrive.live.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://outlook.office.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://settings.outlook.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://tasks.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://wus2-000.contentsync.
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

barindex
Found malicious Excel 4.0 Macro
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 Screenshot OCR: Enable editing button from the yellow bar above 15 16 Once you have enabled editing, please click
Source: Screenshot number: 8 Screenshot OCR: Enable content button ,. . , 17 from the yellow bar above :: ' 20 . 21 22 23 24 25 26 2
Source: Document image extraction number: 0 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 0 Screenshot OCR: Enable content button from the yellow bar above
Source: Document image extraction number: 1 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 1 Screenshot OCR: Enable content button from the yellow bar above 1/'
Found Excel 4.0 Macro with suspicious formulas
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls Initial sample: EXEC
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\BASE.BABAA Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\8[1].jjkes Jump to dropped file
Abnormal high CPU Usage
Source: C:\Windows\System32\wermgr.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C243C0 NtQuerySystemInformation,DuplicateHandle,RtlDeleteBoundaryDescriptor, 16_2_0000018142C243C0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C2B470 NtDelayExecution, 16_2_0000018142C2B470
Detected potential crypto function
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142BB0040 16_2_0000018142BB0040
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C32060 16_2_0000018142C32060
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C243C0 16_2_0000018142C243C0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C2BCA0 16_2_0000018142C2BCA0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C27840 16_2_0000018142C27840
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C18010 16_2_0000018142C18010
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C263A8 16_2_0000018142C263A8
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C217B0 16_2_0000018142C217B0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C25F70 16_2_0000018142C25F70
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C1E0F0 16_2_0000018142C1E0F0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C214F0 16_2_0000018142C214F0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C26100 16_2_0000018142C26100
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C11500 16_2_0000018142C11500
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C26D10 16_2_0000018142C26D10
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C144C0 16_2_0000018142C144C0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C290E0 16_2_0000018142C290E0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C30870 16_2_0000018142C30870
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C28CA0 16_2_0000018142C28CA0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C27630 16_2_0000018142C27630
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C2CA00 16_2_0000018142C2CA00
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C19200 16_2_0000018142C19200
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C2BE20 16_2_0000018142C2BE20
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C289B0 16_2_0000018142C289B0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C22580 16_2_0000018142C22580
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C23B00 16_2_0000018142C23B00
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C2B700 16_2_0000018142C2B700
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C1E310 16_2_0000018142C1E310
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C12720 16_2_0000018142C12720
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C1CEB0 16_2_0000018142C1CEB0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C2CE70 16_2_0000018142C2CE70
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C1A280 16_2_0000018142C1A280
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C11290 16_2_0000018142C11290
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C1C290 16_2_0000018142C1C290
Document contains embedded VBA macros
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\8[1].jjkes AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
Source: Joe Sandbox View Dropped File: C:\Users\user\BASE.BABAA AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
Yara signature match
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@7/8@1/1
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C14C40 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification, 16_2_0000018142C14C40
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache Jump to behavior
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{0DDB1B33-74F5-8CBE-2F10-2ABF9CE5DA77}
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{DB1734B8-B67B-4A31-BD29-86C7EF803FEF} - OProcSessId.dat Jump to behavior
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls OLE indicator, Workbook stream: true
Source: C:\Windows\System32\wermgr.exe System information queried: HandleInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls Virustotal: Detection: 11%
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls ReversingLabs: Detection: 23%
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: unknown Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 0000000E.00000002.309993835.0000000067C19000.00000002.00020000.sdmp, BASE.BABAA.0.dr

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04A01BD0 push dword ptr [edx+14h]; ret 14_2_04A01CDD