Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls
Analysis ID: 355599
MD5: ad9550ee6ece8322501ed92d374d3928
SHA1: d0617e5cb90b4db4fcf2269ffd8228b9ca4f89af
SHA256: 74423c8236cd5057af8e4ffbf84fdcbb34f5e6dc8f8dc0520c685c7fd6bc100a

Most interesting Screenshot:

Detection

Hidden Macro 4.0 TrickBot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Trickbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates a big amount of memory (probably used for heap spraying)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query network adapater information
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls Virustotal: Detection: 11% Perma Link
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls ReversingLabs: Detection: 23%

Compliance:

barindex
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Binary contains paths to debug symbols
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 0000000E.00000002.309993835.0000000067C19000.00000002.00020000.sdmp, BASE.BABAA.0.dr

Software Vulnerabilities:

barindex
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: 8[1].jjkes.0.dr Jump to dropped file
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe Jump to behavior
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 1MB later: 106MB
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc dword ptr [esp+40h] 16_2_0000018142C243C0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C243C0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C284E0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C22C44
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc ecx 16_2_0000018142C2B050
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C23860
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov ebx, edx 16_2_0000018142C1EBE0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then cmp byte ptr [ecx+edx+01h], 00000000h 16_2_0000018142C11500
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C198D0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 16_2_0000018142C124E0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec ecx 16_2_0000018142C31890
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C31890
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 16_2_0000018142C2B240
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C15DF0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ecx, word ptr [eax+02h] 16_2_0000018142C19200
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx eax, byte ptr [ebx] 16_2_0000018142C2BE20
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C289B0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx edx, word ptr [eax] 16_2_0000018142C146F0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ebx, word ptr [eax] 16_2_0000018142C23B00
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc edx 16_2_0000018142C1BEC0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 16_2_0000018142C272A0
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.chipmania.it
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.3:49708 -> 185.81.0.78:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.3:49708 -> 185.81.0.78:80

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.81.0.78 185.81.0.78
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /mails/open.php HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.chipmania.itConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /mails/open.php HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.chipmania.itConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: www.chipmania.it
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.cortana.ai
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.office.net
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.onedrive.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://augloop.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cdn.entity.
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cortana.ai
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cortana.ai/api
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://cr.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://directory.services.
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://graph.windows.net
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://graph.windows.net/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://login.windows.local
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://management.azure.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://management.azure.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://messaging.office.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ncus-000.contentsync.
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ncus-000.pagecontentsync.
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://officeapps.live.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://onedrive.live.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://outlook.office.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://settings.outlook.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://tasks.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://wus2-000.contentsync.
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://wus2-000.pagecontentsync.
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 0A9D11FF-4298-45F3-AA1F-C11C872960F8.0.dr String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

barindex
Found malicious Excel 4.0 Macro
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 Screenshot OCR: Enable editing button from the yellow bar above 15 16 Once you have enabled editing, please click
Source: Screenshot number: 8 Screenshot OCR: Enable content button ,. . , 17 from the yellow bar above :: ' 20 . 21 22 23 24 25 26 2
Source: Document image extraction number: 0 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 0 Screenshot OCR: Enable content button from the yellow bar above
Source: Document image extraction number: 1 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 1 Screenshot OCR: Enable content button from the yellow bar above 1/'
Found Excel 4.0 Macro with suspicious formulas
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls Initial sample: EXEC
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\BASE.BABAA Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\8[1].jjkes Jump to dropped file
Abnormal high CPU Usage
Source: C:\Windows\System32\wermgr.exe Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C243C0 NtQuerySystemInformation,DuplicateHandle,RtlDeleteBoundaryDescriptor, 16_2_0000018142C243C0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C2B470 NtDelayExecution, 16_2_0000018142C2B470
Detected potential crypto function
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142BB0040 16_2_0000018142BB0040
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C32060 16_2_0000018142C32060
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C243C0 16_2_0000018142C243C0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C2BCA0 16_2_0000018142C2BCA0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C27840 16_2_0000018142C27840
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C18010 16_2_0000018142C18010
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C263A8 16_2_0000018142C263A8
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C217B0 16_2_0000018142C217B0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C25F70 16_2_0000018142C25F70
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C1E0F0 16_2_0000018142C1E0F0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C214F0 16_2_0000018142C214F0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C26100 16_2_0000018142C26100
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C11500 16_2_0000018142C11500
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C26D10 16_2_0000018142C26D10
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C144C0 16_2_0000018142C144C0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C290E0 16_2_0000018142C290E0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C30870 16_2_0000018142C30870
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C28CA0 16_2_0000018142C28CA0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C27630 16_2_0000018142C27630
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C2CA00 16_2_0000018142C2CA00
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C19200 16_2_0000018142C19200
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C2BE20 16_2_0000018142C2BE20
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C289B0 16_2_0000018142C289B0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C22580 16_2_0000018142C22580
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C23B00 16_2_0000018142C23B00
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C2B700 16_2_0000018142C2B700
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C1E310 16_2_0000018142C1E310
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C12720 16_2_0000018142C12720
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C1CEB0 16_2_0000018142C1CEB0
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C2CE70 16_2_0000018142C2CE70
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C1A280 16_2_0000018142C1A280
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C11290 16_2_0000018142C11290
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C1C290 16_2_0000018142C1C290
Document contains embedded VBA macros
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\8[1].jjkes AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
Source: Joe Sandbox View Dropped File: C:\Users\user\BASE.BABAA AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
Yara signature match
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@7/8@1/1
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C14C40 LookupPrivilegeValueW,AdjustTokenPrivileges,FindCloseChangeNotification, 16_2_0000018142C14C40
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache Jump to behavior
Source: C:\Windows\System32\wermgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{0DDB1B33-74F5-8CBE-2F10-2ABF9CE5DA77}
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{DB1734B8-B67B-4A31-BD29-86C7EF803FEF} - OProcSessId.dat Jump to behavior
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls OLE indicator, Workbook stream: true
Source: C:\Windows\System32\wermgr.exe System information queried: HandleInformation Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls Virustotal: Detection: 11%
Source: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls ReversingLabs: Detection: 23%
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: unknown Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: unknown Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 0000000E.00000002.309993835.0000000067C19000.00000002.00020000.sdmp, BASE.BABAA.0.dr

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04A01BD0 push dword ptr [edx+14h]; ret 14_2_04A01CDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04A01C7A push dword ptr [edx+14h]; ret 14_2_04A01CDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_04A01CFD push dword ptr [edx+14h]; ret 14_2_04A01CDD
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C2D0F0 push 8B48D233h; iretd 16_2_0000018142C2D0F5

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\BASE.BABAA Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\8[1].jjkes Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\BASE.BABAA Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\8[1].jjkes Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\BASE.BABAA Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\BASE.BABAA Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Windows\System32\wermgr.exe Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,languageOrLocalQueried,languageOrLocalQueried,adjustToken,systemQueried,systemQueried,threadDelayed,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,threadInformationSet,threadInformationSet,threadDelayed,threadDelayed,threadDelayed,threadDelayed
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\wermgr.exe RDTSC instruction interceptor: First address: 0000018142C1EAD0 second address: 0000018142C1EAD0 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec esp 0x0000000b mov edi, eax 0x0000000d call dword ptr [0000E3AEh] 0x00000013 mov ecx, 7FFE0320h 0x00000018 dec eax 0x00000019 mov ecx, dword ptr [ecx] 0x0000001b mov eax, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 imul eax, ecx 0x00000026 dec eax 0x00000027 shr eax, 18h 0x0000002a ret 0x0000002b inc esp 0x0000002c mov esi, eax 0x0000002e dec ecx 0x0000002f mov esi, edi 0x00000031 dec eax 0x00000032 xor esi, FFFFFF00h 0x00000038 dec ecx 0x00000039 and esi, edi 0x0000003b call 00007FD4ECC9DC86h 0x00000040 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C1EAD0 rdtsc 16_2_0000018142C1EAD0
Contains functionality to query network adapater information
Source: C:\Windows\System32\wermgr.exe Code function: GetAdaptersInfo,RtlDeleteBoundaryDescriptor, 16_2_0000018142C284E0
Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\8[1].jjkes Jump to dropped file
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\wermgr.exe Last function: Thread delayed
Source: wermgr.exe, 00000010.00000002.569764866.0000018142C81000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C1EAD0 rdtsc 16_2_0000018142C1EAD0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\System32\wermgr.exe Code function: 16_2_0000018142C23070 LdrLoadDll, 16_2_0000018142C23070

HIPS / PFW / Operating System Protection Evasion:

barindex
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\wermgr.exe base: 18142C10000 protect: page execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 18142C10000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\wermgr.exe base: 7FF7CA4F2860 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe Jump to behavior
Source: wermgr.exe, 00000010.00000002.570684815.0000018143480000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: wermgr.exe, 00000010.00000002.570684815.0000018143480000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: wermgr.exe, 00000010.00000002.570684815.0000018143480000.00000002.00000001.sdmp Binary or memory string: Progman
Source: wermgr.exe, 00000010.00000002.570684815.0000018143480000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wermgr.exe Queries volume information: C:\ VolumeInformation Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Trickbot
Source: Yara match File source: 0000000E.00000003.304386542.0000000000E7F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.308987556.0000000004840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.304304596.0000000004935000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.309036588.00000000048D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.304224445.0000000000E07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.304290876.0000000000E7F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.304101028.00000000048D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 14.2.rundll32.exe.4840000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.4840000.2.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected Trickbot
Source: Yara match File source: 0000000E.00000003.304386542.0000000000E7F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.308987556.0000000004840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.304304596.0000000004935000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.309036588.00000000048D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.304224445.0000000000E07000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.304290876.0000000000E7F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.304101028.00000000048D1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 14.2.rundll32.exe.4840000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.4840000.2.unpack, type: UNPACKEDPE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 355599 Sample: SecuriteInfo.com.Exploit.Si... Startdate: 20/02/2021 Architecture: WINDOWS Score: 100 30 Multi AV Scanner detection for submitted file 2->30 32 Found malicious Excel 4.0 Macro 2->32 34 Document exploit detected (drops PE files) 2->34 36 6 other signatures 2->36 7 EXCEL.EXE 31 48 2->7         started        process3 dnsIp4 26 www.chipmania.it 7->26 28 chipmania.it 185.81.0.78, 49708, 80 SERVERPLAN-ASIT Italy 7->28 20 C:\Users\user\BASE.BABAA, PE32 7->20 dropped 22 C:\Users\user\AppData\Local\...\8[1].jjkes, PE32 7->22 dropped 24 SecuriteInfo.com.E...10350.27303.xls.LNK, MS 7->24 dropped 38 Document exploit detected (process start blacklist hit) 7->38 40 Document exploit detected (UrlDownloadToFile) 7->40 12 rundll32.exe 7->12         started        file5 signatures6 process7 signatures8 42 Writes to foreign memory regions 12->42 44 Allocates memory in foreign processes 12->44 15 wermgr.exe 12->15         started        18 wermgr.exe 12->18         started        process9 signatures10 46 Tries to detect virtualization through RDTSC time measurements 15->46 48 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 15->48
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.81.0.78
 unknown Italy
52030 SERVERPLAN-ASIT false

Contacted Domains

Name IP Active
chipmania.it 185.81.0.78 true
www.chipmania.it unknown unknown