Sample Name: SecuriteInfo.com.Exploit.Siggen3.10350.12632.7055 (renamed file extension from 7055 to xls)
Analysis ID: 355602
MD5: 422030b616989ef7bf2f56a2f266068f
SHA1: 04ec47e9f08ed7e4861c6f252a381faee4283bf9
SHA256: 6f1c23f3d7e471cf0c4a91f59c94853128413b84065ef42ad2065337b973beab
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
AV Detection:
Signature | Source
---|---
Antivirus detection for URL or domain | Avira URL Cloud
Multi AV Scanner detection for submitted file | ReversingLabs
Cryptography:
Signature | Source
---|---
Uses Microsoft's Enhanced Cryptographic Provider | Code function 6_2_0007BCA0
Compliance:
Signature | Source
---|---
Uses new MSVCR Dlls | File opened
Binary contains paths to debug symbols | Binary string
(signature name not preserved) | Code functions 6_2_00061290, 6_2_000646F0
Software Vulnerabilities:
Signature | Source
---|---
Document exploit detected (drops PE files) | File created
Document exploit detected (UrlDownloadToFile) | Section loaded
Document exploit detected (process start blacklist hit) | Process created
Allocates a big amount of memory (probably used for heap spraying) | Memory has grown
Found inlined nop instructions (likely shell or obfuscated code) | Code functions (21 matches; address list omitted)
Potential document exploit detected (performs DNS queries) | DNS query
Potential document exploit detected (performs HTTP gets) | TCP traffic
Potential document exploit detected (unknown TCP traffic) | TCP traffic
Networking:
Signature | Source
---|---
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) | Snort IDS (4 alerts; rule text not preserved)
IP address seen in connection with other malware | IP Address (2 entries)
Internet Provider seen in connection with other malware | ASN Name
Uses a known web browser user agent for HTTP communication | HTTP traffic detected
(signature names not preserved) | TCP traffic detected without corresponding DNS query (5 entries); File created; HTTP traffic detected; String found in binary or memory; DNS traffic detected; String found in binary or memory (15 entries); Network traffic detected (2 entries)
System Summary:
Signature | Source
---|---
Found malicious Excel 4.0 Macro | Initial sample
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Screenshot OCR (6 entries; OCR text not preserved)
Found Excel 4.0 Macro with suspicious formulas | Initial sample
Office process drops PE file | File created (2 files)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc) | Memory allocated (2 entries)
Contains functionality to call native functions | Code functions 6_2_0007B470, 6_2_000743C0
Detected potential crypto function | Code functions (33 matches; address list omitted)
Document contains embedded VBA macros | OLE indicator, VBA macros
Dropped file seen in connection with other malware | Dropped File (2 entries)
Yara signature match | Matched rule
(signature names not preserved) | Binary or memory string; Classification label; Code function 6_2_00064C40; File created; Mutant created; File created; OLE indicator, Workbook stream; System information queried; File read; Key opened; Process created; ReversingLabs; Process created (9 entries); Window detected; Key opened; File opened; Binary string
Data Obfuscation:
Signature | Source
---|---
Uses code obfuscation techniques (call, push, ret) | Code functions 4_2_00811CDD (3 matches), 6_2_0007D0F5
Persistence and Installation Behavior:
Signature | Source
---|---
Drops PE files | File created (2 files)
Drops PE files to the user directory | File created
Drops files with a non-matching file extension (content does not match file extension) | File created (2 files)
Boot Survival:
Signature | Source
---|---
Drops PE files to the user root directory | File created
(signature name not preserved) | Process information set (27 entries)
Malware Analysis System Evasion:
Signature | Source
---|---
Found evasive API chain (trying to detect sleep duration tampering with parallel thread) | Function Chain
Tries to detect virtualization through RDTSC time measurements | RDTSC instruction interceptor
Contains functionality for execution timing, often used to detect debuggers | Code function 6_2_0006EAD0
Contains functionality to query network adapter information | Code function 6_2_000784E0
Found dropped PE file which has not been started or loaded | Dropped PE file which has not been started
Sample execution stops while process was sleeping (likely an evasion) | Last function (2 entries)
(signature name not preserved) | Code functions 6_2_00061290, 6_2_000646F0
Anti Debugging:
Signature | Source
---|---
Contains functionality for execution timing, often used to detect debuggers | Code function 6_2_0006EAD0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress) | Code function 6_2_00073070
Contains functionality to check if a debugger is running (IsDebuggerPresent) | Code function 4_2_6E89B044
(signature name not preserved) | Code functions 4_2_6E89B044, 4_2_6E897DE5, 6_2_00082060
HIPS / PFW / Operating System Protection Evasion:
Signature | Source
---|---
Allocates memory in foreign processes | Memory allocated
Writes to foreign memory regions | Memory written (2 entries)
Creates a process in suspended mode (likely to inject code) | Process created (3 entries)
(signature name not preserved) | Binary or memory string (3 entries)
Language, Device and Operating System Detection:
Signature | Source
---|---
Queries the volume information (name, serial number etc) of a device | Queries volume information
Stealing of Sensitive Information:
Signature | Source
---|---
Yara detected Trickbot | File source (7 entries)
Remote Access Functionality:
Signature | Source
---|---
Yara detected Trickbot | File source (7 entries)
IP | Domain | Country | ASN | ASN Name | Malicious
---|---|---|---|---|---
185.81.0.78 | unknown | Italy | 52030 | SERVERPLAN-ASIT | false
200.52.147.93 | unknown | Honduras | 27932 | RedesyTelecomunicacionesHN | true
Name | IP | Active
---|---|---
chipmania.it | 185.81.0.78 | true
www.chipmania.it | unknown | unknown
api.ip.sb | unknown | unknown
Name | Malicious | Antivirus Detection | Reputation
---|---|---|---
(name not preserved) | true | | unknown