Analysis Report SecuriteInfo.com.Exploit.Siggen3.10350.14349.29189

Overview

General Information

Sample Name: SecuriteInfo.com.Exploit.Siggen3.10350.14349.29189 (renamed file extension from 29189 to xls)
Analysis ID: 355607
MD5: 7810830918f82b2acdcdb05d2d404bad
SHA1: 095201dab7b66c1268e3921356a2870ad1dc628c
SHA256: c217faa8b517c65418d18c7b14ccb3c307cdbd0b477a7d09332aad25dcd52d81

Detection

Hidden Macro 4.0 TrickBot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Trickbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://www.chipmania.it/mails/open.php Avira URL Cloud: Label: malware

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000FBCA0 CryptAcquireContextW, 6_2_000FBCA0

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 142.202.191.164:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 45.155.173.242:443 -> 192.168.2.22:49170 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: F:\projects\cryptor_beta\Bin\Crypter\CrypterDllReleaseNoLogs\Win32\Crypter.pdb source: rundll32.exe, 00000004.00000002.2087666935.000000006E899000.00000002.00020000.sdmp, BASE.BABAA.0.dr
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000E1290 FindFirstFileW, 6_2_000E1290
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000E46F0 FindFirstFileW,FindNextFileW, 6_2_000E46F0

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 8[1].jjkes.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 60MB
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000F84E0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx edx, word ptr [eax] 6_2_000E46F0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc dword ptr [esp+40h] 6_2_000F43C0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000F43C0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000F2C44
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc ecx 6_2_000FB050
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000F3860
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec ecx 6_2_00101890
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_00101890
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000E98D0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 6_2_000E24E0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then cmp byte ptr [ecx+edx+01h], 00000000h 6_2_000E1500
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000F89B0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000E5DF0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ecx, word ptr [eax+02h] 6_2_000E9200
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx eax, byte ptr [ebx] 6_2_000FBE20
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc esp 6_2_000FB240
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then dec eax 6_2_000F72A0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then inc edx 6_2_000EBEC0
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then movzx ebx, word ptr [eax] 6_2_000F3B00
Source: C:\Windows\System32\wermgr.exe Code function: 4x nop then mov ebx, edx 6_2_000EEBE0
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.chipmania.it
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49166 -> 94.140.114.136:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 185.81.0.78:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404348 ET CNC Feodo Tracker Reported CnC Server TCP group 25 192.168.2.22:49166 -> 94.140.114.136:443
Source: Traffic Snort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.22:49168 -> 142.202.191.164:443
Source: Traffic Snort IDS: 2404332 ET CNC Feodo Tracker Reported CnC Server TCP group 17 192.168.2.22:49170 -> 45.155.173.242:443
Source: Traffic Snort IDS: 2404324 ET CNC Feodo Tracker Reported CnC Server TCP group 13 192.168.2.22:49173 -> 200.52.147.93:443
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49175 -> 182.253.107.34:443
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 142.202.191.164
Source: Joe Sandbox View IP Address: 45.155.173.242
Source: Joe Sandbox View IP Address: 185.81.0.78
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DYNUUS
Source: Joe Sandbox View ASN Name: COMBAHTONcombahtonGmbHDE
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 8c4a22651d328568ec66382a84fc505f
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /mails/open.php HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.chipmania.it
Connection: Keep-Alive
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 142.202.191.164:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown HTTPS traffic detected: 45.155.173.242:443 -> 192.168.2.22:49170 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 94.140.114.136
Source: unknown TCP traffic detected without corresponding DNS query: 142.202.191.164
Source: unknown TCP traffic detected without corresponding DNS query: 45.155.173.242
Source: unknown TCP traffic detected without corresponding DNS query: 194.5.249.156
Source: unknown TCP traffic detected without corresponding DNS query: 200.52.147.93
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000003.00000002.2087834825.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2086823918.0000000001D90000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2352494352.0000000033B10000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: www.chipmania.it
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en&
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.6.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2087834825.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2086823918.0000000001D90000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2352494352.0000000033B10000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2087834825.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2086823918.0000000001D90000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2352494352.0000000033B10000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2088023481.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2086990491.0000000001F77000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2352700395.0000000033CF7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2088023481.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2086990491.0000000001F77000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2352700395.0000000033CF7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: wermgr.exe, 00000006.00000002.2352219199.0000000033720000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: wermgr.exe, 00000006.00000002.2353002125.00000000341D0000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: rundll32.exe, 00000003.00000002.2088023481.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2086990491.0000000001F77000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2352700395.0000000033CF7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2088023481.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2086990491.0000000001F77000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2352700395.0000000033CF7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: wermgr.exe, 00000006.00000002.2352219199.0000000033720000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2087834825.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2086823918.0000000001D90000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2352494352.0000000033B10000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2088023481.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2086990491.0000000001F77000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2352700395.0000000033CF7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2087834825.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2086823918.0000000001D90000.00000002.00000001.sdmp, wermgr.exe, 00000006.00000002.2352494352.0000000033B10000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: wermgr.exe, 00000006.00000002.2352494352.0000000033B10000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: https://142.202.191.164/rob60/651689_W617601.4E09BB1E4C0BB7F7B798E195EF9953B3/5/file/
Source: wermgr.exe, 00000006.00000002.2347564361.000000000039F000.00000004.00000020.sdmp String found in binary or memory: https://194.5.249.156/rob60/651689_W617601.4E09BB1E4C0BB7F7B798E195EF9953B3/5/file/
Source: wermgr.exe, 00000006.00000002.2347516377.000000000031A000.00000004.00000020.sdmp, wermgr.exe, 00000006.00000002.2347500342.00000000002EE000.00000004.00000020.sdmp String found in binary or memory: https://200.52.147.93/rob60/651689_W617601.4E09BB1E4C0BB7F7B798E195EF9953B3/5/file/
Source: wermgr.exe, 00000006.00000002.2347558185.000000000038D000.00000004.00000020.sdmp String found in binary or memory: https://45.155.173.242/rob60/651689_W617601.4E09BB1E4C0BB7F7B798E195EF9953B3/5/file/
Source: wermgr.exe, 00000006.00000002.2347522468.0000000000328000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443

System Summary:

Found malicious Excel 4.0 Macro
Source: SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing button from the yellow bar above 15 " Once you have enabled editing, please click
Source: Screenshot number: 4 Screenshot OCR: Enable content button jl , ' ' "==~ " from the yellow bar above 1| 24 25 26 27 28 29 30
Source: Document image extraction number: 0 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 0 Screenshot OCR: Enable content button from the yellow bar above I \ , I ' /
Source: Document image extraction number: 1 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enable
Source: Document image extraction number: 1 Screenshot OCR: Enable content button from the yellow bar above j'
Found Excel 4.0 Macro with suspicious formulas
Source: SecuriteInfo.com.Exploit.Siggen3.10350.14349.xls Initial sample: EXEC
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\8[1].jjkes
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\BASE.BABAA
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000FB470 NtDelayExecution, 6_2_000FB470
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000F43C0 NtQuerySystemInformation,DuplicateHandle,CLSIDFromString,HeapFree, 6_2_000F43C0
Detected potential crypto function
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00102060 6_2_00102060
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000FBCA0 6_2_000FBCA0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000F8CA0 6_2_000F8CA0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000EE0F0 6_2_000EE0F0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000E1290 6_2_000E1290
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000F43C0 6_2_000F43C0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000E8010 6_2_000E8010
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000F7840 6_2_000F7840
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_00100870 6_2_00100870
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000E44C0 6_2_000E44C0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000F90E0 6_2_000F90E0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000F14F0 6_2_000F14F0
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000E1500 6_2_000E1500
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000F6100 6_2_000F6100
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000F6D10 6_2_000F6D10
Source: C:\Windows\System32\wermgr.exe Code function: 6_2_000F2580 6_2_000F2580
Source: C:\Windows\System32\wermgr.exe