Analysis Report papers (71).xls

Overview

General Information

Sample Name: papers (71).xls
Analysis ID: 358604
MD5: 540499ef024a652fea8780e11398f03c
SHA1: 33da766338fa9fd840b1f43a6330a0af8cfa0a39
SHA256: 8dfff9a2ff5cb2b8d70cf43fd0dc7a521570105d623cf28b76f8c66a9a664dd6

Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Schedule REGSVR windows binary
Yara detected Qbot
Allocates memory in foreign processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office process drops PE file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected hidden Macro 4.0 in Excel
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.300000.0.raw.unpack Malware Configuration Extractor: Qbot {"C2 list": ["78.63.226.32:443", "197.51.82.72:443", "193.248.221.184:2222", "95.77.223.148:443", "71.199.192.62:443", "77.211.30.202:995", "80.227.5.69:443", "77.27.204.204:995", "81.97.154.100:443", "173.184.119.153:995", "38.92.225.121:443", "81.150.181.168:2222", "90.65.236.181:2222", "83.110.103.152:443", "73.153.211.227:443", "188.25.63.105:443", "89.137.211.239:995", "202.188.138.162:443", "98.173.34.212:995", "87.202.87.210:2222", "195.12.154.8:443", "47.217.24.69:6881", "182.48.193.200:443", "108.160.123.244:443", "96.57.188.174:2222", "45.118.216.157:443", "84.72.35.226:443", "172.115.177.204:2222", "86.236.77.68:2222", "82.127.125.209:990", "176.181.247.197:443", "97.69.160.4:2222", "90.101.117.122:2222", "189.223.201.91:443", "140.82.49.12:443", "2.7.69.217:2222", "83.110.12.140:2222", "85.132.36.111:2222", "197.45.110.165:995", "149.28.99.97:995", "45.63.107.192:2222", "149.28.98.196:2222", "149.28.99.97:2222", "144.202.38.185:443", "149.28.99.97:443", "45.63.107.192:443", "45.63.107.192:995", "144.202.38.185:2222", "149.28.101.90:995", "149.28.101.90:2222", "149.28.101.90:8443", "45.32.211.207:8443", "149.28.98.196:995", "149.28.98.196:443", "45.32.211.207:995", "149.28.101.90:443", "207.246.77.75:443", "45.77.115.208:8443", "207.246.77.75:995", "207.246.77.75:2222", "45.32.211.207:2222", "45.32.211.207:443", "45.77.115.208:995", "144.202.38.185:995", "45.77.115.208:2222", "207.246.116.237:8443", "207.246.116.237:2222", "207.246.77.75:8443", "207.246.116.237:995", "207.246.116.237:443", "45.77.117.108:443", "45.77.117.108:995", "45.77.117.108:8443", "45.77.117.108:2222", "45.77.115.208:443", "89.3.198.238:443", "2.232.253.79:995", "73.25.124.140:2222", "136.232.34.70:443", "157.131.108.180:443", "217.133.54.140:32100", "195.43.173.70:443", "86.98.93.124:2078", "176.205.222.30:2078", "105.96.8.96:443", "50.29.166.232:995", "27.223.92.142:995", "119.153.62.76:3389", 
"47.187.115.228:443", "67.6.12.4:443", "65.27.228.247:443", "23.240.70.80:995", "216.201.162.158:443", "139.216.137.189:995", "64.121.114.87:443", "79.129.121.81:995", "172.87.157.235:3389", "75.118.1.141:443", "75.136.26.147:443", "96.250.60.138:443", "50.244.112.106:443", "115.133.243.6:443", "47.196.192.184:443", "45.46.53.140:2222", "105.198.236.101:443", "144.139.166.18:443", "196.151.252.84:443", "71.197.126.250:443", "196.221.207.137:995", "71.117.132.169:443", "74.68.144.202:443", "76.25.142.196:443", "98.240.24.57:443", "144.139.47.206:443", "86.245.46.27:2222", "173.21.10.71:2222", "78.97.207.104:443", "86.220.60.133:2222", "69.245.102.225:443", "94.53.92.42:443", "71.74.12.34:443", "84.247.55.190:8443", "173.25.45.66:443", "46.153.55.149:995", "78.22.58.205:3389", "105.198.236.99:443", "24.152.219.253:995", "82.76.47.211:443", "189.223.234.23:995", "96.37.113.36:993", "47.187.74.181:443", "50.25.89.74:443", "174.104.31.209:443", "199.19.117.131:443", "201.143.235.13:443", "189.146.183.105:443", "181.48.190.78:443", "189.223.97.175:443", "47.22.148.6:443", "
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1502[1].gif Metadefender: Detection: 18%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1502[1].gif ReversingLabs: Detection: 89%
Multi AV Scanner detection for submitted file
Source: papers (71).xls Virustotal: Detection: 46%
Source: papers (71).xls ReversingLabs: Detection: 44%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1502[1].gif Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 104.196.7.213:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B1217 lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,FindFirstFileW,MultiByteToWideChar,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,FindNextFileW,GetOEMCP,lstrcpynA,GetOEMCP, 5_2_003B1217

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 1502[1].gif.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: remedial.aaua.edu.ng
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.196.7.213:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.196.7.213:443

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000003.00000002.2096147925.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094608383.00000000021A0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: remedial.aaua.edu.ng
Source: rundll32.exe, 00000003.00000002.2096147925.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094608383.00000000021A0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2096147925.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094608383.00000000021A0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2097138405.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094775548.0000000002387000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2097138405.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094775548.0000000002387000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000004.00000002.2095412048.0000000002BF0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.2356334217.0000000002040000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356236922.0000000000860000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2100983303.0000000000CA0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 0000000A.00000002.2102220573.0000000000A20000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2100622492.0000000000840000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: rundll32.exe, 00000003.00000002.2097138405.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094775548.0000000002387000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2097138405.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094775548.0000000002387000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000004.00000002.2095412048.0000000002BF0000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.2356334217.0000000002040000.00000002.00000001.sdmp, taskeng.exe, 00000008.00000002.2356236922.0000000000860000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2100983303.0000000000CA0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000003.00000002.2096147925.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094608383.00000000021A0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2097138405.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094775548.0000000002387000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2096147925.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094608383.00000000021A0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2094608383.00000000021A0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown HTTPS traffic detected: 104.196.7.213:443 -> 192.168.2.22:49167 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 2CIick on "Enable content" to perform Microsoft Word Decryption Core to start the d
Source: Screenshot number: 4 Screenshot OCR: Enable content" to perform Microsoft Word Decryption Core to start the decryption of the document.
Source: Document image extraction number: 2 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet."7, 0Protected View Thi
Source: Document image extraction number: 2 Screenshot OCR: Enable content" to perform Microsoft Word Decryption Core to start the decryption of the document.
Source: Document image extraction number: 3 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet.y 0Protected View This
Source: Document image extraction number: 3 Screenshot OCR: Enable content" to perform Microsoft Word Decryption Core to start the decryption of the document.
Found Excel 4.0 Macro with suspicious formulas
Source: papers (71).xls Initial sample: CALL
Source: papers (71).xls Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: papers (71).xls Initial sample: Sheet size: 4604
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\kdfe.vbox
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1502[1].gif
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0013009C NtAllocateVirtualMemory, 4_2_0013009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00130066 NtAllocateVirtualMemory, 4_2_00130066
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00130285 NtProtectVirtualMemory, 4_2_00130285
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001308D9 4_2_001308D9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B3630 5_2_003B3630
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B862B 5_2_003B862B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003AA60D 5_2_003AA60D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003ABA65 5_2_003ABA65
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003AC6FD 5_2_003AC6FD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003AFBC4 5_2_003AFBC4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003BB0AF 5_2_003BB0AF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003C1488 5_2_003C1488
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B40C2 5_2_003B40C2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003C0D09 5_2_003C0D09
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B9566 5_2_003B9566
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B55A8 5_2_003B55A8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B4981 5_2_003B4981
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B05E8 5_2_003B05E8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B1217 5_2_003B1217
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003AF267 5_2_003AF267
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B5A4F 5_2_003B5A4F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003BCABD 5_2_003BCABD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003C1E97 5_2_003C1E97
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B6AFA 5_2_003B6AFA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003C3AFF 5_2_003C3AFF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003BAB20 5_2_003BAB20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B735C 5_2_003B735C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003BD3B3 5_2_003BD3B3
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B1F8B 5_2_003B1F8B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003BBBFA 5_2_003BBBFA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B43F7 5_2_003B43F7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003ADBEC 5_2_003ADBEC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003BC7C3 5_2_003BC7C3
Document contains embedded VBA macros
Source: papers (71).xls OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1502[1].gif 743677C0B3ADCAAD1C801E7B9AB5B116CA6AAC844976A18520151A2310B7F4D8
Source: Joe Sandbox View Dropped File: C:\Users\user\kdfe.vbox 2A6DC00BDCACD9E65A4B99D9D8DD4DB64554A2DB3E5F0A2F9D2702B99D88AC0F
PE file does not import any functions
Source: kdfe.vbox.5.dr Static PE information: No import functions for PE file found
Yara signature match
Source: papers (71).xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2096147925.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2094608383.00000000021A0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@18/12@1/1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B6EC8 MultiByteToWideChar,CoInitializeEx,lstrcpynA,CoInitializeSecurity,lstrcpynA,lstrlenA,GetCurrentProcessId,GetOEMCP,GetOEMCP,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,lstrcpynA,SysAllocString,GetOEMCP,MultiByteToWideChar,lstrcpynA,CoSetProxyBlanket,lstrlenA,GetCurrentProcessId,MultiByteToWideChar,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA, 5_2_003B6EC8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\C8CE0000
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{B7826249-FDFD-43D6-956D-968FE05046B6}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{1EAC1A0A-E127-43E1-A141-1FE4F3758196}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC042.tmp
Source: papers (71).xls OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: .................................&[.....(.P.............@...............Oz...................................................................... Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\kdfe.vbox,DllRegisterServer
Source: papers (71).xls Virustotal: Detection: 46%
Source: papers (71).xls ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\kdfe.vbox,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\kdfe.vbox,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn sgovokol /tr 'regsvr32.exe -s \'C:\Users\user\kdfe.vbox\'' /SC ONCE /Z /ST 22:40 /ET 22:52
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {DA6299CA-95CA-4E9D-8974-2CC05321254C} S-1-5-18:NT AUTHORITY\System:Service:
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\kdfe.vbox'
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\kdfe.vbox'
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\kdfe.vbox'
Source: unknown Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\kdfe.vbox'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\kdfe.vbox,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\kdfe.vbox,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn sgovokol /tr 'regsvr32.exe -s \'C:\Users\user\kdfe.vbox\'' /SC ONCE /Z /ST 22:40 /ET 22:52
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\kdfe.vbox'
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\kdfe.vbox'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\kdfe.vbox'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\kdfe.vbox'
Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

PE file contains an invalid checksum
Source: kdfe.vbox.5.dr Static PE information: real checksum: 0x55188 should be: 0x5e339
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00130397 push dword ptr [esp+0Ch]; ret 4_2_001303AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00130397 push dword ptr [esp+10h]; ret 4_2_001303EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0013009C push dword ptr [ebp-000000D8h]; ret 4_2_00130231
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0013009C push dword ptr [ebp-000000E0h]; ret 4_2_00130284
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0013009C push dword ptr [esp+10h]; ret 4_2_00130396
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00130066 push dword ptr [ebp-000000D8h]; ret 4_2_0013009B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00130005 push dword ptr [ebp-000000D8h]; ret 4_2_00130065
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003CA196 push ebx; ret 5_2_003CA197
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003C9EE4 push cs; iretd 5_2_003C9FBA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003C9FE6 push cs; iretd 5_2_003C9FBA

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\kdfe.vbox
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1502[1].gif
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\kdfe.vbox
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1502[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\kdfe.vbox
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\kdfe.vbox

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\kdfe.vbox
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn sgovokol /tr 'regsvr32.exe -s \'C:\Users\user\kdfe.vbox\'' /SC ONCE /Z /ST 22:40 /ET 22:52

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2952 base: B102D value: E9 A4 61 2F 00
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\1502[1].gif
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\explorer.exe TID: 2940 Thread sleep time: -96000s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 532 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B1217 lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,FindFirstFileW,MultiByteToWideChar,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,FindNextFileW,GetOEMCP,lstrcpynA,GetOEMCP, 5_2_003B1217
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B5986 lstrlenA,GetOEMCP,GetSystemInfo,lstrlenA,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,GetOEMCP,MultiByteToWideChar, 5_2_003B5986
Source: rundll32.exe, 00000004.00000002.2094451379.0000000000620000.00000004.00000020.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: rundll32.exe, 00000004.00000002.2094451379.0000000000620000.00000004.00000020.sdmp Binary or memory string: ROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: rundll32.exe, 00000004.00000002.2094451379.0000000000620000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001303F0 mov eax, dword ptr fs:[00000030h] 4_2_001303F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00130397 mov eax, dword ptr fs:[00000030h] 4_2_00130397
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0013009C mov eax, dword ptr fs:[00000030h] 4_2_0013009C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00130469 mov eax, dword ptr fs:[00000030h] 4_2_00130469
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003A75E6 RtlAddVectoredExceptionHandler, 5_2_003A75E6

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 3E0000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2952 base: 3E0000 value: 9C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2952 base: B102D value: E9
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 3E0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B102D
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: papers (71).xls, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\kdfe.vbox,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn sgovokol /tr 'regsvr32.exe -s \'C:\Users\user\kdfe.vbox\'' /SC ONCE /Z /ST 22:40 /ET 22:52
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\kdfe.vbox'
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\kdfe.vbox'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\kdfe.vbox'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\kdfe.vbox'
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B3630 lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,MultiByteToWideChar,SetEntriesInAclA,GetOEMCP,lstrlenA,lstrlenA,GetCurrentProcessId,LocalAlloc,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,GetOEMCP,GetOEMCP,GetOEMCP,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetOEMCP,lstrcpynA,GetOEMCP,MultiByteToWideChar,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId, 5_2_003B3630
Source: explorer.exe, 00000005.00000002.2356286176.0000000000B70000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000002.2356286176.0000000000B70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.2356286176.0000000000B70000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003AE9CF GetSystemTimeAsFileTime,GetOEMCP,GetOEMCP,MultiByteToWideChar,GetOEMCP, 5_2_003AE9CF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B88FD lstrcpynA,lstrcpynA,lstrcpynA,lstrlenA,GetCurrentProcessId,GetOEMCP,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LookupAccountNameW,lstrcpynA,MultiByteToWideChar,lstrcpynA,LookupAccountNameW,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrcpynA,Sleep,lstrlenA,GetCurrentProcessId, 5_2_003B88FD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_003B5411 GetCurrentProcess,MultiByteToWideChar,MultiByteToWideChar,GetModuleFileNameW,lstrcpynA,lstrlenA,GetCurrentProcessId,memset,MultiByteToWideChar,lstrcpynA,GetVersionExA,GetOEMCP,GetOEMCP,GetCurrentProcessId,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,GetOEMCP, 5_2_003B5411
Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Qbot
Source: Yara match File source: 00000004.00000002.2094377277.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2356101330.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.explorer.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.explorer.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Qbot
Source: Yara match File source: 00000004.00000002.2094377277.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2356101330.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.explorer.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.explorer.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
Behavior Graph:

Behavior Graph ID: 358604 Sample: papers (71).xls Startdate: 25/02/2021 Architecture: WINDOWS Score: 100

Top-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Sigma detected: Schedule REGSVR windows binary; 11 other signatures

Process tree (recovered from the graph):
  • EXCEL.EXE 88 41 started
      DNS/IP: remedial.aaua.edu.ng; aaua.edu.ng 104.196.7.213, 443, 49167 GOOGLEUS United States
      Dropped: C:\Users\user\AppData\Local\...\1502[1].gif, MS-DOS
      Signatures: Document exploit detected (process start blacklist hit); Document exploit detected (UrlDownloadToFile)
      • rundll32.exe started
          • rundll32.exe started
              Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures
              • explorer.exe 8 1 started
                  Dropped: C:\Users\user\kdfe.vbox, MS-DOS
                  Signatures: Drops PE files to the user root directory
                  • schtasks.exe started
  • taskeng.exe 1 started
      • regsvr32.exe started
          • regsvr32.exe started
      • regsvr32.exe started
          • regsvr32.exe started

Contacted Public IPs

IP             Domain   Country        ASN    ASN Name  Malicious
104.196.7.213  unknown  United States  15169  GOOGLEUS  false

Contacted Domains

Name                  IP             Active
aaua.edu.ng           104.196.7.213  true
remedial.aaua.edu.ng  unknown        unknown