
Analysis Report: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx

Overview

General Information

Sample Name: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx
Analysis ID: 367670
MD5: 8ea35bdf2130db8f534db290aaceb9d0
SHA1: ef23db1561ad4a51f3a3ba45e591a0ece7eff702
SHA256: f0ffa6cda325df3c792de8f50f1fba7611c53731588d107bc40a8351d12d7da8
Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

No high impact signatures.

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 1572 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures. The remaining signature hits are informational only:

  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
  • Source: classification engine | Classification label: clean0.winXLSX@1/1@0/0
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRBB24.tmp
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
  • Source: Window Recorder | Window detected: More than 3 window changes detected
  • Source: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
  • Source: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
  • Source: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx | Initial sample: OLE zip file path = xl/calcChain.xml
  • Source: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx | Initial sample: OLE zip file path = customXml/item2.xml
  • Source: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx | Initial sample: OLE zip file path = customXml/itemProps2.xml
  • Source: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx | Initial sample: OLE zip file path = customXml/item3.xml
  • Source: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx | Initial sample: OLE zip file path = customXml/itemProps3.xml
  • Source: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx | Initial sample: OLE zip file path = docProps/custom.xml
  • Source: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx | Initial sample: OLE zip file path = customXml/_rels/item2.xml.rels
  • Source: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx | Initial sample: OLE zip file path = customXml/_rels/item3.xml.rels
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (this event is repeated 23 times in the report)

Mitre Att&ck Matrix

Tactic columns of the matrix, with the two technique rows listed per tactic. A number in parentheses is the count of matched signatures for that technique; entries without a number are the matrix template's default cells, not observed behaviour.

  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
  • Defense Evasion: Masquerading (1); Rootkit
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: File and Directory Discovery (1); System Information Discovery (1)
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Data Obfuscation; Junk Data
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout

Behavior Graph


Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 367670
Start date: 11.03.2021
Start time: 23:01:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 48s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.winXLSX@1/1@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xlsx
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\Desktop\~$Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.4377382811115937
Encrypted: false
SSDEEP: 3:vZ/FFDJw2fV:vBFFGS
MD5: 797869BB881CFBCDAC2064F92B26E46F
SHA1: 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256: D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512: 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious: false
Reputation: high, very likely benign file
Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.610913327812838
TrID:
  • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
  • ZIP compressed archive (8000/1) 16.67%
File name: Copy of COVID-19 Testing Employee Names and DOB 3.9.2021.xlsx
File size: 39748
MD5: 8ea35bdf2130db8f534db290aaceb9d0
SHA1: ef23db1561ad4a51f3a3ba45e591a0ece7eff702
SHA256: f0ffa6cda325df3c792de8f50f1fba7611c53731588d107bc40a8351d12d7da8
SHA512: 3d4a5cc53e70f13ec766424057d38f242576fabcfa98083f60a131d3396403d4ca0f35ff1a86dc2b18464e0232e06f6ca257a22f0cc7149e9165f70cdbd85e54
SSDEEP: 768:vU4jvnTUafBbF0OMYDBPfF5hYU7XDYehxPuGsyEj35Jv0as3FP:vU4zTR5PfF5N7XMsxPuGs5v8asl
File Content Preview: PK..........!..B|{............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon

Icon Hash: e4e2aa8aa4b4bcb4

Network Behavior

No network behavior found

Code Manipulations

System Behavior

General

Start time: 23:01:32
Start date: 11/03/2021
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase: 0x13f370000
File size: 27641504 bytes
MD5 hash: 5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly