Analysis Report document-1055791644.xls

Overview

General Information

Sample Name: document-1055791644.xls
Analysis ID: 382839
MD5: a1b03697f4c155ce81cbe1a4d8f87382
SHA1: c38536b8b88cb657f63a5c3ceb83586bd95f1b4b
SHA256: 6083d754351ed13573a015a56de62a51d8755e4ada995406c89abdf5a85e7390
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Schedule REGSVR windows binary
Yara detected Qbot
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office process drops PE file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected hidden Macro 4.0 in Excel
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.230174.1.raw.unpack Malware Configuration Extractor: Qbot {"C2 list": ["176.205.222.30:2078", "174.76.188.217:22", "105.226.10.142:443", "87.202.87.210:2222", "203.194.110.74:443", "95.77.223.148:443", "45.77.115.208:2222", "47.146.169.85:443", "76.94.200.148:995", "23.240.70.80:443", "193.252.48.200:443", "154.124.130.140:995", "45.32.211.207:2222", "149.28.98.196:2222", "149.28.98.196:995", "149.28.101.90:995", "207.246.77.75:2222", "45.63.107.192:995", "173.70.165.101:995", "207.246.116.237:995", "149.28.99.97:2222", "149.28.101.90:8443", "207.246.116.237:443", "45.77.115.208:443", "45.32.211.207:8443", "207.246.77.75:8443", "149.28.101.90:443", "45.63.107.192:2222", "207.246.77.75:995", "149.28.99.97:995", "45.32.211.207:443", "144.202.38.185:443", "45.63.107.192:443", "149.28.101.90:2222", "149.28.99.97:443", "45.32.211.207:995", "207.246.116.237:2222", "207.246.116.237:8443", "149.28.98.196:443", "144.202.38.185:2222", "207.246.77.75:443", "144.202.38.185:995", "1.52.227.184:443", "184.189.122.72:443", "201.171.77.138:443", "208.126.142.17:443", "60.50.255.183:443", "172.78.30.215:443", "171.103.138.122:995", "92.59.35.196:2222", "176.181.247.197:443", "82.127.125.209:990", "45.77.115.208:8443", "45.77.115.208:995", "50.29.166.232:995", "172.87.157.235:3389", "85.58.200.50:2222", "196.151.252.84:443", "24.50.118.93:443", "103.51.20.143:2222", "86.236.77.68:2222", "78.63.226.32:443", "82.76.47.211:443", "76.25.142.196:443", "213.60.147.140:443", "151.33.233.193:443", "81.88.254.62:443", "70.126.76.75:443", "160.3.187.114:443", "41.205.16.1:443", "96.61.23.88:995", "86.98.93.124:2078", "2.232.253.79:995", "209.210.187.52:443", "188.25.63.105:443", "115.133.243.6:443", "27.223.92.142:995", "140.82.49.12:443", "80.11.173.82:8443", "2.7.69.217:2222", "190.85.91.154:443", "142.68.28.22:443", "89.211.252.190:995", "178.153.37.196:443", "79.129.121.81:995", "71.88.193.17:443", "86.160.137.132:443", "202.184.20.119:443", "83.110.12.140:2222", 
"115.69.252.0:22", "105.198.236.101:443", "144.139.47.206:443", "105.198.236.99:443", "197.45.110.165:995", "85.132.36.111:2222", "70.168.130.172:995", "71.187.170.235:443", "80.227.5.69:443", "59.90.246.200:443", "81.214.126.173:2222", "68.225.60.77:995", "108.31.15.10:995", "83.110.108.181:2222", "46.153.119.255:995", "216.201.162.158:443", "197.161.154.132:443", "96.21.251.127:2222", "75.136.40.155:443", "24.95.61.62:443", "68.186.192.69:443", "193.248.221.184:2222", "75.67.192.125:443", "81.97.154.100:443", "75.118.1.141:443", "47.22.148.6:443", "182.48.193.200:443", "203.198.96.37:443", "106.51.52.111:443", "83.110.103.152:443", "75.136.26.147:443", "2.50.2.216:443", "189.223.234.23:995", "74.222.204.82:995", "173.21.10.71:2222", "69.123.179.70:443", "71.74.12.34:443", "45.46.53.140:2222", "86.97.162.85:443", "2.51.171.223:443", "144.139.166.18:443", "71.197.126.250:443", "67.6.12.4:443", "122.148.156.131:995", "64.121.114.87:443", "50.244.112.106:443", "70.54.25.76:2222", "1.32.35.2:443", "89.137.211.239:995", "67.165.206.193:993", "186.28.51.27:443", "98.2
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif Metadefender: Detection: 27%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif ReversingLabs: Detection: 93%
Multi AV Scanner detection for submitted file
Source: document-1055791644.xls Virustotal: Detection: 51%
Source: document-1055791644.xls ReversingLabs: Detection: 47%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 103.50.162.157:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00431217 lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,FindFirstFileW,MultiByteToWideChar,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,FindNextFileW,GetOEMCP,lstrcpynA,GetOEMCP, 4_2_00431217
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008A4F40 GetModuleHandleA,70D9FFF6,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_008A4F40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00091217 lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,FindFirstFileW,MultiByteToWideChar,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,FindNextFileW,GetOEMCP,lstrcpynA,GetOEMCP, 5_2_00091217

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 0702[1].gif.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 46MB
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: tidymasters.com.au
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.50.162.157:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 103.50.162.157:443

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.50.162.157 103.50.162.157
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: tidymasters.com.au
Source: rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2109220005.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102833114.0000000002197000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2109220005.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102833114.0000000002197000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000004.00000002.2108474827.0000000003620000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.2371170734.00000000022D0000.00000002.00000001.sdmp, taskeng.exe, 00000009.00000002.2370918414.0000000000840000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 0000000A.00000002.2117402574.0000000000A30000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: rundll32.exe, 00000003.00000002.2109220005.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102833114.0000000002197000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2109220005.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102833114.0000000002197000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000004.00000002.2108474827.0000000003620000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.2371170734.00000000022D0000.00000002.00000001.sdmp, taskeng.exe, 00000009.00000002.2370918414.0000000000840000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2116197122.0000000000D40000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2109220005.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102833114.0000000002197000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to record screenshots
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008BEE8C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 4_2_008BEE8C
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008EB0B0 GetKeyboardState, 4_2_008EB0B0

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet.y 0Protected View This
Source: Screenshot number: 4 Screenshot OCR: Enable Content X I F122 -',- jR V ^ Docu&^, THIS STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUME
Source: Screenshot number: 8 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet.y 0Protected View This
Source: Screenshot number: 8 Screenshot OCR: Enable Content X Al " " jR " ^ Docu&nt THIS STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMENT,
Source: Screenshot number: 12 Screenshot OCR: Enable Content X F312 " " jR " A B C D E F G H I J K L M N O P Q R S L=j 301 302 303 304 30
Found Excel 4.0 Macro with suspicious formulas
Source: document-1055791644.xls Initial sample: EXEC
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\iojhsfgv.dvers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004350CD MultiByteToWideChar,GetOEMCP,GetOEMCP,lstrcpynA,lstrcpynA,MultiByteToWideChar,lstrcpynA,lstrcpynA,memset,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrcpynA,NtProtectVirtualMemory,GetOEMCP,NtWriteVirtualMemory,GetOEMCP,GetOEMCP,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,GetOEMCP, 4_2_004350CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00434981 lstrcpynA,GetOEMCP,lstrlenA,lstrlenA,GetCurrentProcessId,lstrlenA,GetOEMCP,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,GetOEMCP,lstrcpynA,MultiByteToWideChar,NtCreateSection,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,lstrcpynA,GetOEMCP,NtMapViewOfSection,lstrlenA,GetCurrentProcessId,lstrcpynA,GetCurrentProcess,NtUnmapViewOfSection,MultiByteToWideChar,GetOEMCP,NtClose,lstrcpynA,lstrcpynA,VirtualAllocEx,lstrlenA,GetCurrentProcessId,GetOEMCP,MultiByteToWideChar,WriteProcessMemory,memcpy,MultiByteToWideChar,lstrlenA, 4_2_00434981
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008EE02C NtdllDefWindowProc_A,GetCapture, 4_2_008EE02C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008DA498 NtdllDefWindowProc_A, 4_2_008DA498
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008DACF0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_008DACF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008DAC40 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_008DAC40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008C4FB8 NtdllDefWindowProc_A, 4_2_008C4FB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008E3C20 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 4_2_008E3C20
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00434981 4_2_00434981
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004355A8 4_2_004355A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00435A4F 4_2_00435A4F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0043862B 4_2_0043862B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004343F7 4_2_004343F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004340C2 4_2_004340C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00441488 4_2_00441488
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0043B0AF 4_2_0043B0AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00439566 4_2_00439566
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00440D09 4_2_00440D09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004305E8 4_2_004305E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0042F267 4_2_0042F267
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0042BA65 4_2_0042BA65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0042A60D 4_2_0042A60D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00431217 4_2_00431217
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00433630 4_2_00433630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00436AFA 4_2_00436AFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00443AFF 4_2_00443AFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0042C6FD 4_2_0042C6FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00441E97 4_2_00441E97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0043CABD 4_2_0043CABD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0043735C 4_2_0043735C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0043AB20 4_2_0043AB20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0043C7C3 4_2_0043C7C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0042FBC4 4_2_0042FBC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0042DBEC 4_2_0042DBEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0043BBFA 4_2_0043BBFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00431F8B 4_2_00431F8B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0043D3B3 4_2_0043D3B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008D4990 4_2_008D4990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008BB03C 4_2_008BB03C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008E3C20 4_2_008E3C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0024C031 4_2_0024C031
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0024606E 4_2_0024606E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0024A094 4_2_0024A094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0023F138 4_2_0023F138
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0023D160 4_2_0023D160
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0025027D 4_2_0025027D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0024A623 4_2_0024A623
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00243636 4_2_00243636
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0024078B 4_2_0024078B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0023E7DB 4_2_0023E7DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0024C927 4_2_0024C927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0024396B 4_2_0024396B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_002509FC 4_2_002509FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00248ADA 4_2_00248ADA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00244B1C 4_2_00244B1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00242BA4 4_2_00242BA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00239B81 4_2_00239B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00247B9F 4_2_00247B9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0023BC71 4_2_0023BC71
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0024BD37 4_2_0024BD37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00243EF5 4_2_00243EF5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00244FC3 4_2_00244FC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0023AFD9 4_2_0023AFD9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0008A60D 5_2_0008A60D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0009862B 5_2_0009862B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00093630 5_2_00093630
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0008BA65 5_2_0008BA65
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0008C6FD 5_2_0008C6FD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0008FBC4 5_2_0008FBC4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_000A1488 5_2_000A1488
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0009B0AF 5_2_0009B0AF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_000940C2 5_2_000940C2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_000A0D09 5_2_000A0D09
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00099566 5_2_00099566
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00094981 5_2_00094981
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_000955A8 5_2_000955A8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_000905E8 5_2_000905E8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00091217 5_2_00091217
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00095A4F 5_2_00095A4F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0008F267 5_2_0008F267
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_000A1E97 5_2_000A1E97
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0009CABD 5_2_0009CABD
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00096AFA 5_2_00096AFA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_000A3AFF 5_2_000A3AFF
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0009AB20 5_2_0009AB20
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0009735C 5_2_0009735C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00091F8B 5_2_00091F8B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0009D3B3 5_2_0009D3B3
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0009C7C3 5_2_0009C7C3
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0008DBEC 5_2_0008DBEC
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0009BBFA 5_2_0009BBFA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_000943F7 5_2_000943F7
Document contains embedded VBA macros
Source: document-1055791644.xls OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif 63B470971FA827F8E59555C32E966B68EE765120849C23431DD352AEACBBA52B
Source: Joe Sandbox View Dropped File: C:\Users\user\iojhsfgv.dvers 9E6B6797944DD3EDD500BC13B5CDF9B74B9AFD215C9BED6EF3BEC26DB4396A7B
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 008A3E98 appears 76 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 008A5F7C appears 61 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 008A344C appears 34 times
PE file does not import any functions
Source: iojhsfgv.dvers.5.dr Static PE information: No import functions for PE file found
Yara signature match
Source: document-1055791644.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@18/14@1/1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008BD3AC GetLastError,FormatMessageA, 4_2_008BD3AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008F5FA8 EntryPoint,GetDiskFreeSpaceExA, 4_2_008F5FA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00430483 CreateToolhelp32Snapshot,lstrcpynA,lstrcpynA,memset,GetOEMCP,GetOEMCP,lstrcpynA,Process32First,GetOEMCP,lstrcpynA,GetOEMCP,Process32Next,GetOEMCP,CloseHandle,lstrcpynA,lstrlenA,GetCurrentProcessId, 4_2_00430483
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00436EC8 MultiByteToWideChar,CoInitializeEx,lstrcpynA,CoInitializeSecurity,lstrcpynA,lstrlenA,GetCurrentProcessId,GetOEMCP,GetOEMCP,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,lstrcpynA,SysAllocString,GetOEMCP,MultiByteToWideChar,lstrcpynA,CoSetProxyBlanket,lstrlenA,GetCurrentProcessId,MultiByteToWideChar,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA, 4_2_00436EC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0042B14A lstrlenA,FindResourceA,lstrlenA,GetCurrentProcessId,GetOEMCP,GetOEMCP,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,GetOEMCP,GetOEMCP,GetOEMCP,MultiByteToWideChar,GetOEMCP,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrcpynA,MultiByteToWideChar, 4_2_0042B14A
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\C7DE0000
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{356EE3B6-3452-4DAA-AF55-F855E45BD2D8}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{E72AFEF2-4BAA-4359-AC99-886389190D2C}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCEA4.tmp
Source: document-1055791644.xls OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ....................4.%..........&k.....(.P.....p........................x................................................................%.....
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iojhsfgv.dvers,DllRegisterServer
Source: document-1055791644.xls Virustotal: Detection: 51%
Source: document-1055791644.xls ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iojhsfgv.dvers,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\iojhsfgv.dvers,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wwzkbggu /tr 'regsvr32.exe -s \'C:\Users\user\iojhsfgv.dvers\'' /SC ONCE /Z /ST 18:42 /ET 18:54
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {E6DEB525-2047-4F0F-A2D9-FEDA7F895D14} S-1-5-18:NT AUTHORITY\System:Service:
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0044A196 push ebx; ret 4_2_0044A197
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00449EE4 push cs; iretd 4_2_00449FBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00449FE6 push cs; iretd 4_2_00449FBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008F5604 push 008F5691h; ret 4_2_008F5689
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008D001C push ecx; mov dword ptr [esp], edx 4_2_008D0020
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008DE158 push 008DE184h; ret 4_2_008DE17C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008C229C push 008C22C8h; ret 4_2_008C22C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008B02DE push 008B0356h; ret 4_2_008B034E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008B02E0 push 008B0356h; ret 4_2_008B034E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008CE21C push 008CE248h; ret 4_2_008CE240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008C224C push 008C2278h; ret 4_2_008C2270
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008CE384 push 008CE3B0h; ret 4_2_008CE3A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008BA3A2 push 008BA44Fh; ret 4_2_008BA447
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008BA3A4 push 008BA44Fh; ret 4_2_008BA447
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008D0314 push 008D0340h; ret 4_2_008D0338
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008B0358 push 008B0400h; ret 4_2_008B03F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008B04EC push 008B0518h; ret 4_2_008B0510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008BA4EC push 008BA77Ch; ret 4_2_008BA774
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008B0402 push 008B0518h; ret 4_2_008B0510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008BA454 push 008BA4E4h; ret 4_2_008BA4DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008C6598 push ecx; mov dword ptr [esp], ecx 4_2_008C659D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008C45B4 push 008C45E0h; ret 4_2_008C45D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008C45EC push 008C4618h; ret 4_2_008C4610
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008C4544 push 008C4593h; ret 4_2_008C458B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008C2554 push 008C2580h; ret 4_2_008C2578
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008DC554 push 008DC5AEh; ret 4_2_008DC5A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008C2688 push 008C26B4h; ret 4_2_008C26AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008C4694 push 008C46C0h; ret 4_2_008C46B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008C46CC push 008C46F8h; ret 4_2_008C46F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008E46D4 push 008E473Fh; ret 4_2_008E4737
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008C4624 push 008C4650h; ret 4_2_008C4648

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\iojhsfgv.dvers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\iojhsfgv.dvers
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\iojhsfgv.dvers
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\iojhsfgv.dvers

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\iojhsfgv.dvers
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wwzkbggu /tr 'regsvr32.exe -s \'C:\Users\user\iojhsfgv.dvers\'' /SC ONCE /Z /ST 18:42 /ET 18:54

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2508 base: 57102D value: E9 A4 61 B1 FF
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008F0004 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 4_2_008F0004
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008DA520 PostMessageA,PostMessageA,SendMessageA,70D9FFF6,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 4_2_008DA520
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008F0928 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 4_2_008F0928
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008DACF0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_008DACF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008DAC40 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_008DAC40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008D7548 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 4_2_008D7548
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008EF750 IsIconic,GetCapture, 4_2_008EF750
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008C1D04 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_008C1D04
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008CEF08 4_2_008CEF08
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00430483 CreateToolhelp32Snapshot,lstrcpynA,lstrcpynA,memset,GetOEMCP,GetOEMCP,lstrcpynA,Process32First,GetOEMCP,lstrcpynA,GetOEMCP,Process32Next,GetOEMCP,CloseHandle,lstrcpynA,lstrlenA,GetCurrentProcessId, 4_2_00430483
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 4_2_008D9A90
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008CEF08 4_2_008CEF08
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\explorer.exe TID: 2296 Thread sleep time: -104000s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2792 Thread sleep time: -60000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00431217 lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,FindFirstFileW,MultiByteToWideChar,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,FindNextFileW,GetOEMCP,lstrcpynA,GetOEMCP, 4_2_00431217
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_008A4F40 GetModuleHandleA,70D9FFF6,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_008A4F40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00091217 lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,FindFirstFileW,MultiByteToWideChar,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,FindNextFileW,GetOEMCP,lstrcpynA,GetOEMCP, 5_2_00091217
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00435986 lstrlenA,GetOEMCP,GetSystemInfo,lstrlenA,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,GetOEMCP,MultiByteToWideChar, 4_2_00435986
Source: rundll32.exe, 00000004.00000002.2102558977.00000000004DF000.00000004.00000020.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: rundll32.exe, 00000004.00000002.2102558977.00000000004DF000.00000004.00000020.sdmp Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0

Anti Debugging:

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00430483 CreateToolhelp32Snapshot,lstrcpynA,lstrcpynA,memset,GetOEMCP,GetOEMCP,lstrcpynA,Process32First,GetOEMCP,lstrcpynA,GetOEMCP,Process32Next,GetOEMCP,CloseHandle,lstrcpynA,lstrlenA,GetCurrentProcessId, 4_2_00430483
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_000875E6 RtlAddVectoredExceptionHandler, 5_2_000875E6
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: C0000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2508 base: C0000 value: 9C
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: PID: 2508 base: 57102D value: E9
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: C0000
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 57102D
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: document-1055791644.xls, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\iojhsfgv.dvers,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wwzkbggu /tr 'regsvr32.exe -s \'C:\Users\user\iojhsfgv.dvers\'' /SC ONCE /Z /ST 18:42 /ET 18:54
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00433630 lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,MultiByteToWideChar,GetOEMCP,lstrlenA,lstrlenA,GetCurrentProcessId,LocalAlloc,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,GetOEMCP,GetOEMCP,GetOEMCP,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetOEMCP,lstrcpynA,GetOEMCP,MultiByteToWideChar,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId, 4_2_00433630
Source: explorer.exe, 00000005.00000002.2371071962.0000000000ED0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000002.2371071962.0000000000ED0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.2371071962.0000000000ED0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_008A50F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetACP, 4_2_008AC030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_008AAAD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_008AAB1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_008A5204
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_008A59EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_008A59F0
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0042E9CF GetSystemTimeAsFileTime,GetOEMCP,GetOEMCP,MultiByteToWideChar,GetOEMCP, 4_2_0042E9CF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004388FD lstrcpynA,lstrcpynA,lstrcpynA,lstrlenA,GetCurrentProcessId,GetOEMCP,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LookupAccountNameW,lstrcpynA,MultiByteToWideChar,lstrcpynA,LookupAccountNameW,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrcpynA,lstrlenA,GetCurrentProcessId, 4_2_004388FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00435A4F GetOEMCP,GetOEMCP,MultiByteToWideChar,GetOEMCP,lstrcpynA,GetCurrentProcessId,MultiByteToWideChar,GetTickCount,GetModuleFileNameW,lstrlenA,GetOEMCP,lstrlenA,GetCurrentProcessId,GetCurrentProcess,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,GetOEMCP,GetOEMCP,lstrlenA,GetCurrentProcessId,LookupAccountSidW,GetLastError,GetSystemMetrics,GetModuleFileNameW,MultiByteToWideChar,GetOEMCP,GetOEMCP,MultiByteToWideChar,GetOEMCP,MultiByteToWideChar,GetOEMCP,lstrlenW,GetOEMCP,GetOEMCP,lstrlenA,GetCurrentProcess,lstrcpynA,memset,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,GetVersionExA,lstrlenA,GetCurrentProcessId,GetCurrentProcess,GetOEMCP,GetOEMCP,lstrcpynA,lstrcpynA,GetWindowsDirectoryW,lstrlenA,GetCurrentProcessId,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,lstrlenA,GetCurrentProcessId,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrcpynA,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,lstrcpynA,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrcpynA, 4_2_00435A4F
Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Qbot
Source: Yara match File source: 00000004.00000002.2102507416.0000000000420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2102454877.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2102490286.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2370755015.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.230174.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.420000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.420000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.230174.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3e0000.2.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Qbot
Source: Yara match File source: 00000004.00000002.2102507416.0000000000420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2102454877.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2102490286.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2370755015.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.rundll32.exe.230174.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.420000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.420000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.230174.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.rundll32.exe.3e0000.2.unpack, type: UNPACKEDPE
Behavior Graph:

Behavior Graph ID: 382839
Sample: document-1055791644.xls
Startdate: 06/04/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Sigma detected: Schedule REGSVR windows binary; 9 other signatures

Process tree recovered from the graph:

EXCEL.EXE (started)
    Contacts: tidymasters.com.au (103.50.162.157, 443, 49165; PUBLIC-DOMAIN-REGISTRYUS, India)
    Dropped: C:\Users\user\AppData\Local\...\0702[1].gif, PE32
    Signatures: Document exploit detected (UrlDownloadToFile)
    rundll32.exe (started)
        rundll32.exe (started)
            Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 3 other signatures
            explorer.exe (started)
                Dropped: C:\Users\user\iojhsfgv.dvers, PE32
                Signatures: Drops PE files to the user root directory; Uses schtasks.exe or at.exe to add and modify task schedules
                schtasks.exe (started)
taskeng.exe (started)
    regsvr32.exe (started)
        regsvr32.exe (started)
    regsvr32.exe (started)
        regsvr32.exe (started)

Contacted Public IPs

IP              Domain              Country  ASN     ASN Name                  Malicious
103.50.162.157  tidymasters.com.au  India    394695  PUBLIC-DOMAIN-REGISTRYUS  false

Contacted Domains

Name                IP              Active
tidymasters.com.au  103.50.162.157  true