Source: http://revolet-sa.com/files/countryyelow.php |
Avira URL Cloud: Label: malware |
Source: http://revolet-sa.com/files/countryyelow.php |
Virustotal: Detection: 12% |
Perma Link |
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx |
Virustotal: Detection: 21% |
Perma Link |
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls |
Virustotal: Detection: 13% |
Perma Link |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: |
Binary string: K:\PrintMyMschartLegends_src\Source Code\PrintMyMschartLegends\Release\PrintMyMschartLegends.pdb source: sdbybsd.fds.0.dr |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: ySiCz[1].fbx.0.dr |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\rundll32.exe |
Source: global traffic |
DNS query: name: revolet-sa.com |
Source: global traffic |
TCP traffic: 192.168.2.22:49167 -> 192.232.249.186:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49167 -> 192.232.249.186:80 |
Source: global traffic |
HTTP traffic detected: GET /files/countryyelow.php HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: revolet-sa.comConnection: Keep-Alive |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5826D0B3.emf |
Jump to behavior |
Source: global traffic |
HTTP traffic detected: GET /files/countryyelow.php HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: revolet-sa.comConnection: Keep-Alive |
Source: rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp |
String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: unknown |
DNS traffic detected: queries for: revolet-sa.com |
Source: rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com |
Source: rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com/ |
Source: rundll32.exe, 00000003.00000002.2091320743.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089129564.0000000001CD7000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XML.asp |
Source: rundll32.exe, 00000003.00000002.2091320743.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089129564.0000000001CD7000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: rundll32.exe, 00000004.00000002.2090160678.00000000027C0000.00000002.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: rundll32.exe, 00000003.00000002.2091320743.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089129564.0000000001CD7000.00000002.00000001.sdmp |
String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: rundll32.exe, 00000003.00000002.2091320743.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089129564.0000000001CD7000.00000002.00000001.sdmp |
String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: rundll32.exe, 00000004.00000002.2090160678.00000000027C0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.%s.comPA |
Source: rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.hotmail.com/oe |
Source: rundll32.exe, 00000003.00000002.2091320743.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2089129564.0000000001CD7000.00000002.00000001.sdmp |
String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.windows.com/pctv. |
Source: Screenshot number: 4 |
Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. :54 Protected View Thi |
Source: Screenshot number: 4 |
Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start 18 the decryption of the docum |
Source: Document image extraction number: 2 |
Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi |
Source: Document image extraction number: 2 |
Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document |
Source: Document image extraction number: 3 |
Screenshot OCR: Enable Content |
Source: Document image extraction number: 4 |
Screenshot OCR: Enable Editing |
Source: Document image extraction number: 14 |
Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi |
Source: Document image extraction number: 14 |
Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document |
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls |
Initial sample: EXEC |
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls |
Initial sample: CALL |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\sdbybsd.fds |
Jump to dropped file |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory allocated: 76E20000 page execute and read and write |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Memory allocated: 76D20000 page execute and read and write |
Jump to behavior |
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls |
OLE indicator, VBA macros: true |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1 |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\sdbybsd.fds AC17E1F54B9F800D874E1D012E541FC037BD1A31EE3E8F631A454F2D1DE6ADA1 |
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls, type: SAMPLE |
Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research |
Source: rundll32.exe, 00000003.00000002.2090922768.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2088951177.0000000001AF0000.00000002.00000001.sdmp |
Binary or memory string: .VBPud<_ |
Source: classification engine |
Classification label: mal100.expl.evad.winXLS@7/8@1/1 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Temp\CVRC36D.tmp |
Jump to behavior |
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls |
OLE indicator, Workbook stream: true |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File read: C:\Users\desktop.ini |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\rundll32.exe rundll32 ..\sdbybsd.fds,StartW |
Source: SecuriteInfo.com.Trojan.Agent.FFFK.8079.xls |
Virustotal: Detection: 13% |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\rundll32.exe rundll32 ..\sdbybsd.fds,StartW |
|
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\sdbybsd.fds,StartW |
|
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\rundll32.exe rundll32 ..\sdbybsd.fds,StartW |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\sdbybsd.fds,StartW |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe |
Jump to behavior |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: |
Binary string: K:\PrintMyMschartLegends_src\Source Code\PrintMyMschartLegends\Release\PrintMyMschartLegends.pdb source: sdbybsd.fds.0.dr |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_01ED1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, |
4_2_01ED1030 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_02420E20 push dword ptr [edx+14h]; ret |
4_2_02420F2D |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\sdbybsd.fds |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\sdbybsd.fds |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\sdbybsd.fds |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\sdbybsd.fds |
Jump to dropped file |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ySiCz[1].fbx |
Jump to dropped file |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_01ED1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, |
4_2_01ED1030 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_00340456 mov eax, dword ptr fs:[00000030h] |
4_2_00340456 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_0034095E mov eax, dword ptr fs:[00000030h] |
4_2_0034095E |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_01ED1030 mov eax, dword ptr fs:[00000030h] |
4_2_01ED1030 |
Source: C:\Windows\SysWOW64\rundll32.exe |
Code function: 4_2_01ED1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError, |
4_2_01ED1030 |
Source: C:\Windows\System32\rundll32.exe |
Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\sdbybsd.fds,StartW |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe |
Jump to behavior |
Source: C:\Windows\SysWOW64\rundll32.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |