Analysis Report Documents_111651917_375818984.xls

Overview

General Information

Sample Name: Documents_111651917_375818984.xls
Analysis ID: 403285
MD5: 72526a505496a9b7da9a6c9651dbda5e
SHA1: 84cf963666314eee0d8ad1ef09e5462a66e3ccbf
SHA256: 3c20530c13d6736ec705786d1694052b2abf42bf87d3bbc359ea95b343fcf681

Detection

Hidden Macro 4.0
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Office process drops PE file
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification


Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: vegas[1].dll.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: otusmail.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.151.10:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.151.10:443

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\50757093.emf
Source: rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: otusmail.com
Source: rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2174265271.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173529258.0000000000B47000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2174265271.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173529258.0000000000B47000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2174265271.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173529258.0000000000B47000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2174265271.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173529258.0000000000B47000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2174265271.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173529258.0000000000B47000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown HTTPS traffic detected: 172.67.151.10:443 -> 192.168.2.22:49165 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing Windowscan check onlinefora solution tothe problem. ernet. 13 14 Protected View Thi
Source: Screenshot number: 8 Screenshot OCR: Enable editing Windowscan check onlinefora solution tothe problem. ernet. 13 14 Protected View Thi
Source: Screenshot number: 12 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 14 0 Protected Vi
Source: Screenshot number: 12 Screenshot OCR: Enable content" to oerform Microsoft Office Decrvotion Core to start LI U 18 the decryption of the
Source: Document image extraction number: 2 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 2 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 3 Screenshot OCR: Enable Content
Source: Document image extraction number: 4 Screenshot OCR: Enable Editing
Source: Document image extraction number: 13 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Document image extraction number: 13 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Found Excel 4.0 Macro with suspicious formulas
Source: Documents_111651917_375818984.xls Initial sample: EXEC
Source: Documents_111651917_375818984.xls Initial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheet
Source: Documents_111651917_375818984.xls Initial sample: Sheet size: 4672
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\bsdnbsej.dbw
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E72A4E1 4_2_6E72A4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E71353B 4_2_6E71353B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E71F5B3 4_2_6E71F5B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E721580 4_2_6E721580
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E777C26 4_2_6E777C26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E77B44E 4_2_6E77B44E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E78798C 4_2_6E78798C
Document contains embedded VBA macros
Source: Documents_111651917_375818984.xls OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll 0A87BD3BB60320B21E493341B70519AF4E46C2E969038D6D89B536CD37AA11D9
Source: Joe Sandbox View Dropped File: C:\Users\user\bsdnbsej.dbw 0A87BD3BB60320B21E493341B70519AF4E46C2E969038D6D89B536CD37AA11D9
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E71ACF0 appears 34 times
Yara signature match
Source: Documents_111651917_375818984.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal88.expl.evad.winXLS@5/8@1/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBB52.tmp
Source: Documents_111651917_375818984.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\bsdnbsej.dbw,PluginInit
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\bsdnbsej.dbw,PluginInit
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: c:\Behind\964\Chance_lie\her l\money.pdb source: vegas[1].dll.0.dr
Source: Binary string: c:\Behind\964\Chance_lie\her l\money.pdb@ source: vegas[1].dll.0.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E72AC21 push ecx; ret 4_2_6E72AC34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7796ED push ecx; ret 4_2_6E779700
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E73C6D1 push cs; retn 0000h 4_2_6E73C6D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E73EEC4 push es; iretd 4_2_6E73EEC5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E73D7A9 push esi; iretd 4_2_6E73D7D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E73CAEC push ebx; ret 4_2_6E73CAF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E73E143 push ecx; iretd 4_2_6E73E144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E79069F push dword ptr [edi]; iretd 4_2_6E7906A8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E791CCC push edx; iretd 4_2_6E791CD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E792992 push edi; ret 4_2_6E7929F7

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\bsdnbsej.dbw
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\bsdnbsej.dbw
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\bsdnbsej.dbw

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\bsdnbsej.dbw
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 6.5 %
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E725D36 FindFirstFileExW, 4_2_6E725D36

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E717C49 LdrInitializeThunk, 4_2_6E717C49
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7237A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E7237A2
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E722A8C mov eax, dword ptr fs:[00000030h] 4_2_6E722A8C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E725960 mov eax, dword ptr fs:[00000030h] 4_2_6E725960
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E78FEC2 mov eax, dword ptr fs:[00000030h] 4_2_6E78FEC2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E78FDF8 mov eax, dword ptr fs:[00000030h] 4_2_6E78FDF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E78F9FF push dword ptr fs:[00000030h] 4_2_6E78F9FF
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E717D3A GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree, 4_2_6E717D3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E71A7E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_6E71A7E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E7237A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E7237A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E71A9E4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_6E71A9E4

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\bsdnbsej.dbw,PluginInit

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E71AB0A cpuid 4_2_6E71AB0A
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA, 4_2_6E784633
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 4_2_6E783A74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_6E783A08
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 4_2_6E77FABC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 4_2_6E7840E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6E71AD36 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 4_2_6E71AD36

Behavior Graph

Behavior Graph ID: 403285
Sample: Documents_111651917_375818984.xls
Start date: 04/05/2021
Architecture: WINDOWS
Score: 88

Process tree:
EXCEL.EXE (started)
  -> rundll32.exe (started)
    -> rundll32.exe (started)

Signatures on the sample node: Document exploit detected (drops PE files); Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros); Drops PE files to the user root directory; 4 other signatures.
Signatures on the EXCEL.EXE node: Document exploit detected (creates forbidden files); Document exploit detected (UrlDownloadToFile).
Files dropped by EXCEL.EXE: C:\Users\user\bsdnbsej.dbw (PE32); C:\Users\user\AppData\Local\...\vegas[1].dll (PE32).
Network contact from EXCEL.EXE: otusmail.com 172.67.151.10, port 443 (local port 49165), CLOUDFLARENETUS, United States.

Contacted Public IPs

IP             Domain        Country        ASN    ASN Name         Malicious
172.67.151.10  otusmail.com  United States  13335  CLOUDFLARENETUS  false

Contacted Domains

Name                 IP             Active
otusmail.com         172.67.151.10  true
cdn.digicertcdn.com  104.18.10.39   true