
Analysis Report 9177284661-04302021.xlsm

Overview

General Information

Sample Name: 9177284661-04302021.xlsm
Analysis ID: 403443
MD5: a8b4e37766d35b543884d8882147eaa2
SHA1: 4356c14118ea9098dabb6d9af620003b7929058a
SHA256: 533c8713c4e10c223a9f8139f9d408ca326aee14a1d88382c91f2ff18cf0f93c

Detection

Hidden Macro 4.0
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Found Excel 4.0 Macro with suspicious formulas
Yara detected MalDoc1
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2156 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
sheet3.xml | JoeSecurity_MalDoc_1 | Yara detected MalDoc_1 | Joe Security | 
sharedStrings.xml | JoeSecurity_MalDoc_1 | Yara detected MalDoc_1 | Joe Security | 

      Sigma Overview

      No Sigma rule has matched

      Signature Overview


      AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://185.45.193.80/44313,6048108796.dat | Virustotal: Detection: 6%
Source: http://45.144.31.232/44313,6048108796.dat | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: 9177284661-04302021.xlsm | Virustotal: Detection: 38%
Source: 9177284661-04302021.xlsm | ReversingLabs: Detection: 31%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

      Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll | origin: URLDownloadToFileA
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 185.45.193.80:80 (2 occurrences)

      Networking:

Yara detected MalDoc1
Source: Yara match | File source: sheet3.xml, type: SAMPLE
Source: Yara match | File source: sharedStrings.xml, type: SAMPLE
Source: global traffic | HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 185.45.193.80 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 45.144.31.232 | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 185.45.193.80 (6 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 82.118.21.70 (6 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 45.144.31.232 (6 occurrences)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\307513F9.jpg

      System Summary:

Found malicious Excel 4.0 Macro
Source: 9177284661-04302021.xlsm | Initial sample: urlmon
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing button from the yellow bar above 22 0 Once you have enabled editing please click Ena
Source: Screenshot number: 4 | Screenshot OCR: Enable Content button from the yellow bar above 23 24 25 26 27 28 29 30 31 32 33 34 35
Found Excel 4.0 Macro with suspicious formulas
Source: 9177284661-04302021.xlsm | Initial sample: EXEC
Source: 9177284661-04302021.xlsm | OLE, VBA macro line: Public Function Auto_Open()
Source: 9177284661-04302021.xlsm | OLE indicator, VBA macros: true
Source: classification engine | Classification label: mal84.troj.expl.evad.winXLSM@1/7@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$9177284661-04302021.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVREBA5.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: 9177284661-04302021.xlsm | Virustotal: Detection: 38%
Source: 9177284661-04302021.xlsm | ReversingLabs: Detection: 31%
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/media/image1.jpg
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: 9177284661-04302021.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (23 occurrences)

      Mitre Att&ck Matrix

• Initial Access: Valid Accounts; Default Accounts; Domain Accounts
• Execution: Scripting22; Exploitation for Client Execution12; At (Linux)
• Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
• Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
• Defense Evasion: Masquerading1; Disable or Modify Tools1; Scripting22
• Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
• Discovery: File and Directory Discovery1; System Information Discovery1; Query Registry
• Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
• Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
• Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
• Command and Control: Non-Application Layer Protocol1; Application Layer Protocol11; Ingress Tool Transfer2
• Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
• Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
• Impact: Modify System Partition; Device Lockout; Delete Device Data

      Behavior Graph


      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.