Source: http://45.138.157.63/44313,6048108796.dat | Virustotal: Detection: 9% |
Source: http://167.114.48.59/44313,6048108796.dat | Virustotal: Detection: 9% |
Source: http://185.14.31.59/44313,6048108796.dat | Virustotal: Detection: 10% |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA |
Source: excel.exe | Memory has grown: Private usage: 4MB later: 36MB |
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 185.14.31.59:80 |
Source: before.4.91.29.sheet.csv_unpack | Macro 4.0 Deobfuscator: http://185.14.31.59/ |
Source: Joe Sandbox View | IP Address: 45.138.157.63 |
Source: Joe Sandbox View | IP Address: 185.14.31.59 |
Source: Joe Sandbox View | IP Address: 167.114.48.59 |
Source: global traffic | HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 185.14.31.59 Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 45.138.157.63 Connection: Keep-Alive |
Source: global traffic | HTTP traffic detected: GET /44313,6048108796.dat HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 167.114.48.59 Connection: Keep-Alive |
Source: unknown | TCP traffic detected without corresponding DNS query: 185.14.31.59 |
Source: unknown | TCP traffic detected without corresponding DNS query: 45.138.157.63 |
Source: unknown | TCP traffic detected without corresponding DNS query: 167.114.48.59 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6D75894A.jpg |
Source: before.4.91.29.sheet.csv_unpack | String found in binary or memory: http://185.14.31.59/ |
Source: Copy-384955799-05102021.xlsm | Initial sample: urlmon |
Source: VBA code instrumentation | OLE, VBA macro: Module dfgbfdg, Function Auto_Open, API Microsoft Excel:Application.Run(:Range) | Name: Auto_Open |
Source: Copy-384955799-05102021.xlsm | Initial sample: EXEC |
Source: Copy-384955799-05102021.xlsm | OLE, VBA macro line: Private Sub Auto_Open() |
Source: VBA code instrumentation | OLE, VBA macro: Module dfgbfdg, Function Auto_Open | Name: Auto_Open |
Source: Copy-384955799-05102021.xlsm | OLE indicator, VBA macros: true |
Source: classification engine | Classification label: mal80.expl.evad.winXLSM@1/7@0/3 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Copy-384955799-05102021.xlsm |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD789.tmp |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: Copy-384955799-05102021.xlsm | Initial sample: OLE zip file path = xl/media/image1.jpg |
Source: Copy-384955799-05102021.xlsm | Initial sample: OLE zip file path = xl/drawings/drawing2.xml |
Source: Copy-384955799-05102021.xlsm | Initial sample: OLE zip file path = xl/drawings/drawing3.xml |
Source: Copy-384955799-05102021.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels |
Source: Copy-384955799-05102021.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels |
Source: Copy-384955799-05102021.xlsm | Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels |
Source: Copy-384955799-05102021.xlsm | Initial sample: OLE zip file path = xl/drawings/_rels/drawing3.xml.rels |
Source: Copy-384955799-05102021.xlsm | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Source: Yara match | File source: sheet2.xml, type: SAMPLE |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |