Analysis Report 9659e9a8_by_Libranalysis

Overview

General Information

Sample Name:	9659e9a8_by_Libranalysis (renamed file extension from none to xls)
Analysis ID:	412182
MD5:	9659e9a80fba8f055fbe4e3757b0fd88
SHA1:	701af32440a369d3bf1533cf3d741904b614a470
SHA256:	252bda62a929c697a8b96035c1a52314d88067e745799cb66ac5d9dd593379b0
Tags:	SilentBuilder
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Sigma detected: Microsoft Office Product Spawning Windows Shell

Document contains embedded VBA macros

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Classification

Signatures

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.22:49170 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: signifysystem.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.185.39.58:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.185.39.58:443

Networking:

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Source: rundll32.exe, 00000003.00000002.2123061273.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114078046.0000000001B10000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: signifysystem.com

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2123061273.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114078046.0000000001B10000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2123061273.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114078046.0000000001B10000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2123321230.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114285157.0000000001CF7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2123321230.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114285157.0000000001CF7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2123321230.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114285157.0000000001CF7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2123321230.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114285157.0000000001CF7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2123061273.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114078046.0000000001B10000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2123321230.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114285157.0000000001CF7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2123061273.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114078046.0000000001B10000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2114078046.0000000001B10000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: unknown	HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.22:49170 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, pleas' " ' "
Source: Screenshot number: 8	Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 2 Once You have Enable Editing, please click
Source: Screenshot number: 8	Screenshot OCR: Enable Content 14 , from the yellow bar above 15 D e 16 17 I 18 I WHY I CANNOT OPEN THIS DOCUME
Source: Document image extraction number: 5	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 5	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or An
Source: Document image extraction number: 14	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Document image extraction number: 14	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? w You are using IDS or

Found Excel 4.0 Macro with suspicious formulas

Source: 9659e9a8_by_Libranalysis.xls	Initial sample: CALL
Source: 9659e9a8_by_Libranalysis.xls	Initial sample: CALL
Source: 9659e9a8_by_Libranalysis.xls	Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: 9659e9a8_by_Libranalysis.xls

Initial sample: Sheet size: 14902

Document contains embedded VBA macros

Source: 9659e9a8_by_Libranalysis.xls

OLE indicator, VBA macros: true

Source: rundll32.exe, 00000003.00000002.2123061273.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2114078046.0000000001B10000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal68.expl.evad.winXLS@5/11@2/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\5BEE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE169.tmp

Jump to behavior

Source: 9659e9a8_by_Libranalysis.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.185.39.58	signifysystem.com	United States		46606	UNIFIEDLAYER-AS-1US	false
192.185.32.232	fcventasyservicios.cl	United States		46606	UNIFIEDLAYER-AS-1US	false

Contacted Domains

Name	IP	Active
signifysystem.com	192.185.39.58	true
fcventasyservicios.cl	192.185.32.232	true

ID:	412182
Product:	CloudBasic
Start time:	13:21:16
Start date:	12.05.2021
Sample:	9659e9a8_by_Libranalysis
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	9659e9a80fba8f055fbe4e3757b0fd88
SHA1:	701af32440a369d3bf1533cf3d741904b614a470
SHA256:	252bda62a929c697a8b96035c1a52314d88067e745799cb66ac5d9dd593379b0
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 59863 bytes, 1 file	15775D95513782F99CDFB17E65DFCEB1	6C11F8BEE799B093F9FF4841E31041B081B23388	477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	61583C14DEFECA35793C16DDAC220E9C	EE30B0A11013CB87E625F37359EFEA6A048CB302	89531B804F2BCDEBC9B54B94FADC0F2F765F7AA94207A91B79E79DED8452F45E
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	DAC4D0CF65B134F6E0DDF0D6576A5E23	E6F8DC7991462F99883A6273F769D7C15A873BDE	2689E3209829D89FCF929DEC9DD9E29BFC03FE196B4E21D612931CF040F3C1AE
C:\Users\user\AppData\Local\Temp\5AEE0000	data	2D18697CE4F8283BD87D590781722413	4996184EC87C8153AF0C34A436936DC69AEF20A7	BCA81AA3781FB5E45B252BD05BAD0AE2E29C176E2B2B73380111F17006887C80
C:\Users\user\AppData\Local\Temp\CabF4BC.tmp	Microsoft Cabinet archive data, 59863 bytes, 1 file	15775D95513782F99CDFB17E65DFCEB1	6C11F8BEE799B093F9FF4841E31041B081B23388	477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
C:\Users\user\AppData\Local\Temp\TarF4BD.tmp	data	78CABD9F1AFFF17BB91A105CF4702188	52FA8144D1FC5F92DEB45E53F076BCC69F5D8CC7	C7B6743B228E40B19443E471081A51041974801D325DB4ED8FD73A1A24CBD066
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\9659e9a8_by_Libranalysis.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed May 12 19:21:29 2021, mtime=Wed May 12 19:21:45 2021, atime=Wed May 12 19:21:45 2021, length=174080, window=hide	4DF5DD64555829F71B7D83F255CE1DD3	F2D973DB2E59D5832DD7DFA62F83D30DDBA39F90	4E0A99AAFB22184F168E00579374F5B216C8CC45C60BA53F0FE383980CC59D24
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed May 12 19:21:45 2021, atime=Wed May 12 19:21:45 2021, length=16384, window=hide	F7EEBE74F5DE2C503E74B84EFE03A80F	8505B640C8995CEFA5752E3E4C33054340E86B5A	0A5F48A40E0B085F5BB7DBCEF72276927E6853F964BD0D0D2313983B0FA1FC7C
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	43AA6DB16A8F46F4ECBA390A0C27654B	F81E4099E1ACBCB5C5C1FDEABD4EF079DBD32D32	41876EF74BEE90E671EC9ACD42CB627C0F108FCE02EEE7523A101F3410D1ABB1
C:\Users\user\Desktop\5BEE0000	Applesoft BASIC program data, first line number 16	6710A832361C30D96BA10094148DA1A2	2F3CD5D57A4F27696123BF16CA6C462104662C7D	7564E394105692E8AD86D085B464C28B7E94F83B81807EBF3211D0302096BB7E

Analysis Report 9659e9a8_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains