Analysis Report 090811fa_by_Libranalysis

Overview

General Information

Sample Name:	090811fa_by_Libranalysis (renamed file extension from none to xls)
Analysis ID:	412373
MD5:	090811fa4bbb26277eebc82843f3d70e
SHA1:	135d07236adba8e6441c72df1b7f2c459505583c
SHA256:	11dad18ad216bbbf97891c947ef3b70acd0c5a9a0ce80a9f5c4bcaecd7275164
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Sigma detected: Microsoft Office Product Spawning Windows Shell

Document contains embedded VBA macros

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: 090811fa_by_Libranalysis.xls

ReversingLabs: Detection: 10%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.22:49168 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: signifysystem.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.185.39.58:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 192.185.39.58:443

Networking:

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 192.185.39.58 192.185.39.58
Source: Joe Sandbox View	IP Address: 192.185.32.232 192.185.32.232

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Source: rundll32.exe, 00000002.00000002.2110857791.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2104381120.0000000001AB0000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: signifysystem.com

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000002.00000002.2110857791.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2104381120.0000000001AB0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000002.00000002.2110857791.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2104381120.0000000001AB0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000002.00000002.2111131035.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2104580920.0000000001C97000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000002.00000002.2111131035.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2104580920.0000000001C97000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000002.00000002.2111131035.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2104580920.0000000001C97000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000002.00000002.2111131035.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2104580920.0000000001C97000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000002.00000002.2110857791.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2104381120.0000000001AB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000002.00000002.2111131035.0000000001CD7000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2104580920.0000000001C97000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000002.00000002.2110857791.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2104381120.0000000001AB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000003.00000002.2104381120.0000000001AB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443

Source: unknown	HTTPS traffic detected: 192.185.39.58:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 192.185.32.232:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, pleas ' RunDLL
Source: Document image extraction number: 6	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 6	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or An

Found Excel 4.0 Macro with suspicious formulas

Source: 090811fa_by_Libranalysis.xls	Initial sample: CALL
Source: 090811fa_by_Libranalysis.xls	Initial sample: CALL
Source: 090811fa_by_Libranalysis.xls	Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Source: 090811fa_by_Libranalysis.xls

Initial sample: Sheet size: 14902

Document contains embedded VBA macros

Source: 090811fa_by_Libranalysis.xls

OLE indicator, VBA macros: true

Source: rundll32.exe, 00000002.00000002.2110857791.0000000001AF0000.00000002.00000001.sdmp, rundll32.exe, 00000003.00000002.2104381120.0000000001AB0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal76.expl.evad.winXLS@5/11@2/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\3BDE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD1CF.tmp

Jump to behavior

Source: 090811fa_by_Libranalysis.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer

Source: 090811fa_by_Libranalysis.xls

ReversingLabs: Detection: 10%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\ritofm.cvm1,DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.185.39.58	signifysystem.com	United States		46606	UNIFIEDLAYER-AS-1US	false
192.185.32.232	fcventasyservicios.cl	United States		46606	UNIFIEDLAYER-AS-1US	false

Contacted Domains

Name	IP	Active
signifysystem.com	192.185.39.58	true
fcventasyservicios.cl	192.185.32.232	true

ID:	412373
Product:	CloudBasic
Start time:	16:48:06
Start date:	12.05.2021
Sample:	090811fa_by_Libranalysis
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	090811fa4bbb26277eebc82843f3d70e
SHA1:	135d07236adba8e6441c72df1b7f2c459505583c
SHA256:	11dad18ad216bbbf97891c947ef3b70acd0c5a9a0ce80a9f5c4bcaecd7275164
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 59863 bytes, 1 file	15775D95513782F99CDFB17E65DFCEB1	6C11F8BEE799B093F9FF4841E31041B081B23388	477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	A3A9ECED05E688B6DDEC43E5D0601AB8	982C611DE3164758091BF35A02B07D10A120C6D3	D1C39500E630282EC5B10647DE4E1CA513922679F714AEFE47A5E3107C5AEA34
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	DE5DFDD82260B1AB30F886C0860378B2	D8754F4D49DAFECB6E53456725CFD9D3F10C0454	5E473313114C22B5D8D7FC8D40FFE1BA768EE36C8B8CB3901BFDE86B00BCDAE5
C:\Users\user\AppData\Local\Temp\6ADE0000	data	B79D9070E6CC72295229D1A40281D4EF	1B429D85318ED5612331776142223F8B1B8479E4	A9499AFAD6A1323B863087632535346A85C14A392CE222080D9C26B40F5D89C3
C:\Users\user\AppData\Local\Temp\CabE486.tmp	Microsoft Cabinet archive data, 59863 bytes, 1 file	15775D95513782F99CDFB17E65DFCEB1	6C11F8BEE799B093F9FF4841E31041B081B23388	477A9559194EDF48848FCE59E05105168745A46BDC0871EA742A2588CA9FBE00
C:\Users\user\AppData\Local\Temp\TarE487.tmp	data	78CABD9F1AFFF17BB91A105CF4702188	52FA8144D1FC5F92DEB45E53F076BCC69F5D8CC7	C7B6743B228E40B19443E471081A51041974801D325DB4ED8FD73A1A24CBD066
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\090811fa_by_Libranalysis.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed May 12 22:48:28 2021, mtime=Wed May 12 22:48:41 2021, atime=Wed May 12 22:48:41 2021, length=174080, window=hide	6E8491D2499A905365099A8837E9EEEC	E8C9C7568C37CED833C3B96B4CDE78DC65F2104A	40C9889280F9D606CA4F2D641B667748E9A26CFBFA89AB7CC6103E8861537A3D
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed May 12 22:48:41 2021, atime=Wed May 12 22:48:41 2021, length=16384, window=hide	52F6C269F431D729D49C19BD112AAC49	F055FAB4BF4EB976333A5B7727B4A378CAD93A5C	29FFFD5D44E4AE218E6DA12C0BF5665E5CA314B95034128C19A4F3E8310220AD
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	CF3C5C35591A2447C1D979B0EDDE9466	431B45F35402FD3128B853F4C30084C881F7AC0D	13440321B212A4288E328810B16493FD519DD17A33BAB087284704CBE65B4FDA
C:\Users\user\Desktop\3BDE0000	Applesoft BASIC program data, first line number 16	8FA65C75ED4F0930AE76F0648B525EEF	67E3FCA753C7BE39A463E7C9C3F153269A9B7E56	AA8D2D91F70DF9F31C271EC78ADBB1519D567459CE2ED57A8E370C0A6221C6B3

Analysis Report 090811fa_by_Libranalysis

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains