Analysis Report Documents_13134976_1377491379.xlsb

Overview

General Information

Sample Name: Documents_13134976_1377491379.xlsb
Analysis ID: 431937
MD5: 276bf3db434b887bb77adca0bd46e130
SHA1: eee2be9136f2c70a28b6ca5289e73e2a38453da2
SHA256: 27180043ebeb8f2aa8728c5ee020fb5368be3df4e9008b8f01242bf82d5780ce
Tags: xlsb xlsx

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: BlueMashroom DLL Load
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Creates an autostart registry key pointing to binary in C:\Windows
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Regsvr32 Anomaly
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Yara detected Xls With Macro 4.0

Classification

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 107.180.50.232:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49750 version: TLS 1.2
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696B3714 FindFirstFileExA, 5_2_00007FFD696B3714
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD69653714 FindFirstFileExA, 11_2_00007FFD69653714

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\iepfusn.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: rtdsgfe[1].dll.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: tpfcu.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.6:49715 -> 107.180.50.232:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.6:49715 -> 107.180.50.232:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 18.117.84.120:443 -> 192.168.2.6:49740
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 18.117.84.120:443 -> 192.168.2.6:49747
Source: Traffic Snort IDS: 2023476 ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) 18.117.84.120:443 -> 192.168.2.6:49750
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
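The three process-tree findings above (an Office product spawning regsvr32.exe, regsvr32.exe handed a DLL under the user profile, and cmd.exe running ping.exe as a delay) are the kind of rule a SOC engineer would want to reproduce over its own endpoint telemetry. The following is an added example, not part of the report and not the text of any published Sigma rule. The events are constructed in the shape of Sysmon Event ID 1 records (ParentImage, Image, CommandLine) after the process chain in this report; the regsvr32 command line is an assumption, since the report shows only that EXCEL.EXE created regsvr32.exe and dropped C:\Users\user\iepfusn.dll, not the arguments. Note that "ping 8.8.7.7 -n 2" hits both the "check the status of other devices" and the "sleep" signatures: 8.8.7.7 never answers, so each request waits out the per-request timeout, which is what makes it a usable delay.

```python
r"""Sigma-style process-creation checks for the chain in this report: EXCEL.EXE
spawning regsvr32.exe (an Office product launching a LOLBin), regsvr32.exe
loading a DLL from a user-writable path, and cmd.exe running ping.exe as a
delay. Added example, not part of the report and not the text of any Sigma
rule. The records below are constructed in the shape of Sysmon Event ID 1
(ParentImage, Image, CommandLine). The regsvr32 command line is an assumption:
the report shows only that EXCEL.EXE created regsvr32.exe and dropped
C:\Users\user\iepfusn.dll, not the arguments.
"""
from dataclasses import dataclass

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                      "regsvr32.exe", "rundll32.exe", "certutil.exe"}
# Directories from which regsvr32 should not be registering DLLs in a managed environment.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# ping.exe switches that take a value; needed to find the target host in the argument list.
PING_VALUE_FLAGS = {"-n", "-l", "-i", "-v", "-w", "-s", "-j", "-k", "-r", "-c"}


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_shell(ev: ProcEvent) -> bool:
    return _base(ev.parent_image) in OFFICE_PARENTS and _base(ev.image) in SHELLS_AND_LOLBINS


def regsvr32_anomaly(ev: ProcEvent) -> bool:
    """regsvr32 with no .dll/.ocx argument at all, or a module under a user-writable path."""
    if _base(ev.image) != "regsvr32.exe":
        return False
    cl = ev.command_line.lower()
    if ".dll" not in cl and ".ocx" not in cl:
        return True
    return any(d in cl for d in USER_WRITABLE)


def _ping_args(ev: ProcEvent):
    """Return (count, target) from a ping command line; count defaults to Windows' 4."""
    args = ev.command_line.split()
    if args and _base(args[0]) in ("ping", "ping.exe"):
        args = args[1:]
    count, target, skip = 4, "", False
    for i, tok in enumerate(args):
        if skip:
            skip = False
            continue
        low = tok.lower()
        if low == "-n" and i + 1 < len(args) and args[i + 1].isdigit():
            count = int(args[i + 1])
            skip = True
        elif low in PING_VALUE_FLAGS:
            skip = True
        elif low.startswith("-"):
            continue
        else:
            target = tok
    return count, target


def ping_used_as_sleep(ev: ProcEvent) -> bool:
    """ping launched from cmd.exe with a fixed count against some host: the built-in delay idiom."""
    if _base(ev.image) != "ping.exe" or _base(ev.parent_image) != "cmd.exe":
        return False
    _, target = _ping_args(ev)
    return bool(target) and "-t" not in ev.command_line.lower().split()


def estimate_ping_delay(ev: ProcEvent) -> int:
    """Rough delay in seconds. Loopback answers immediately and ping waits one second
    between requests, so about count-1 s; an address that never answers (8.8.7.7 here)
    costs the default 4 s per-request timeout (-w 4000), so about 4*count s."""
    count, target = _ping_args(ev)
    if target in ("127.0.0.1", "::1", "localhost"):
        return max(count - 1, 0)
    return 4 * count


RULES = (
    ("office_spawns_shell", office_spawns_shell),
    ("regsvr32_anomaly", regsvr32_anomaly),
    ("ping_used_as_sleep", ping_used_as_sleep),
)


def run_rules(events) -> list:
    """Return (event_index, rule_name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed events following the report's process tree; the regsvr32 arguments are assumed.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
              r"C:\Windows\SysWOW64\regsvr32.exe",
              r"regsvr32.exe -s C:\Users\user\iepfusn.dll"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\PING.EXE",
              "ping 8.8.7.7 -n 2"),
    ProcEvent(r"C:\Windows\explorer.exe",                       # benign control
              r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32 /s C:\Windows\System32\msxml3.dll"),
]

if __name__ == "__main__":
    for idx, name in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {name} :: {SAMPLE_EVENTS[idx].command_line}")
    print("ping delay ~", estimate_ping_delay(SAMPLE_EVENTS[1]), "s")
```

The benign third event (explorer.exe registering a system DLL) is there to show the path check is what separates the anomaly from routine regsvr32 use; the ping rule is a heuristic and will also fire on a scripted reachability check, which is exactly the ambiguity the two signatures in the report reflect.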
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: MIT-GATEWAYSUS MIT-GATEWAYSUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 8916410db85077a5460817142dcbc8de
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 18.117.84.120 (reported 22 times)
Source: unknown DNS traffic detected: queries for: tpfcu.com
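The two observations above (repeated TCP sessions to 18.117.84.120 with no DNS lookup, and a single query for tpfcu.com) together with the IP-literal URLs later recovered from regsvr32.exe memory are the classic shape of a hardcoded C2 list. The following is an added example, not part of the report, of the check that produces such findings from ordinary network logs: correlate every destination against the set of addresses that actually came back in a DNS answer, and pull IP-literal URLs out of a string dump. The DNS and connection records are constructed in a Zeek-like tab-separated shape (dns.log: ts, query, answers; conn.log: ts, orig_h, resp_h, resp_p) around the report's addresses; that tpfcu.com resolved to 107.180.50.232 is an assumption (the report shows the query and the connection but not the answer), and the windowsupdate answer uses a documentation address. The memory strings are quoted from the report.

```python
"""Two checks behind the network signatures in this report: outbound connections
to addresses that no DNS answer returned ("TCP traffic detected without
corresponding DNS query"), and URLs in process memory whose host is an IP
literal rather than a name. Added example, not part of the report. The DNS and
connection records are constructed in a Zeek-like tab-separated shape
(dns.log: ts, query, answers; conn.log: ts, orig_h, resp_h, resp_p) around the
report's addresses; that tpfcu.com resolved to 107.180.50.232 is an assumption,
since the report shows the query and the connection but not the answer, and
the windowsupdate answer uses a documentation address.
"""
import ipaddress
import re


def _rows(text: str) -> list:
    return [ln.split("\t") for ln in text.strip().splitlines() if ln and not ln.startswith("#")]


def resolved_addresses(dns_log: str) -> set:
    """Every IP that appeared in a DNS answer; CNAMEs and empty answers are skipped."""
    seen = set()
    for _ts, _query, answers in _rows(dns_log):
        for a in answers.split(","):
            a = a.strip()
            try:
                ipaddress.ip_address(a)
            except ValueError:
                continue
            seen.add(a)
    return seen


def connections_without_dns(dns_log: str, conn_log: str) -> list:
    """Sorted unique (ip, port) of external destinations never seen in a DNS answer."""
    resolved = resolved_addresses(dns_log)
    flagged = set()
    for _ts, _orig, resp, port in _rows(conn_log):
        ip = ipaddress.ip_address(resp)
        # Internal, loopback, link-local and multicast traffic is legitimately DNS-less.
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast:
            continue
        if resp not in resolved:
            flagged.add((resp, int(port)))
    return sorted(flagged)


# URL whose host is a dotted-quad; optional port, optional path up to whitespace/quotes.
IP_URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(/[^\s\"'<>]*)?")


def ip_literal_urls(strings) -> list:
    """Sorted unique (ip, path) for every URL with an IP-literal host in the strings."""
    found = set()
    for s in strings:
        for m in IP_URL_RE.finditer(s):
            found.add((m.group(1), m.group(2) or "/"))
    return sorted(found)


# Constructed logs. The 18.117.84.120 sessions are the ones Snort tagged in the report.
DNS_LOG = """\
1623000001.100\ttpfcu.com\t107.180.50.232
1623000002.500\tctldl.windowsupdate.com\t192.0.2.10
"""
CONN_LOG = """\
1623000001.200\t192.168.2.6\t107.180.50.232\t443
1623000005.000\t192.168.2.6\t18.117.84.120\t443
1623000006.000\t192.168.2.6\t18.117.84.120\t443
1623000007.000\t192.168.2.6\t192.168.2.1\t53
1623000008.000\t192.168.2.6\t192.0.2.10\t80
"""
# Strings quoted from the report's regsvr32.exe memory dumps.
MEMORY_STRINGS = [
    "https://18.117.84.120/kenichi/special21new/trailer2a5",
    "https://18.188.86.8:443/kenichi/special21new/trailer2a55",
    "https://18.117.84.120/18.188.86.8/",
    "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
]

if __name__ == "__main__":
    print("connections without DNS:", connections_without_dns(DNS_LOG, CONN_LOG))
    print("IP-literal URLs:", ip_literal_urls(MEMORY_STRINGS))
```

The second IP-literal URL in the report's strings (18.188.86.8, which never appears in the traffic) is the kind of dormant fallback address this extraction is meant to surface; it is an indicator even though the sandbox run never contacted it.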
Source: regsvr32.exe, 00000019.00000003.540484196.0000000000AAC000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000019.00000003.467970862.0000000000B0D000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/
Source: regsvr32.exe, 00000019.00000003.540484196.0000000000AAC000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.25.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000019.00000003.467970862.0000000000B0D000.00000004.00000001.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c71b863b5b2fa
Source: regsvr32.exe, 00000019.00000002.634452908.0000000000A78000.00000004.00000020.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en9
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp String found in binary or memory: https://18.117.84.120/
Source: regsvr32.exe, 00000019.00000002.634433415.0000000000A6E000.00000004.00000020.sdmp String found in binary or memory: https://18.117.84.120/#
Source: regsvr32.exe, 00000019.00000002.636067995.00000000029E5000.00000004.00000001.sdmp String found in binary or memory: https://18.117.84.120/18.188.86.8/
Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp String found in binary or memory: https://18.117.84.120/89b
Source: regsvr32.exe, 00000019.00000002.634433415.0000000000A6E000.00000004.00000020.sdmp, regsvr32.exe, 00000019.00000002.634483097.0000000000A9A000.00000004.00000020.sdmp String found in binary or memory: https://18.117.84.120/kenichi/special21new/trailer2a5
Source: regsvr32.exe, 00000019.00000002.634500391.0000000000AAC000.00000004.00000020.sdmp String found in binary or memory: https://18.117.84.120/kenichi/special21new/trailer2a5T0
Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp String found in binary or memory: https://18.188.86.8/
Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp String found in binary or memory: https://18.188.86.8/Z
Source: regsvr32.exe, 00000019.00000002.634500391.0000000000AAC000.00000004.00000020.sdmp String found in binary or memory: https://18.188.86.8/kenichi/special21new/trailer2a5
Source: regsvr32.exe, 00000019.00000002.634565601.0000000000AFD000.00000004.00000020.sdmp String found in binary or memory: https://18.188.86.8/railer2a55b
Source: regsvr32.exe, 00000019.00000002.636079030.0000000002A44000.00000004.00000001.sdmp String found in binary or memory: https://18.188.86.8:443/kenichi/special21new/trailer2a55
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://api.cortana.ai
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://api.office.net
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://api.onedrive.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://augloop.office.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://cdn.entity.
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://cortana.ai
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://cortana.ai/api
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://cr.office.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://directory.services.
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://graph.windows.net
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://graph.windows.net/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://login.windows.local
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://management.azure.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://management.azure.com/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://messaging.office.com/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://ncus.contentsync.
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://officeapps.live.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://onedrive.live.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://outlook.office.com/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://settings.outlook.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://tasks.office.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 2CA63FBD-E4D0-4324-9237-CB578953FC60.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown HTTPS traffic detected: 107.180.50.232:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 18.117.84.120:443 -> 192.168.2.6:49750 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 Screenshot OCR: Enable editing " to unlock the editing document downloaded from the ir 13 " 14 PROTECTED VIEW Th
Source: Screenshot number: 8 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start : '8 the decryption of documen
Source: Screenshot number: 12 Screenshot OCR: Enable editing " to unlock the editing document downloaded from the ir 13 " 14 PROTECTED VIEW Th
Source: Screenshot number: 12 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start : '8 the decryption of documen
Source: Screenshot number: 16 Screenshot OCR: Enable editing " to unlock the editing document downloaded from the Internet. PROTECTED VIEW This f
Source: Screenshot number: 16 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of document. E
Found Excel 4.0 Macro with suspicious formulas
Source: Documents_13134976_1377491379.xlsb Initial sample: CALL
Source: Documents_13134976_1377491379.xlsb Initial sample: EXEC
Source: Documents_13134976_1377491379.xlsb Initial sample: CALL
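The signature above fires on XLM function names (CALL, EXEC) found in the sample's Excel 4.0 macro sheet, which the "Hidden Macro 4.0" verdict says is hidden. The following triage script is an added example and not part of the sandbox output: it opens an OOXML workbook as a zip, lists the macrosheet parts declared in [Content_Types].xml (or placed under xl/macrosheets/), scans each part for XLM function names in both ASCII and UTF-16LE, and reports hidden sheet entries from xl/workbook.xml. The keyword list is an analyst choice, the assumption that .xlsb macrosheet parts carry the content-type prefix application/vnd.ms-excel.macrosheet without the +xml suffix is mine, and the workbook it builds for testing is constructed, not this report's sample. It does not decode BIFF12 formula records, so a keyword hit is a reason to look closer, not proof of what the formula does.

```python
"""Triage an OOXML workbook (.xlsx/.xlsm/.xlsb) for Excel 4.0 (XLM) macro sheets.

Added example for this report, not part of the sandbox output. Three checks:
  1. Macro sheets: parts whose content type starts with
     application/vnd.ms-excel.macrosheet ("...+xml" in .xlsm; assumed to be the
     same prefix without "+xml" for the BIFF12 parts of .xlsb), plus anything
     stored under xl/macrosheets/ regardless of declared type.
  2. Keywords: each macrosheet part is scanned for XLM function names in ASCII
     and UTF-16LE (the string encoding used inside .xlsb records). No BIFF12
     formula parsing is done; a hit is a triage signal only.
  3. Hidden sheets: workbook.xml entries with state="hidden"/"veryHidden".
     workbook.bin in .xlsb is binary and is not handled here.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
SS_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
# Analyst-chosen XLM functions that show up in download-and-execute chains.
SUSPICIOUS_XLM = ("CALL", "EXEC", "REGISTER", "FORMULA", "URLDownloadToFileA")


def _contains_keyword(blob: bytes, word: str) -> bool:
    return word.encode("ascii") in blob or word.encode("utf-16-le") in blob


def triage_workbook(data: bytes) -> dict:
    """Return macrosheet part names, keyword hits per part, and hidden sheet names."""
    result = {"macrosheets": [], "hits": {}, "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        declared = set()
        if "[Content_Types].xml" in names:
            root = ET.fromstring(zf.read("[Content_Types].xml"))
            for ov in root.iter(CT_NS + "Override"):
                if ov.get("ContentType", "").startswith("application/vnd.ms-excel.macrosheet"):
                    declared.add(ov.get("PartName", "").lstrip("/"))
        # Catch parts under xl/macrosheets/ even if the content type was tampered with.
        for part in sorted(n for n in names if n in declared or n.startswith("xl/macrosheets/")):
            result["macrosheets"].append(part)
            blob = zf.read(part)
            hits = [w for w in SUSPICIOUS_XLM if _contains_keyword(blob, w)]
            if hits:
                result["hits"][part] = hits
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sh in wb.iter(SS_NS + "sheet"):
                if sh.get("state") in ("hidden", "veryHidden"):
                    result["hidden_sheets"].append(sh.get("name"))
    return result


def build_constructed_sample(with_macro: bool) -> bytes:
    """Constructed test workbook; NOT the sample analysed in this report."""
    ct = ['<?xml version="1.0" encoding="UTF-8"?>',
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
          '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>',
          '<Override PartName="/xl/worksheets/sheet1.xml" ContentType="application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"/>']
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    if with_macro:
        ct.append('<Override PartName="/xl/macrosheets/sheet1.bin" ContentType="application/vnd.ms-excel.macrosheet"/>')
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
    ct.append("</Types>")
    workbook = ('<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                f"<sheets>{sheets}</sheets></workbook>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "\n".join(ct))
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_macro:
            # Fake macrosheet payload: UTF-16LE formula text plus an ASCII API name.
            zf.writestr("xl/macrosheets/sheet1.bin",
                        '=EXEC("regsvr32 -s x.dll")'.encode("utf-16-le")
                        + b"URLDownloadToFileA" + "=CALL(".encode("utf-16-le"))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_workbook(build_constructed_sample(True)))
```

Run it against a real file with `triage_workbook(open(path, "rb").read())`. A clean workbook yields no macrosheet parts at all, so the presence of any is already the strong signal; the keyword and hidden-sheet results narrow down what to look at with a full XLM emulator.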
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\iepfusn.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll
Detected potential crypto function
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696A6DAE 5_2_00007FFD696A6DAE
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696B2254 5_2_00007FFD696B2254
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696B8E18 5_2_00007FFD696B8E18
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696AF1F0 5_2_00007FFD696AF1F0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696B3508 5_2_00007FFD696B3508
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696A1788 5_2_00007FFD696A1788
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696A204C 5_2_00007FFD696A204C
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696A1284 5_2_00007FFD696A1284
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D8D11 5_2_012D8D11
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D4554 5_2_012D4554
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012E02A4 5_2_012E02A4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D8282 5_2_012D8282
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D6537 5_2_012D6537
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D6118 5_2_012D6118
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D1517 5_2_012D1517
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012DD57B 5_2_012DD57B
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D8598 5_2_012D8598
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012DE007 5_2_012DE007
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012DFC4D 5_2_012DFC4D
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012E0CE8 5_2_012E0CE8
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012DA8E0 5_2_012DA8E0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D2B26 5_2_012D2B26
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D9F06 5_2_012D9F06
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D3B01 5_2_012D3B01
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D7F12 5_2_012D7F12
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D5372 5_2_012D5372
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012E26AC 5_2_012E26AC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012DC6ED 5_2_012DC6ED
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D5EF8 5_2_012D5EF8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD69646DAE 11_2_00007FFD69646DAE
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD69652254 11_2_00007FFD69652254
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD69658E18 11_2_00007FFD69658E18
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD6964F1F0 11_2_00007FFD6964F1F0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD69653508 11_2_00007FFD69653508
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD69641788 11_2_00007FFD69641788
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD6964204C 11_2_00007FFD6964204C
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD69641284 11_2_00007FFD69641284
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005C8282 11_2_005C8282
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005D02A4 11_2_005D02A4
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005CFC4D 11_2_005CFC4D
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005CE007 11_2_005CE007
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005D0CE8 11_2_005D0CE8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005CA8E0 11_2_005CA8E0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005C4554 11_2_005C4554
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005CD57B 11_2_005CD57B
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005C6118 11_2_005C6118
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005C1517 11_2_005C1517
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005C8D11 11_2_005C8D11
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005C6537 11_2_005C6537
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005C8598 11_2_005C8598
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005C5EF8 11_2_005C5EF8
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005CC6ED 11_2_005CC6ED
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005D26AC 11_2_005D26AC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005C5372 11_2_005C5372
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005C7F12 11_2_005C7F12
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005C9F06 11_2_005C9F06
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005C3B01 11_2_005C3B01
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_005C2B26 11_2_005C2B26
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_0045A8E0 18_2_0045A8E0
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00458282 18_2_00458282
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_004602A4 18_2_004602A4
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_0045FC4D 18_2_0045FC4D
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00454554 18_2_00454554
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_0045C6ED 18_2_0045C6ED
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00460CE8 18_2_00460CE8
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00455372 18_2_00455372
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00455EF8 18_2_00455EF8
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_0045D57B 18_2_0045D57B
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_0045E007 18_2_0045E007
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00459F06 18_2_00459F06
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00453B01 18_2_00453B01
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00451517 18_2_00451517
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00458D11 18_2_00458D11
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00457F12 18_2_00457F12
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00458598 18_2_00458598
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00456118 18_2_00456118
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00452B26 18_2_00452B26
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_004626AC 18_2_004626AC
Source: C:\Windows\System32\regsvr32.exe Code function: 18_2_00456537 18_2_00456537
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A202A4 25_2_00A202A4
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A12B26 25_2_00A12B26
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A16537 25_2_00A16537
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A14554 25_2_00A14554
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A226AC 25_2_00A226AC
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A13B01 25_2_00A13B01
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A18282 25_2_00A18282
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A1E007 25_2_00A1E007
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A19F06 25_2_00A19F06
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A18D11 25_2_00A18D11
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A17F12 25_2_00A17F12
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A11517 25_2_00A11517
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A18598 25_2_00A18598
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A16118 25_2_00A16118
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A1A8E0 25_2_00A1A8E0
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A20CE8 25_2_00A20CE8
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A1C6ED 25_2_00A1C6ED
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A15372 25_2_00A15372
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A15EF8 25_2_00A15EF8
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A1D57B 25_2_00A1D57B
Source: C:\Windows\System32\regsvr32.exe Code function: 25_2_00A1FC4D 25_2_00A1FC4D
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FD6537 26_2_00FD6537
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FE02A4 26_2_00FE02A4
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FD5EF8 26_2_00FD5EF8
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FDD57B 26_2_00FDD57B
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FD5372 26_2_00FD5372
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FDC6ED 26_2_00FDC6ED
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FE0CE8 26_2_00FE0CE8
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FDA8E0 26_2_00FDA8E0
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FD4554 26_2_00FD4554
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FDFC4D 26_2_00FDFC4D
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FE26AC 26_2_00FE26AC
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FD2B26 26_2_00FD2B26
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FD8598 26_2_00FD8598
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FD6118 26_2_00FD6118
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FD1517 26_2_00FD1517
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FD8D11 26_2_00FD8D11
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FD7F12 26_2_00FD7F12
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FDE007 26_2_00FDE007
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FD9F06 26_2_00FD9F06
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FD3B01 26_2_00FD3B01
Source: C:\Windows\System32\regsvr32.exe Code function: 26_2_00FD8282 26_2_00FD8282
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B76537 27_2_00B76537
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B802A4 27_2_00B802A4
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B74554 27_2_00B74554
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B72B26 27_2_00B72B26
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B826AC 27_2_00B826AC
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B71517 27_2_00B71517
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B77F12 27_2_00B77F12
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B78D11 27_2_00B78D11
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B78598 27_2_00B78598
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B76118 27_2_00B76118
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B7E007 27_2_00B7E007
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B79F06 27_2_00B79F06
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B78282 27_2_00B78282
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B73B01 27_2_00B73B01
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B75372 27_2_00B75372
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B7D57B 27_2_00B7D57B
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B75EF8 27_2_00B75EF8
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B80CE8 27_2_00B80CE8
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B7A8E0 27_2_00B7A8E0
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B7C6ED 27_2_00B7C6ED
Source: C:\Windows\System32\regsvr32.exe Code function: 27_2_00B7FC4D 27_2_00B7FC4D
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\L3YD7CE.dll 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2
Source: Joe Sandbox View Dropped File: C:\Users\user\iepfusn.dll 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSB@28/13@1/4
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_012D4554 CreateToolhelp32Snapshot,Process32First,FindCloseChangeNotification,Process32Next, 5_2_012D4554
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\System32\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\NFIRRWAVEQLJNKX7G17J1Q
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1808:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{4F0D64AE-B9BF-48DC-A1ED-DB4CEC735B81} - OProcSessId.dat
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\iepfusn.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe -s ..\iepfusn.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\cmd.exe cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\cmd.exe cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\System32\cmd.exe cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
Source: unknown Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\system32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Documents_13134976_1377491379.xlsb Initial sample: OLE zip file path = xl/media/image1.png
Source: Documents_13134976_1377491379.xlsb Initial sample: OLE zip file path = xl/media/image2.png
Source: Documents_13134976_1377491379.xlsb Initial sample: OLE zip file path = xl/media/image3.png
Source: Documents_13134976_1377491379.xlsb Initial sample: OLE zip file path = xl/media/image4.png
Source: Documents_13134976_1377491379.xlsb Initial sample: OLE zip file path = xl/media/image5.png
Source: Documents_13134976_1377491379.xlsb Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll

Data Obfuscation:

Registers a DLL
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\iepfusn.dll

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\iepfusn.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll
Source: C:\Windows\System32\regsvr32.exe File created: C:\Users\user\AppData\Local\Temp\L3YD7CE.dll
Drops PE files to the user directory
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\iepfusn.dll

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Windows\System32\regsvr32.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run FX11S05YSR
Drops PE files to the user root directory
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\iepfusn.dll

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\regsvr32.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses ping.exe to sleep
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
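The process tree listed under System Summary, the ping-as-sleep signature above, and the HKCU Run value under Boot Survival describe one chain: 32-bit Excel runs the SysWOW64 regsvr32 on a DLL it dropped into the user profile; that regsvr32 hands off to the System32 copy (regsvr32 re-executes the other-architecture copy itself when the DLL's bitness does not match, so the 64-bit regsvr32's parent is regsvr32, not Excel); the loaded DLL then spawns `cmd /c ping 8.8.7.7 -n 2 & start regsvr32 -s <dll> <token>` so that ping provides a short delay before the next regsvr32. The detection below is an added example, not part of the sandbox report and not the text of the Sigma rules it cites. Events are constructed in a Sysmon-like shape from the command lines shown in the report; the Run value's data is not shown in the report, so the value used for the Run-key check is an assumption and labelled as such. The rule names and the list of Office binaries and script hosts are my choices. Note that the Excel-to-regsvr32 hop carries only `regsvr32 -s ..\iepfusn.dll`, so a rule that wants an absolute path needs the process's working directory or the later, fully qualified regsvr32 invocations.

```python
"""Flag this report's execution chain from process-creation and Run-key telemetry.

Added example; not part of the sandbox report and not the cited Sigma rules.
Rules:
  office_spawns_<child>   an Office process creates regsvr32/cmd/another script host
  regsvr32_user_path_dll  regsvr32 is handed a DLL under C:\\Users\\ or a relative ..\\ path
  ping_sleep_then_start   cmd runs "ping <host> -n N & start ..." (ping as a timer)
  regsvr32_spawns_cmd     a COM registration has no reason to launch a shell
"""
from __future__ import annotations

import re
from dataclasses import dataclass

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"regsvr32.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"""(?i)(?:^|[\s"'])(?:\.\.\\|c:\\users\\[^\\]+\\)""")
PING_SLEEP = re.compile(r"(?i)\bping(?:\.exe)?\s+\S+\s+-n\s+\d+\s*&\s*start\b")
WINDOWS_EXE = re.compile(r"(?i)c:\\windows\\[^\s\"]*\\(\w+\.exe)")


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(ev: ProcEvent) -> list[str]:
    """Return the rule names that match one process-creation event."""
    img, parent, cl = _base(ev.image), _base(ev.parent_image), ev.command_line
    alerts = []
    if parent in OFFICE and img in SCRIPT_HOSTS:
        alerts.append(f"office_spawns_{img[:-4]}")
    if img == "regsvr32.exe" and USER_WRITABLE.search(cl):
        alerts.append("regsvr32_user_path_dll")
    if img == "cmd.exe" and PING_SLEEP.search(cl):
        alerts.append("ping_sleep_then_start")
    if parent == "regsvr32.exe" and img == "cmd.exe":
        alerts.append("regsvr32_spawns_cmd")
    return alerts


def detect_run_value(value_data: str) -> bool:
    """True when a Run value launches a Windows LOLBin with a user-writable path argument."""
    m = WINDOWS_EXE.search(value_data)
    return bool(m and m.group(1).lower() in LOLBINS and USER_WRITABLE.search(value_data))


def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> alerts, for events that triggered at least one rule."""
    return {i: a for i, ev in enumerate(events) if (a := detect(ev))}


EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"
RS32, RS64 = r"C:\Windows\SysWOW64\regsvr32.exe", r"C:\Windows\System32\regsvr32.exe"
CMD, PING = r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\PING.EXE"

# Constructed from the process tree in this report (two of the ping/regsvr32 cycles).
EVENTS = [
    ProcEvent(RS32, EXCEL, r"regsvr32 -s ..\iepfusn.dll"),
    ProcEvent(RS64, RS32, r"-s ..\iepfusn.dll"),
    ProcEvent(CMD, RS64, r"cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR"),
    ProcEvent(PING, CMD, r"ping 8.8.7.7 -n 2"),
    ProcEvent(RS64, CMD, r"C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR"),
    ProcEvent(CMD, RS64, r"cmd /c ping 8.8.7.7 -n 2 & start C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG"),
    ProcEvent(RS64, CMD, r"C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG"),
]

# ASSUMPTION: the report shows only the Run value name (FX11S05YSR), not its data.
# This data is constructed from the last regsvr32 command line in the report.
RUN_VALUE_ASSUMED = r"C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB"

if __name__ == "__main__":
    for i, alerts in scan(EVENTS).items():
        print(i, EVENTS[i].command_line, alerts)
    print("run key suspicious:", detect_run_value(RUN_VALUE_ASSUMED))
```

The ping event itself produces no alert; what matters is the `ping ... & start` command line of its cmd parent, which also ties the delay to the process it is stalling for. In production telemetry the same rules apply to Sysmon event ID 1 (image, parent image, command line) and event ID 13 (Run value data).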
Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\regsvr32.exe TID: 6852 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 5704 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6880 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6880 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6848 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 6816 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 3252 Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\regsvr32.exe Last function: Thread delayed
Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696A9D9D GetKeyboardLayoutNameW followed by cmp: cmp ebp, ecx and CTI: je 00007FFD696AA100h 5_2_00007FFD696A9D9D
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD69649D9D GetKeyboardLayoutNameW followed by cmp: cmp ebp, ecx and CTI: je 00007FFD6964A100h 11_2_00007FFD69649D9D
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696B3714 FindFirstFileExA, 5_2_00007FFD696B3714
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD69653714 FindFirstFileExA, 11_2_00007FFD69653714
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 60000
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\regsvr32.exe Thread delayed: delay time: 30000
Source: regsvr32.exe, 00000019.00000003.540484196.0000000000AAC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWt
Source: regsvr32.exe, 00000019.00000003.540484196.0000000000AAC000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: regsvr32.exe, 0000001A.00000002.465899187.000000000101D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]]N
Source: regsvr32.exe, 0000001B.00000002.482209725.0000000000BB8000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\regsvr32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696B31A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FFD696B31A0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696A4402 GetProcessHeap,HeapAlloc,GetProcessHeap,RtlAllocateHeap, 5_2_00007FFD696A4402
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696B31A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FFD696B31A0
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696B03CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FFD696B03CC
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696AFC50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FFD696AFC50
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD696531A0 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00007FFD696531A0
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD696503CC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00007FFD696503CC
Source: C:\Windows\System32\regsvr32.exe Code function: 11_2_00007FFD6964FC50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00007FFD6964FC50

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\regsvr32.exe Network Connect: 18.117.84.120 187
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\iepfusn.dll RV0KR
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll N8DG
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping 8.8.7.7 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\L3YD7CE.dll VE50DB
Yara detected Xls With Macro 4.0
Source: Yara match File source: app.xml, type: SAMPLE
Source: regsvr32.exe, 00000019.00000002.635081391.00000000010E0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000019.00000002.635081391.00000000010E0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: regsvr32.exe, 00000019.00000002.635081391.00000000010E0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: regsvr32.exe, 00000019.00000002.635081391.00000000010E0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696B8940 cpuid 5_2_00007FFD696B8940
Source: C:\Windows\System32\regsvr32.exe Code function: 5_2_00007FFD696B02C8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 5_2_00007FFD696B02C8
Source: C:\Windows\System32\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid