Loading ...

Play interactive tourEdit tour

Analysis Report Current-Status-062021-81197.xlsb

Overview

General Information

Sample Name:Current-Status-062021-81197.xlsb
Analysis ID:432839
MD5:1ac719c744d22f42e4978e7b55828435
SHA1:4ddc7358f615987bf92ed9192430693db65b097c
SHA256:d9be275feff4b3383821b1483ba93424fb27aa40e138da41a91511193d9538cb
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Document exploit detected (drops PE files)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Contains functionality to create processes via WMI
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found abnormal large hidden Excel 4.0 Macro sheet
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapater information
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 7076 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 2460 cmdline: wmic process call create 'C:/Users/Public/SettingSyncHost' MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • SettingSyncHost (PID: 1808 cmdline: C:/Users/Public/SettingSyncHost MD5: 526D56017EF5105277FE0D366C95C39D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Sigma Overview

    System Summary:

    barindex
    Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
    Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic process call create 'C:/Users/Public/SettingSyncHost', CommandLine: wmic process call create 'C:/Users/Public/SettingSyncHost', CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 7076, ProcessCommandLine: wmic process call create 'C:/Users/Public/SettingSyncHost', ProcessId: 2460

    Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Multi AV Scanner detection for domain / URLShow sources
    Source: injuryless.comVirustotal: Detection: 7%Perma Link
    Multi AV Scanner detection for dropped fileShow sources
    Source: C:\Users\Public\SettingSyncHostReversingLabs: Detection: 17%
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\logo[1].pngReversingLabs: Detection: 17%
    Multi AV Scanner detection for submitted fileShow sources
    Source: Current-Status-062021-81197.xlsbVirustotal: Detection: 8%Perma Link
    Machine Learning detection for dropped fileShow sources
    Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\logo[1].pngJoe Sandbox ML: detected
    Source: C:\Users\Public\SettingSyncHostJoe Sandbox ML: detected
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
    Source: unknownHTTPS traffic detected: 95.142.44.93:443 -> 192.168.2.4:49734 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 193.178.169.243:443 -> 192.168.2.4:49739 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 193.178.169.243:443 -> 192.168.2.4:49739 version: TLS 1.2
    Source: Binary string: C:\Work\Downloader\Downloader\Release\Downloader.pdb source: SettingSyncHost
    Source: Binary string: C:\Work\Downloader\Downloader\Release\Downloader.pdb5 source: SettingSyncHost, 00000005.00000002.1526209189.00000000003C8000.00000040.00020000.sdmp
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003CCEB0 FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindClose,5_2_003CCEB0
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003EA7D5 FindFirstFileExW,5_2_003EA7D5

    Software Vulnerabilities:

    barindex
    Document exploit detected (drops PE files)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: logo[1].png.0.drJump to dropped file
    Document exploit detected (UrlDownloadToFile)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileAJump to behavior
    Document exploit detected (process start blacklist hit)Show sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe
    Source: global trafficDNS query: name: pigeonious.com
    Source: global trafficTCP traffic: 192.168.2.4:49734 -> 95.142.44.93:443
    Source: global trafficTCP traffic: 192.168.2.4:49734 -> 95.142.44.93:443
    Source: Joe Sandbox ViewASN Name: VDSINA-ASRU VDSINA-ASRU
    Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003D7CF0 InternetReadFile,5_2_003D7CF0
    Source: unknownDNS traffic detected: queries for: pigeonious.com
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: http://cps.letsencrypt.org0
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: http://r3.i.lencr.org/0
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: http://r3.o.lencr.org0
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: http://x1.c.lencr.org/0
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: http://x1.i.lencr.org/0
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://api.aadrm.com/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://api.cortana.ai
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://api.diagnostics.office.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://api.microsoftstream.com/api/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://api.office.net
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://api.onedrive.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://apis.live.net/v5.0/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://augloop.office.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://augloop.office.com/v2
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://cdn.entity.
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://clients.config.office.net/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://config.edge.skype.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://cortana.ai
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://cortana.ai/api
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://cr.office.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://dataservice.o365filtering.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://dataservice.o365filtering.com/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://dev.cortana.ai
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://devnull.onenote.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://directory.services.
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://graph.ppe.windows.net
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://graph.ppe.windows.net/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://graph.windows.net
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://graph.windows.net/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://incidents.diagnostics.office.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/.7.3.11.3.6.1.5.5.7.3.22.23.140.1.2.11.3.6.1.4.1.44947.1.1.11.3.6.1.5.5.7.3.
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/11.10.3.41.3.6.1.4.1.311.10.3.12
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmp, SettingSyncHost, 00000005.00000002.1526534901.0000000000D68000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/?id=124406_ECF4BBEA1588
    Source: SettingSyncHost, 00000005.00000002.1526534901.0000000000D68000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/?id=124406_ECF4BBEA1588.
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/?id=124406_ECF4BBEA1588/3
    Source: SettingSyncHost, 00000005.00000002.1526534901.0000000000D68000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/?id=124406_ECF4BBEA15881
    Source: SettingSyncHost, 00000005.00000002.1526534901.0000000000D68000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/?id=124406_ECF4BBEA15887
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/?id=124406_ECF4BBEA1588G
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/?id=124406_ECF4BBEA1588I3
    Source: SettingSyncHost, 00000005.00000002.1526534901.0000000000D68000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/?id=124406_ECF4BBEA1588Z
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/?id=124406_ECF4BBEA1588id=124406_ECF4BBEA1588
    Source: SettingSyncHost, 00000005.00000002.1526534901.0000000000D68000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/?id=124406_ECF4BBEA1588m
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/?id=124406_ECF4BBEA1588m2
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/?id=124406_ECF4BBEA1588z2
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/X
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/icies
    Source: SettingSyncHost, 00000005.00000002.1526534901.0000000000D68000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/id=124406_ECF4BBEA1588
    Source: SettingSyncHost, 00000005.00000002.1526534901.0000000000D68000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/id=124406_ECF4BBEA1588p
    Source: SettingSyncHost, 00000005.00000002.1526548221.0000000000D83000.00000004.00000020.sdmpString found in binary or memory: https://injuryless.com/rosoft
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://lifecycle.office.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://login.microsoftonline.com/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://login.windows.local
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://management.azure.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://management.azure.com/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://messaging.office.com/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://ncus.contentsync.
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://ncus.pagecontentsync.
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://officeapps.live.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://onedrive.live.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://onedrive.live.com/embed?
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://outlook.office.com/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://outlook.office365.com/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://pages.store.office.com/review/query
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    Source: hats.xmlString found in binary or memory: https://pigeonious.com/img/logo.png
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://powerlift.acompli.net
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://settings.outlook.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://shell.suite.office.com:1443
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://skyapi.live.net/Activity/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://staging.cortana.ai
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://store.office.cn/addinstemplate
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://store.office.com/addinstemplate
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://store.office.de/addinstemplate
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://store.officeppe.com/addinstemplate
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://tasks.office.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://templatelogging.office.com/client/log
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://web.microsoftstream.com/video/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://webshell.suite.office.com
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://wus2.contentsync.
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://wus2.pagecontentsync.
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    Source: 091AD497-E671-4FDF-8396-74EDF92EBBCF.0.drString found in binary or memory: https://www.odwebp.svc.ms
    Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
    Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
    Source: unknownHTTPS traffic detected: 95.142.44.93:443 -> 192.168.2.4:49734 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 193.178.169.243:443 -> 192.168.2.4:49739 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 193.178.169.243:443 -> 192.168.2.4:49739 version: TLS 1.2

    System Summary:

    barindex
    Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
    Source: Screenshot number: 8Screenshot OCR: Enable Editing" " and then "Enable Content" button. 22 23 24 25 26 27 28 " " 29 30 31 32
    Source: Screenshot number: 8Screenshot OCR: Enable Content" button. 22 23 24 25 26 27 28 " " 29 30 31 32 33 34 ConMecmal j 2021 US
    Contains functionality to create processes via WMIShow sources
    Source: WMIC.exe, 00000003.00000002.671294038.0000000002DB0000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\wmic.exewmic process call create 'C:/Users/Public/SettingSyncHost'C:\Windows\System32\Wbem\wmic.exeWinSta0\Default=::=::\=C:=C:\Users\user\DocumentsALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=QFAPOWPUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
    Found abnormal large hidden Excel 4.0 Macro sheetShow sources
    Source: Current-Status-062021-81197.xlsbInitial sample: Sheet size: 480182
    Office process drops PE fileShow sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\Public\SettingSyncHostJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\logo[1].pngJump to dropped file
    Source: C:\Users\Public\SettingSyncHostProcess Stats: CPU usage > 98%
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003E40F05_2_003E40F0
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_0039D0D35_2_0039D0D3
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003AA1335_2_003AA133
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003E72045_2_003E7204
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_0039D4A55_2_0039D4A5
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003A95265_2_003A9526
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003D85705_2_003D8570
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003CE5D05_2_003CE5D0
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003F170D5_2_003F170D
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003ED7BE5_2_003ED7BE
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003B17A05_2_003B17A0
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003A57E85_2_003A57E8
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_0039C8A05_2_0039C8A0
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_0039D88D5_2_0039D88D
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003F48835_2_003F4883
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003AA8DB5_2_003AA8DB
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003F49A35_2_003F49A3
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003A8A865_2_003A8A86
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003D3AC05_2_003D3AC0
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003A9BB95_2_003A9BB9
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003A7C9A5_2_003A7C9A
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_0039CD355_2_0039CD35
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003DBD605_2_003DBD60
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003DED5B5_2_003DED5B
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003D8D405_2_003D8D40
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003A9E345_2_003A9E34
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_00395E1E5_2_00395E1E
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003EFE995_2_003EFE99
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003A8FD55_2_003A8FD5
    Source: Joe Sandbox ViewDropped File: C:\Users\Public\SettingSyncHost 28F2FA4F9AC95C3FC906E201B758D56C6A888B657DCF57C351A4F34FFB3E0FE2
    Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\logo[1].png 28F2FA4F9AC95C3FC906E201B758D56C6A888B657DCF57C351A4F34FFB3E0FE2
    Source: C:\Users\Public\SettingSyncHostCode function: String function: 0039A560 appears 45 times
    Source: C:\Users\Public\SettingSyncHostCode function: String function: 003D9730 appears 55 times
    Source: classification engineClassification label: mal100.expl.evad.winXLSB@5/8@2/2
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:352:120:WilError_01
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{3950737C-20D7-4D17-885E-2145A276803C} - OProcSessId.datJump to behavior
    Source: C:\Users\Public\SettingSyncHostCommand line argument: P(:5_2_003A27A0
    Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: C:\Windows\SysWOW64\wbem\WMIC.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: C:\Users\Public\SettingSyncHostFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: C:\Users\Public\SettingSyncHostFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
    Source: Current-Status-062021-81197.xlsbVirustotal: Detection: 8%
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create 'C:/Users/Public/SettingSyncHost'
    Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: unknownProcess created: C:\Users\Public\SettingSyncHost C:/Users/Public/SettingSyncHost
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create 'C:/Users/Public/SettingSyncHost'Jump to behavior
    Source: C:\Windows\SysWOW64\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: Current-Status-062021-81197.xlsbInitial sample: OLE zip file path = xl/media/image1.png
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior
    Source: Binary string: C:\Work\Downloader\Downloader\Release\Downloader.pdb source: SettingSyncHost
    Source: Binary string: C:\Work\Downloader\Downloader\Release\Downloader.pdb5 source: SettingSyncHost, 00000005.00000002.1526209189.00000000003C8000.00000040.00020000.sdmp
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_00391070 LoadLibraryA,GetProcAddress,GetProcAddress,5_2_00391070
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003FC0E5 push esi; ret 5_2_003FC0EE
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003C8149 push eax; ret 5_2_003C8179
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003C81C8 push eax; ret 5_2_003C8179
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_0039A5A5 push ecx; ret 5_2_0039A5B8
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003F5CA5 push ecx; ret 5_2_003F5CB8
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003FAF39 pushad ; iretd 5_2_003FAF3D

    Persistence and Installation Behavior:

    barindex
    Creates processes via WMIShow sources
    Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\Public\SettingSyncHostJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\logo[1].pngJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\Public\SettingSyncHostJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\logo[1].pngJump to dropped file
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\Public\SettingSyncHostJump to dropped file

    Boot Survival:

    barindex
    Drops PE files to the user root directoryShow sources
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\Public\SettingSyncHostJump to dropped file
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003DAAF8 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_003DAAF8
    Source: C:\Windows\SysWOW64\wbem\WMIC.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\Public\SettingSyncHostCode function: GetAdaptersInfo,GetAdaptersInfo,5_2_003CBB10
    Source: C:\Users\Public\SettingSyncHostAPI coverage: 7.3 %
    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003CCEB0 FindFirstFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindNextFileA,FindClose,5_2_003CCEB0
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003EA7D5 FindFirstFileExW,5_2_003EA7D5
    Source: WMIC.exe, 00000003.00000002.672546333.0000000003280000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: SettingSyncHost, 00000005.00000002.1526534901.0000000000D68000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW/
    Source: SettingSyncHost, 00000005.00000002.1526534901.0000000000D68000.00000004.00000020.sdmpBinary or memory string: Hyper-V RAW
    Source: WMIC.exe, 00000003.00000002.672546333.0000000003280000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: WMIC.exe, 00000003.00000002.672546333.0000000003280000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: WMIC.exe, 00000003.00000002.672546333.0000000003280000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\Public\SettingSyncHostProcess information queried: ProcessInformationJump to behavior
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_00399082 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00399082
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_00391070 LoadLibraryA,GetProcAddress,GetProcAddress,5_2_00391070
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003E105A mov eax, dword ptr fs:[00000030h]5_2_003E105A
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_00391FE0 mov eax, dword ptr fs:[00000030h]5_2_00391FE0
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003EA4CE mov eax, dword ptr fs:[00000030h]5_2_003EA4CE
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_00391FE0 mov eax, dword ptr fs:[00000030h]5_2_00391FE0
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003A045E VirtualQuery,GetModuleFileNameW,GetPdbDll,GetProcAddress,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,5_2_003A045E
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003D9ABA SetUnhandledExceptionFilter,5_2_003D9ABA
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_00399082 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_00399082
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003DE083 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_003DE083
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003B024E SetUnhandledExceptionFilter,5_2_003B024E
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003D94F2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_003D94F2
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_003D9957 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_003D9957
    Source: C:\Users\Public\SettingSyncHostCode function: 5_2_00393C21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_00393C21