Analysis Report document-47-2637.xls
Overview
General Information
Detection
Score: | 84 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Signature Overview |
---|
Click to jump to signature section
AV Detection: |
---|
Multi AV Scanner detection for submitted file | Show sources |
Source: | Virustotal: | Perma Link | ||
Source: | Metadefender: | Perma Link | ||
Source: | ReversingLabs: |
Source: | File opened: |
Source: | HTTPS traffic detected: |
Source: | Binary string: | ||
Source: | Binary string: |
Software Vulnerabilities: |
---|
Document exploit detected (UrlDownloadToFile) | Show sources |
Source: | Section loaded: |
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | Memory has grown: |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | JA3 fingerprint: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Network traffic detected: | ||
Source: | Network traffic detected: |
Source: | HTTPS traffic detected: |
E-Banking Fraud: |
---|
Checks if browser processes are running | Show sources |
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: | ||
Source: | Code function: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Show sources |
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas | Show sources |
Source: | Initial sample: |
Found abnormal large hidden Excel 4.0 Macro sheet | Show sources |
Source: | Initial sample: |
Source: | Code function: |
Source: | Dropped File: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | Mutant created: |
Source: | File created: | Jump to behavior |
Source: | OLE indicator, Workbook stream: |
Source: | File read: | Jump to behavior |
Source: | Key opened: |
Source: | Virustotal: | ||
Source: | Metadefender: | ||
Source: | ReversingLabs: |
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: | ||
Source: | Process created: |
Source: | Window detected: |
Source: | Key opened: |
Source: | File opened: |
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Initial sample: |
Source: | Initial sample: |
Source: | Static PE information: |
Source: | Code function: |
Source: | File created: | Jump to dropped file |
Source: | Code function: |
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: | ||
Source: | Process information set: |
Source: | Stream path 'Workbook' entropy: |
Malware Analysis System Evasion: |
---|
Contains functionality to compare user and computer (likely to detect sandboxes) | Show sources |
Source: | Code function: |
Source: | API coverage: |
Source: | Last function: |
Source: | Code function: |
Source: | Code function: |
Source: | Code function: | ||
Source: | Code function: |
Source: | Code function: |
Source: | Code function: |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting2 | Application Shimming1 | Process Injection2 | Masquerading1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution23 | Boot or Logon Initialization Scripts | Application Shimming1 | Disable or Modify Tools1 | LSASS Memory | Security Software Discovery12 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Extra Window Memory Injection1 | Process Injection2 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting2 | NTDS | File and Directory Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information11 | LSA Secrets | System Information Discovery4 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings | |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Timestomp1 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features | |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Extra Window Memory Injection1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Behavior Graph |
---|
Screenshots |
---|
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
26% | Virustotal | Browse | ||
23% | Metadefender | Browse | ||
15% | ReversingLabs | Document-Office.Trojan.Heuristic |
Dropped Files |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Metadefender | Browse | ||
0% | ReversingLabs |
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse |
URLs |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Virustotal | Browse | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | Avira URL Cloud | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe | ||
0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
webhub365.com | 198.244.146.96 | true | false |
| unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high | |||
false |
| unknown | ||
false | high |
Contacted IPs |
---|
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
198.244.146.96 | webhub365.com | United States | 18630 | RIDLEYSD-NETUS | false |
General Information |
---|
Joe Sandbox Version: | 32.0.0 Black Diamond |
Analysis ID: | 432941 |
Start date: | 11.06.2021 |
Start time: | 00:05:31 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 4m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | document-47-2637.xls |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211 |
Run name: | Potential for more IOCs and behavior |
Number of analysed new started processes analysed: | 26 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal84.bank.expl.evad.winXLS@6/8@1/1 |
EGA Information: |
|
HDC Information: |
|
HCA Information: | Failed |
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
No simulations |
---|
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
198.244.146.96 | Get hash | malicious | Browse | ||
Get hash | malicious | Browse | |||
Get hash | malicious | Browse |
Domains |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
webhub365.com | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
|
ASN |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
RIDLEYSD-NETUS | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
JA3 Fingerprints |
---|
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context |
---|---|---|---|---|---|
37f463bf4616ecd445d4a1937da06e19 | Get hash | malicious | Browse |
| |
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
| ||
Get hash | malicious | Browse |
|
Dropped Files |
---|
Created / dropped Files |
---|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 134922 |
Entropy (8bit): | 5.369096977426818 |
Encrypted: | false |
SSDEEP: | 1536:VcQIKNEeBXA3gBwlpQ9DQW+z7534ZliKWXboOilX5ENLWME9:hEQ9DQW+ziXOe |
MD5: | EFDCCF0E3988CC8522DA896FF634963A |
SHA1: | C14FFFC27E2118EE983A089C4288A894336C558B |
SHA-256: | A773943B455B0B061DB5E88D3E99F7C2982931ADF334514C4CD564403A3A40B1 |
SHA-512: | B2A94CD75B635A8563D6D572093EE4E85AF35A7F5D21509C8F02C39F15084A4CC5191E51FA8B712FAFF63259B6740F40C463B4C23783CBDC3B6D6FACEAEBD8D4 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 68601 |
Entropy (8bit): | 7.609519686020766 |
Encrypted: | false |
SSDEEP: | 768:5XWvegIg9kOKLUwxZi4IB5/vAVk/ViuHpc2HoM3DFZXHHHHHHHHHLGAX4MOw+j85:ekNLPHqvAk/Vi6+YDT7Hbc8hxCCVljJ |
MD5: | 8ADAF6B90235725A61872A8DB4229AB4 |
SHA1: | 0D3F245BA39D7F1909A6BECEA21D444DDCC2992C |
SHA-256: | EF4D3E61002EE375D7DA35AC750AE8473E476DEE0CBBDD779208FA3A1079D8F4 |
SHA-512: | ED05561C99B4CA1C28C8FBF8C2E7EE58DF41CC180A979CC9A7431B3A8004549F379F9F569BB3A1ACAED463AD6CA4AA6665A028555DFB21384FF67F42ABA078D8 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 904 |
Entropy (8bit): | 4.657346264107908 |
Encrypted: | false |
SSDEEP: | 12:8dDsXUxvuElPCH2AQaYWzhO8+WrjAZ/2bDhLLC5Lu4t2Y+xIBjKZm:8FaQSAZiDM87aB6m |
MD5: | C17835DE1533EE31CF716FFCD2BEAC22 |
SHA1: | 2F8F01FF8FF43311472B475398FC9E1DFED3EC53 |
SHA-256: | 9CD9102A634AD9C62E44C783A47E437E2D8C19AC07DE5F2A173D320D6643BC84 |
SHA-512: | 054265AC8BBD231F4D08D1DE85CBE9DD90FFBD76A9890FA421C9D947B8714BA525CEBAABA893CA0015BBAC988D81061CAEAC938BA0945ACD2E7130734B217829 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 2170 |
Entropy (8bit): | 4.7200190235862465 |
Encrypted: | false |
SSDEEP: | 24:8WaQPgNAoF1DhV7aB6myWaQPgNAoF1DhV7aB6m:8WYGoFr4B6pWYGoFr4B6 |
MD5: | 55EB1B86A51BA808580E7D8F6B69C6F8 |
SHA1: | 8060B4A00590F6720A2E3DBCF32DB7CC1E6D4572 |
SHA-256: | 3771E847369345DE9B338EAEB13AD78BBDAE9734AD28A411086E72AA174FF41B |
SHA-512: | F525EB9D1417779410856C84CBBDD19D68B909754E088105B7660671B35C30EF65C1FEF98F6FF2FDAFBE3C35648346C484E40B316EA09C87CB383EA37514D8B3 |
Malicious: | true |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 113 |
Entropy (8bit): | 4.7740406620224185 |
Encrypted: | false |
SSDEEP: | 3:oyBVomMY9LRkKSpmUZELRkKSpmUmMY9LRkKSpmUv:dj6Y9LaJpbELaJphY9LaJpl |
MD5: | 76DDF8AD6F08D42714419B5F042F0B0D |
SHA1: | FBDDF758BD78A5D4F9DD2FA75CF7C243AF7B903C |
SHA-256: | BCF2EA38D3219270EE2D8295AE7059C1AEB42B3486DB50686CA6E83F6D8DF13E |
SHA-512: | 1BC7D6A190905BA1A79374289431AB54512D654E70CA14EB0CB6AD0CADCA030D0502B7E9523ECF2D3765C46199EC1D44178FD9B4A2A628F4A9D466DEFEB0A177 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 99740 |
Entropy (8bit): | 7.930716567182298 |
Encrypted: | false |
SSDEEP: | 3072:4QmPGcKEHjaHavc2O9oC/ZgqvE4W56IxcVTKHQmPGwKEHjz:4ocKEjaHy4o0gqQ56IkKHowKEjz |
MD5: | A128138DAF2B0EF988191575CC89C60E |
SHA1: | 94919944D17E1A500D6B4D7958DEC55F8C295053 |
SHA-256: | 9257667CD47E559630286BFE64552BDE4A44AF3CB45392F501394832893F5B9F |
SHA-512: | B73B1DBD9520BC738BB10DB58AC5868315C56F79C09DE68BE95E8A41A559D906C85DD3B96E554028C29756BCC8E5FA5D057BACF446B0C1847BE504677B4C2F64 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 117445 |
Entropy (8bit): | 7.926699765404259 |
Encrypted: | false |
SSDEEP: | 3072:vida2N1S7U7VGSwX+B4TJ2FrKmNYfjeXyQfjeXQidaJL:vidHvI5lN2VKaYfjeCQfjegidW |
MD5: | 85DA544B4D80414FFA7A91346A2DD333 |
SHA1: | 7AFEF0F5DBF3476F1FA06ED5490125D87D8F3FB2 |
SHA-256: | A083B8DADA5B4AA41D290E7796E6F3AE2AE77340AC9295D74182041B5A9F92B6 |
SHA-512: | 4685FA2C5AAF91B1F276267ED6BD500C628F0A6B71422480184BDBFB80978B7DC7F6499CDC7E756D2A7E471E947AD6198A712AC2B0285794CBC5F75F0BAF07BA |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Windows\SysWOW64\cmd.exe |
File Type: | |
Category: | dropped |
Size (bytes): | 44544 |
Entropy (8bit): | 6.190125674423799 |
Encrypted: | false |
SSDEEP: | 768:AAMBmP3+XxLKZ/XMsQt1TZPImKXPXtE6MayeDkX0PmfkPchaDPfsRi7P4QG64iuU:UsP3+XxLKZ/XMsQt1TZPImKXPdfDkXSZ |
MD5: | CE639EB63B7C1C1EC94651B65CCEC383 |
SHA1: | B92544ED405C33F2DB64A0BCA41646CB712E246B |
SHA-256: | 2D2EAD13B2796AD58D070DC1FD36961866F25E1E436661C760A879EAC35982F9 |
SHA-512: | 66E841C9DF0D17AB1A1C866A96769AD0F4F8329C94EDB2917648FB4FF76E7A47C479A60A0D05293136843EC5BA938B0CEB96190BEE01AE049A467BDA45CB4566 |
Malicious: | true |
Antivirus: |
|
Joe Sandbox View: | |
Reputation: | low |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.59086745125602 |
TrID: |
|
File name: | document-47-2637.xls |
File size: | 92165 |
MD5: | 92dcc47a1a044fc3a2328ec6eef3918b |
SHA1: | 6f9266a6c0b702cbaa0a3583df5c8cd1357eae35 |
SHA256: | ac4b99079b1ceb11db593097e421de9d9092765feedc23a3ab8ef912b292c988 |
SHA512: | fcd4b7c0a4e0f785604f40e0a9a4690e9b642223ee63088c6c4acfc262a18f5a79c77ab82498b422b229eaecc9a2e745b7e455c43ad2a85794e7adbac6b9bafd |
SSDEEP: | 1536:Lc2ZSmXWCQnp2c90Hg+j8z3kVfKIDVzoFGUslIB54N+wl8MYBzaVt4J5aukGqu:LXZxXTQ8hHgNQNeF3V4NvuhBzaV+J5a+ |
File Content Preview: | ........................>...................................................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | 74ecd4c6c3c6c4d8 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File "document-47-2637.xls" |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Excel |
Encrypted Document: | True |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | True |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: | False |
Summary | |
---|---|
Code Page: | 1252 |
Author: | |
Last Saved By: | |
Create Time: | 2021-06-02 13:40:34 |
Last Saved Time: | 2021-06-02 13:40:36 |
Creating Application: | |
Security: | 1 |
Document Summary | |
---|---|
Document Code Page: | 1252 |
Thumbnail Scaling Desired: | False |
Company: | |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 983040 |
Streams |
---|
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.308022095077 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . i . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 ec 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a5 00 00 00 |
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | data |
Stream Size: | 4096 |
Entropy: | 0.316312415339 |
Base64 Encoded: | False |
Data ASCII: | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . W i n d o w s U s e r . . . . . . . . . . . . W i n d o w s U s e r . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . . . W . . @ . . . . . . . . W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . |
Data Raw: | fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 b0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 60 00 00 00 12 00 00 00 78 00 00 00 0c 00 00 00 90 00 00 00 0d 00 00 00 9c 00 00 00 13 00 00 00 a8 00 00 00 02 00 00 00 e4 04 00 00 1e 00 00 00 10 00 00 00 |
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 81910 |
---|
General | |
---|---|
Stream Path: | Workbook |
File Type: | Applesoft BASIC program data, first line number 16 |
Stream Size: | 81910 |
Entropy: | 7.97723236264 |
Base64 Encoded: | True |
Data ASCII: | . . . . . . . . T 8 . . . . . . . . . . / . 6 . . . . . . . . j . . . _ . W > N . B . . [ . . . . . . D . G . . . . 9 s < D l . o . b . 3 . ^ K W . ~ . U . . . . . . . . . . . h . . . . . \\ . p . i . . v . / . . . . B . 7 r . n . S . $ . 4 f . 7 . U . . e . Y k . . . L Q . . o N . . . . $ a . 7 Q . . . u . s . X U . ^ . . . . . . K . C d . . . l . ? . & . C . . . . . . . . v . . . . . 4 ; / . . . . 6 4 = . . . . . . B . . . . I a . . . . D . . . . = . . . . # . c . . . . h . . . . . s R . . . . . . . . . . |
Data Raw: | 09 08 10 00 00 06 05 00 54 38 cd 07 c1 c0 01 00 06 07 00 00 2f 00 36 00 01 00 01 00 01 00 02 6a df 82 8f 5f f7 57 3e 4e 18 42 a0 92 5b 1d e8 95 bd ea b2 44 89 47 13 ad c8 06 39 73 3c 44 6c 0c 6f cd 62 dc 33 7f 5e 4b 57 2e 7e e6 55 cf e1 00 02 00 b0 04 c1 00 02 00 68 a6 e2 00 00 00 5c 00 70 00 69 b6 c9 76 af 2f 14 b1 ed d6 42 f4 37 72 10 6e cc 53 fc 24 ef 34 66 18 37 82 55 80 f5 65 |
Macro 4.0 Code |
---|
,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,l,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,?,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,L,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,x,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,mxUXwaSU= $N$84&$X$102&$K$324&$C$460&$M$83&$K$324&$N$447&$I$336&$X$102&$K$324&$X$82&$M$83&$U$271&$X$102&$V$246&$X$462,,,,,,,,,,,,,,,,,,,,,,id9nB5my= $W$367,,,,,,,,,,,,,,,,,,,,,,=$F$105(),,,,,,,,,,,,,,,,,,,,,,=RUN($K$351),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,M,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,s,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,mxUXwaSU= $H$409&$H$409&$N$84&$N$84&$N$84&$N$84&$H$409,,,,,,,,,,,,,,,,,,,,,,id9nB5my= $Y$71,,,,,,,,,,,,,,,,,,,,,,=$F$105(),,,,,,,,,,,,,,,,,,,,,,=RUN($I$385),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\,,,,,,,,,,,,,,,,,,,,,,,Z,,,,,,,,,,,,,,,,,,,,,,,,,,,,,c,,,,,,,,,,,t,,,,,,,,,,,,,,,,,,,,,,,C,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,r,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=RETURN(FORMULA.FILL(mxUXwaSU,id9nB5my))",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,d,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,q,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,/,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,F,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,I,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,n,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,E,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,mxUXwaSU= $F$204&$H$481&$K$324&$N$11&$N$11&$E$78&$I$228,,,,,,,,,,,,,,,,,,,,,,id9nB5my= $D$167,,,,,,,,,,,,,,,,,,,,,,=$F$105(),,,,,,,,,,,,,,,,,,,,,,=RUN($R$247),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,!,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Network Behavior |
---|
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 11, 2021 00:06:27.421255112 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:06:27.478616953 CEST | 443 | 49716 | 198.244.146.96 | 192.168.2.3 |
Jun 11, 2021 00:06:27.478701115 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:06:27.479861975 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:06:27.538413048 CEST | 443 | 49716 | 198.244.146.96 | 192.168.2.3 |
Jun 11, 2021 00:06:27.538866997 CEST | 443 | 49716 | 198.244.146.96 | 192.168.2.3 |
Jun 11, 2021 00:06:27.538923025 CEST | 443 | 49716 | 198.244.146.96 | 192.168.2.3 |
Jun 11, 2021 00:06:27.538950920 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:06:27.538985014 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:06:27.539036989 CEST | 443 | 49716 | 198.244.146.96 | 192.168.2.3 |
Jun 11, 2021 00:06:27.539073944 CEST | 443 | 49716 | 198.244.146.96 | 192.168.2.3 |
Jun 11, 2021 00:06:27.539180994 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:06:27.539194107 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:06:27.545403957 CEST | 443 | 49716 | 198.244.146.96 | 192.168.2.3 |
Jun 11, 2021 00:06:27.545488119 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:06:27.560430050 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:06:27.622329950 CEST | 443 | 49716 | 198.244.146.96 | 192.168.2.3 |
Jun 11, 2021 00:06:27.622442961 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:06:27.623302937 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:06:27.722176075 CEST | 443 | 49716 | 198.244.146.96 | 192.168.2.3 |
Jun 11, 2021 00:06:27.801678896 CEST | 443 | 49716 | 198.244.146.96 | 192.168.2.3 |
Jun 11, 2021 00:06:27.801772118 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:07:42.804555893 CEST | 443 | 49716 | 198.244.146.96 | 192.168.2.3 |
Jun 11, 2021 00:07:42.804584026 CEST | 443 | 49716 | 198.244.146.96 | 192.168.2.3 |
Jun 11, 2021 00:07:42.804740906 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:07:42.804788113 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:08:14.037198067 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:08:14.038058996 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
Jun 11, 2021 00:08:14.092190027 CEST | 443 | 49716 | 198.244.146.96 | 192.168.2.3 |
Jun 11, 2021 00:08:14.092454910 CEST | 49716 | 443 | 192.168.2.3 | 198.244.146.96 |
UDP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Jun 11, 2021 00:06:11.702044964 CEST | 57544 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:11.760623932 CEST | 53 | 57544 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:12.423217058 CEST | 55984 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:12.476452112 CEST | 53 | 55984 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:13.815809011 CEST | 64185 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:13.866977930 CEST | 53 | 64185 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:14.916023016 CEST | 65110 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:14.971484900 CEST | 53 | 65110 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:16.358946085 CEST | 58361 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:16.409419060 CEST | 53 | 58361 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:21.025928020 CEST | 63492 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:21.079080105 CEST | 53 | 63492 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:23.198029995 CEST | 60831 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:23.261420965 CEST | 53 | 60831 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:24.092327118 CEST | 60100 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:24.181787968 CEST | 53 | 60100 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:24.303061962 CEST | 53195 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:24.353502035 CEST | 53 | 53195 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:24.621697903 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:24.698167086 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:25.705683947 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:25.769946098 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:26.716443062 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:26.795233965 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:27.358728886 CEST | 53023 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:27.419373989 CEST | 53 | 53023 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:27.434504986 CEST | 49563 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:27.487027884 CEST | 53 | 49563 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:28.777640104 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:28.839839935 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:28.994000912 CEST | 51352 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:29.047103882 CEST | 53 | 51352 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:30.037847996 CEST | 59349 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:30.098191023 CEST | 53 | 59349 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:31.069005966 CEST | 57084 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:31.121495962 CEST | 53 | 57084 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:32.177925110 CEST | 58823 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:32.230151892 CEST | 53 | 58823 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:32.825553894 CEST | 50141 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:32.887362957 CEST | 53 | 50141 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:34.401581049 CEST | 57568 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:34.456387997 CEST | 53 | 57568 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:36.240473032 CEST | 50540 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:36.296987057 CEST | 53 | 50540 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:37.165254116 CEST | 54366 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:37.227543116 CEST | 53 | 54366 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:38.087740898 CEST | 53034 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:38.149424076 CEST | 53 | 53034 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:38.993654013 CEST | 57762 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:39.045334101 CEST | 53 | 57762 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:39.896867037 CEST | 55435 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:39.949982882 CEST | 53 | 55435 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:45.859194040 CEST | 50713 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:45.920584917 CEST | 53 | 50713 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:06:49.160743952 CEST | 56132 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:06:49.221359015 CEST | 53 | 56132 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:07:04.404831886 CEST | 58987 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:07:04.480596066 CEST | 53 | 58987 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:07:23.419905901 CEST | 56579 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:07:23.479816914 CEST | 53 | 56579 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:07:27.494749069 CEST | 60633 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:07:27.557991028 CEST | 53 | 60633 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:07:59.252182007 CEST | 61292 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:07:59.326735020 CEST | 53 | 61292 | 8.8.8.8 | 192.168.2.3 |
Jun 11, 2021 00:08:00.767307997 CEST | 63619 | 53 | 192.168.2.3 | 8.8.8.8 |
Jun 11, 2021 00:08:00.829741001 CEST | 53 | 63619 | 8.8.8.8 | 192.168.2.3 |
DNS Queries |
---|
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class |
---|---|---|---|---|---|---|---|
Jun 11, 2021 00:06:27.358728886 CEST | 192.168.2.3 | 8.8.8.8 | 0x1d33 | Standard query (0) | A (IP address) | IN (0x0001) |
DNS Answers |
---|
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class |
---|---|---|---|---|---|---|---|---|---|
Jun 11, 2021 00:06:27.419373989 CEST | 8.8.8.8 | 192.168.2.3 | 0x1d33 | No error (0) | 198.244.146.96 | A (IP address) | IN (0x0001) |
HTTPS Packets |
---|
Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest |
---|---|---|---|---|---|---|---|---|---|---|
Jun 11, 2021 00:06:27.545403957 CEST | 198.244.146.96 | 443 | 192.168.2.3 | 49716 | CN=webhub365.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co. | Tue Jun 08 19:53:43 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021 | Mon Sep 06 19:53:43 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024 | 771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0 | 37f463bf4616ecd445d4a1937da06e19 |
CN=R3, O=Let's Encrypt, C=US | CN=ISRG Root X1, O=Internet Security Research Group, C=US | Fri Sep 04 02:00:00 CEST 2020 | Mon Sep 15 18:00:00 CEST 2025 | |||||||
CN=ISRG Root X1, O=Internet Security Research Group, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Jan 20 20:14:03 CET 2021 | Mon Sep 30 20:14:03 CEST 2024 |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
Click to jump to process
System Behavior |
---|
General |
---|
Start time: | 00:06:22 |
Start date: | 11/06/2021 |
Path: | C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xea0000 |
File size: | 27110184 bytes |
MD5 hash: | 5D6638F2C8F8571C593999C58866007E |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 00:06:27 |
Start date: | 11/06/2021 |
Path: | C:\Windows\SysWOW64\cmd.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xbd0000 |
File size: | 232960 bytes |
MD5 hash: | F3BDBE3BB6F734E357235F4D5898582D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 00:06:27 |
Start date: | 11/06/2021 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff6b2800000 |
File size: | 625664 bytes |
MD5 hash: | EA777DEEA782E8B4D7C7C33BBF8A4496 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 00:06:29 |
Start date: | 11/06/2021 |
Path: | C:\aZ8ThU0Y\ERdZMUem\nnAzot.exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xc00000 |
File size: | 44544 bytes |
MD5 hash: | CE639EB63B7C1C1EC94651B65CCEC383 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Antivirus matches: |
|
Reputation: | low |
Disassembly |
---|
Code Analysis |
---|