Analysis Report audit-1133808478.xlsb

Overview

General Information

Sample Name: audit-1133808478.xlsb
Analysis ID: 433122
MD5: dbab0aba5ca271442b08d027f3ed391f
SHA1: 0c163e79f6bffea037d225a221d0a701db03c2d0
SHA256: 8987dac6f44dda69ceb74d59c276d38227e285c78f74e2d835283d1baa308176

Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Schedule system process
Yara detected Qbot
Allocates memory in foreign processes
Contains functionality to detect virtual machines
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office process drops PE file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 4.2.explorer.exe.f50000.0.unpack Malware Configuration Extractor: Qbot {"Bot id": "tr", "Campaign": "1623225382", "Version": "402.68", "C2 list": ["190.85.91.154:443", "140.82.49.12:443", "105.198.236.101:443", "68.186.192.69:443", "24.95.61.62:443", "90.65.234.26:2222", "197.45.110.165:995", "96.61.23.88:995", "172.78.51.35:443", "184.185.103.157:443", "71.163.222.223:443", "27.223.92.142:995", "24.179.77.236:443", "97.69.160.4:2222", "188.26.91.212:443", "75.67.192.125:443", "24.152.219.253:995", "92.59.35.196:2222", "47.22.148.6:443", "216.201.162.158:443", "76.25.142.196:443", "81.97.154.100:443", "81.214.126.173:2222", "71.41.184.10:3389", "83.110.109.189:2222", "125.239.44.146:995", "144.139.47.206:443", "75.118.1.141:443", "175.136.38.142:443", "98.192.185.86:443", "67.165.206.193:993", "73.151.236.31:443", "173.21.10.71:2222", "45.46.53.140:2222", "71.74.12.34:443", "45.63.107.192:2222", "45.63.107.192:443", "45.32.211.207:443", "45.32.211.207:8443", "149.28.101.90:995", "207.246.116.237:8443", "207.246.116.237:995", "207.246.116.237:2222", "45.77.117.108:2222", "45.77.117.108:8443", "149.28.98.196:995", "149.28.101.90:443", "45.77.117.108:443", "45.32.211.207:995", "45.32.211.207:2222", "45.77.115.208:995", "149.28.98.196:2222", "207.246.77.75:995", "45.77.115.208:8443", "207.246.77.75:2222", "144.202.38.185:443", "207.246.116.237:443", "149.28.101.90:2222", "149.28.101.90:8443", "45.77.115.208:2222", "45.77.115.208:443", "45.77.117.108:995", "149.28.98.196:443", "144.202.38.185:995", "207.246.77.75:8443", "207.246.77.75:443", "144.202.38.185:2222", "98.252.118.134:443", "149.28.99.97:443", "149.28.99.97:995", "149.28.99.97:2222", "45.63.107.192:995", "189.210.115.207:443", "105.198.236.99:443", "72.252.201.69:443", "151.205.102.42:443", "86.220.62.251:2222", "75.137.47.174:443", "72.240.200.181:2222", "95.77.223.148:443", "24.55.112.61:443", "24.229.150.54:995", "109.12.111.14:443", "24.139.72.117:443", "136.232.34.70:443", "50.29.166.232:995", 
"92.96.3.180:2078", "71.187.170.235:443", "68.204.7.158:443", "108.27.245.228:443", "83.196.56.65:2222", "50.244.112.106:443", "96.37.113.36:993", "24.122.166.173:443", "73.25.124.140:2222", "86.173.143.211:443", "47.196.213.73:443", "186.154.175.13:443", "70.163.161.79:443", "78.63.226.32:443", "195.6.1.154:2222", "76.168.147.166:993", "64.121.114.87:443", "77.27.207.217:995", "31.4.242.233:995", "125.62.192.220:443", "195.12.154.8:443", "71.117.132.169:443", "96.21.251.127:2222", "71.199.192.62:443", "70.168.130.172:995", "82.12.157.95:995", "209.210.187.52:995", "209.210.187.52:443", "67.6.12.4:443", "189.222.59.177:443", "174.104.22.30:443", "142.117.191.18:2222", "189.146.183.105:443", "213.60.147.140:443", "196.221.207.137:995", "108.46.145.30:443", "187.250.238.164:995", "2.7.116.188:2222", "195.43.173.70:443", "106.250.150.98:443", "45.67.231.247:443", "83.110.103.152:443", "83.110.9.71:2222", "78.97.207.104:443", "59.90.246.200:443", "80.227.5.69:443", "125.63.101.62:443", "86.236.77.68:2222", "109.106.69.138:2222", "84.72.35.226:443", "217.133.54.140:
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pt[1].htm Joe Sandbox ML: detected
Source: C:\Users\user\covi1.dll Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 43.225.55.182:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.33.154:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F5AEE4 FindFirstFileW,FindNextFileW, 4_2_00F5AEE4

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\covi1.dll
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: pt[1].htm.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: shadiinfo.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.3:49720 -> 43.225.55.182:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.3:49720 -> 43.225.55.182:443

Networking:

JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS traffic detected: queries for: shadiinfo.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://api.cortana.ai
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://api.office.net
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://api.onedrive.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://augloop.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://cdn.entity.
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://cortana.ai
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://cortana.ai/api
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://cr.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://directory.services.
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://graph.windows.net
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://graph.windows.net/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://login.windows.local
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://management.azure.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://management.azure.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://messaging.office.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://ncus.contentsync.
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://officeapps.live.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://onedrive.live.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://outlook.office.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://pages.store.office.com/review/query
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://settings.outlook.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://tasks.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 2931D31E-E476-4A7B-8B64-97D46D540C47.0.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 43.225.55.182:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.33.154:443 -> 192.168.2.3:49723 version: TLS 1.2

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot Payload Author: kevoreilly
Source: 4.2.explorer.exe.f50000.0.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 4.2.explorer.exe.f50000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 3.2.regsvr32.exe.bd0000.2.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Source: 3.2.regsvr32.exe.bd0000.2.raw.unpack, type: UNPACKEDPE Matched rule: QakBot Payload Author: kevoreilly
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Content 14 15 16 17 .. . 18 WHY I CANNOT OPEN THIS DOCUMENT ? 19 20 21 W You are usin
Found Excel 4.0 Macro with suspicious formulas
Source: audit-1133808478.xlsb Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: audit-1133808478.xlsb Initial sample: Sheet size: 7504
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pt[1].htm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\covi1.dll
Creates files inside the system directory
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\DBG
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 3_2_00B34CC2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B32559 3_2_00B32559
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B33CA2 3_2_00B33CA2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B31DFC 3_2_00B31DFC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B358C5 3_2_00B358C5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B3572B 3_2_00B3572B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B35F18 3_2_00B35F18
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B3111C 3_2_00B3111C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B31000 3_2_00B31000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34706 3_2_00B34706
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34A05 3_2_00B34A05
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B31F7B 3_2_00B31F7B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B33E7B 3_2_00B33E7B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F69850 4_2_00F69850
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F6A41E 4_2_00F6A41E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F6B00E 4_2_00F6B00E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F6000A 4_2_00F6000A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F52008 4_2_00F52008
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F675E0 4_2_00F675E0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F529CA 4_2_00F529CA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F53988 4_2_00F53988
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F5D55B 4_2_00F5D55B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F66D40 4_2_00F66D40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F6FE8F 4_2_00F6FE8F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F6F66B 4_2_00F6F66B
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F53A2E 4_2_00F53A2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F5DE03 4_2_00F5DE03
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F68A00 4_2_00F68A00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F6D7E4 4_2_00F6D7E4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F5E355 4_2_00F5E355
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F6A718 4_2_00F6A718
One or more processes crash
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 652
PE file does not import any functions
Source: covi1.dll.4.dr Static PE information: No import functions for PE file found
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: C:\Windows\System32\regsvr32.exe Section loaded: sfc.dll
Yara signature match
Source: 00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, type: MEMORY Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 4.2.explorer.exe.f50000.0.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 4.2.explorer.exe.f50000.0.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 3.2.regsvr32.exe.bd0000.2.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: 3.2.regsvr32.exe.bd0000.2.raw.unpack, type: UNPACKEDPE Matched rule: QakBot author = kevoreilly, description = QakBot Payload, cape_type = QakBot Payload
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSB@20/20@2/2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F626A6 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 4_2_00F626A6
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{F4E1DB13-650B-4410-8E14-53724DEB3A20}
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess3056
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \BaseNamedObjects\Local\WERReportingForProcess3360
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{F4E1DB13-650B-4410-8E14-53724DEB3A20}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{B7C66CEC-1556-41DB-98E9-9A9D57BAA138}
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{C5F6F81E-1C14-4C4D-9C5D-E8BD652D8F75} - OProcSessId.dat
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\covi1.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\covi2.dll
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hoqmcni /tr 'regsvr32.exe -s \'C:\Users\user\covi1.dll\'' /SC ONCE /Z /ST 11:04 /ET 11:16
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\covi1.dll'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\covi1.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 652
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\covi1.dll'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\covi1.dll'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 652
Source: Window Recorder Window detected: More than 3 window changes detected
Source: audit-1133808478.xlsb Initial sample: OLE zip file path = xl/media/image2.png
Source: audit-1133808478.xlsb Initial sample: OLE zip file path = xl/media/image3.png
Source: audit-1133808478.xlsb Initial sample: OLE zip file path = xl/media/image4.png
Source: audit-1133808478.xlsb Initial sample: OLE zip file path = xl/media/image5.png
Source: audit-1133808478.xlsb Initial sample: OLE zip file path = xl/media/image6.png
Source: audit-1133808478.xlsb Initial sample: OLE zip file path = xl/media/image1.png
Source: audit-1133808478.xlsb Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F5F1CA LoadLibraryA,GetProcAddress, 4_2_00F5F1CA
PE file contains sections with non-standard names
Source: covi1.dll.4.dr Static PE information: section name: .code
Source: covi1.dll.4.dr Static PE information: section name: .rdataf
Registers a DLL
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s ..\covi1.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B348FB push 00000000h; mov dword ptr [esp], edx 3_2_00B3493B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], ecx 3_2_00B34CD1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], edi 3_2_00B34D26
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_00B34DA4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B34DEF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], edi 3_2_00B35027
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B350BE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], edi 3_2_00B350DE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B3517F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], eax 3_2_00B35240
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_00B353FF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B3546A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_00B355A7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B355B3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B3560C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B35779
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B357C7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], edi 3_2_00B35876
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_00B35976
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_00B359D8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], esi 3_2_00B35ADE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_00B35B7A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], eax 3_2_00B35BAE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B35BED
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B35C55
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B35C61
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B35CC9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-10h]; mov dword ptr [esp], eax 3_2_00B35D07
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B35D13
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push dword ptr [ebp-14h]; mov dword ptr [esp], eax 3_2_00B35D5A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B34CC2 push 00000000h; mov dword ptr [esp], edx 3_2_00B35D85

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pt[1].htm
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\covi1.dll
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\covi1.dll
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pt[1].htm

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\covi1.dll
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hoqmcni /tr 'regsvr32.exe -s \'C:\Users\user\covi1.dll\'' /SC ONCE /Z /ST 11:04 /ET 11:16

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5828 base: 123F380 value: E9 6F 53 D1 FF
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contain functionality to detect virtual machines
Source: C:\Windows\SysWOW64\explorer.exe Code function: p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq 4_2_00F570F4
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\splwow64.exe Window / User API: threadDelayed 1133
Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\pt[1].htm
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5076 Thread sleep count: 116 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5824 Thread sleep time: -108000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\splwow64.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F5AEE4 FindFirstFileW,FindNextFileW, 4_2_00F5AEE4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F5F695 GetCurrentProcessId,GetTickCount,GetModuleFileNameW,GetCurrentProcess,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 4_2_00F5F695
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000 Jump to behavior
Source: C:\Windows\splwow64.exe Thread delayed: delay time: 120000 Jump to behavior
Source: explorer.exe Binary or memory string: p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btq
Source: regsvr32.exe, 00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp, explorer.exe, 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp Binary or memory string: p177soabZX SViDASOrNukTb vNHxPcd0PSDP uorw 80gM975w8MD1P80TBGtWOs8klHs azVkSuexklqTydsf5 jUqUKhwg0sH1o.kO EMDGQ2s0n.K909ov xxzXm9zzwfd4AC3mqEMu,x 2V oMCM85eYMNyUO3EYXp4ZrVvsreK 7BIxcqHjH3dynGgHlnOS3Q1QgSZXZF7DMFjQ7zuuEOUzD.x. g0j4p7LFjkfSj7C2IFQR3fJlxC7WL 9btqpLK96CAU,68rqkHtQIaqOxVc JNdP SZO.DbGwp9VIS Kjh JoOr6ZcF,HE4AdiT,J uub0 KkOTfmDLpwJ51QbkiUhVZHqPQ hyniAMQXRZ5kT 7etjmEcp0nM1GGVVtzeS5ZW jui uS.v.WnxIfdxyvC jn6QJF.VtJh5QRInstHcu3Xy7UYYJjBPTGVtrAxqAkBlbR xwIrMVo7PBKO8 mwTp I1.Uw8d7l2DPxnV TS6k1pMNSl5Ifq8aMe xkorrTgQ.MPDyrtLYL0Xp5c173VPUppWpgi5tuZxZ3xJBeHg4E,XSHAN,asdFb 15w4Yjv3Sb8J v,LrFPUavTPjM20oTCfVCbhJYX5dBY0 FXY3WFSw6kkCIOPsBfdZqxAdh8Q1Q.ZEhMaj.QI4 XIJK2D feDA0sbowdMD0DTseXSbfLCL1qU,zh5s4qjz.rYEc7 UVwHrPGfCIQapdDCsOqDUFCmDZWW6S3ZxmAsODYIshg5znOqFBOOne8W96Xno TfSmEqbEyLne9csTniQN7m27rubkUsXgJZXZ1AZoifG7Qsr,P 19zSa6dOQ83Izi55Twq8Q9 VlgW1DNue6f69A85TPayKQ2632,fpvv2gwYyd9IJQKjxio0ZuntLQazpTw84wjg RabRLv5r.BghOeb, 32ArEm91SEO.oC,ZOQxckJ0jvBAuuk7YQ.UQdVLlrPidIpyinP9xdqqC6V93qpzwvtvt1tx0ry7mcChmGlVCXb4Mf.HT14JzrT,zKnUWUx pP s,8TgVDt.viommjbtyB8YJtfdS6SDLEJx6 2KfI0l7NDAuC9gN70g9h5QcBU7fTCKzEZGXS9CO9imQGo97fwISMozzSF6esABticErfTs 0T3QfV GXMTiFqLWuQRp17vZn a6 B7U4ymzbQO6ir7IUbc4eiaxvok6KQdpRQTxUX9rsEv9hkTH1ARTfrCjDK3 0N2dmotewb9lsPEjf3pIr3pFt9qt,sl49,iWeeidUxpaVtvuASL4IfgegYsdPQr2O0ffJ5vpnEFSkKnWNUklkr qoIb1 Cy,V1PcZV HHAwXoewfCwc7KuIACK.fOgcBU0.J0uSS5YQy02qhji3Zj BUANa7qGH WLoDxFL1E3hfesZwBN1Gv,cizaE.Uu F3LyBXmNwjhr54.mdGMx1pZiEAJLBAG.5uIHaXkNIkz2E0krJPDjXgWbM lYq2YOyn6vYr.DLce.mZwd6,itYSf393FDfpzN5hEz1EuPKzzMRgstQjukcovpDT 6wIi5nF.7dSXnZJ,MMyf5rWL0HgyWrPMzWZc.4J. ZdDHR7 DJFQLCL7o97cSsD3l19QwAvqOhK3vt6dUW1H3Nlk9dU3Cyf6aR.,FYTs C,itSeLOKy7xbL OFFD1aPybiKLXtTqLna L.9aqj3SF eVI 0OUjCaonTCBUIqksTWKagfc9Ga1PUE.8NkyiaYE80pLWrWPut 54 I26Lghi ymQ0.SGT vWXBjfNnAOLxbeXdiaW dH KGHt22vh6LF0kbZu6Qh7V322o7o7MSRq.NvC7AyoRKP5RLJb,IYAXZGSKpTz1SbMUtwU4NZbx6nJMp1pSbc
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F5F1CA LoadLibraryA,GetProcAddress, 4_2_00F5F1CA
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B33CA2 xor edi, dword ptr fs:[00000030h] 3_2_00B33CA2
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F54589 RtlAddVectoredExceptionHandler, 4_2_00F54589

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: F90000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5828 base: F90000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5828 base: 123F380 value: E9
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: F90000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 123F380
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Yara detected Xls With Macro 4.0
Source: Yara match File source: app.xml, type: SAMPLE
Source: explorer.exe, 00000004.00000002.515674748.0000000003EE0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000004.00000002.515674748.0000000003EE0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.515674748.0000000003EE0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.515674748.0000000003EE0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
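The Anti Debugging and HIPS evasion signatures above describe one chain: regsvr32.exe checks for a debugger (DebugPort query, PEB read through fs:[30h]), resolves APIs at run time, starts a second explorer.exe, allocates a read/write region at F90000 in it, writes a stub there whose first byte is 9C (PUSHFD), and writes E9 (JMP rel32) at 123F380, an address it did not allocate, which is the "overwrites code with unconditional jumps" hook. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses event lines in the format used on this page (with the page's "Jump to behavior" link text removed) and reconstructs that chain. The sample lines are copied from the report; the opcode table, the join of PID-keyed and path-keyed writes on base address, and the rule that a branch written outside a region the injector itself allocated is an inline hook are my assumptions, not statements the sandbox makes.

```python
import re
from collections import defaultdict

# Constructed sample input: the event lines from the report above with the web
# page's "Jump to behavior" link text removed. The regexes are written for this
# report's line format only; other sandboxes phrase these events differently.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Process queried: DebugPort",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_00B33CA2 xor edi, dword ptr fs:[00000030h] 3_2_00B33CA2",
    r"Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F5F1CA LoadLibraryA,GetProcAddress, 4_2_00F5F1CA",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: F90000 protect: page read and write",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5828 base: F90000 value: 9C",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 5828 base: 123F380 value: E9",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: F90000",
    r"Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 123F380",
]

EVENT_RE = re.compile(
    r"^Source: (?P<src>\S+) "
    r"(?P<kind>Process queried|Process created|Memory allocated|Memory written|Code function): "
    r"(?P<rest>.*)$"
)
ALLOC_RE = re.compile(r"^(?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)$")
WRITE_PID_RE = re.compile(r"^PID: (?P<pid>\d+) base: (?P<base>[0-9A-Fa-f]+) value: (?P<byte>[0-9A-Fa-f]{2})$")
WRITE_PATH_RE = re.compile(r"^(?P<target>\S+) base: (?P<base>[0-9A-Fa-f]+)$")

# Assumption: the reported "value" is the first byte written, read as an x86
# opcode (the target is a SysWOW64, i.e. 32-bit, process). E9/EB are JMPs, so a
# write starting with one of them onto existing code is an inline hook; 9C is
# PUSHFD, a common first instruction of a loader stub that saves flags first.
X86_FIRST_BYTE = {"E9": "jmp rel32", "EB": "jmp rel8", "E8": "call rel32", "9C": "pushfd", "CC": "int3"}
BRANCH_BYTES = {"E9", "EB"}


def parse_line(line):
    """Return (source, kind, rest) for a recognised event line, else None."""
    m = EVENT_RE.match(line.strip())
    return (m.group("src"), m.group("kind"), m.group("rest")) if m else None


def analyze(lines):
    """Reconstruct anti-debug indicators and the cross-process write pattern."""
    anti_debug = set()
    created = set()             # (src, target) pairs from "Process created"
    allocs = defaultdict(set)   # src -> bases it allocated inside a foreign process
    path_writes = {}            # (src, base) -> target path
    byte_writes = {}            # (src, base) -> (pid, first byte written)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, kind, rest = ev
        if kind == "Process queried" and rest == "DebugPort":
            anti_debug.add("ProcessDebugPort query")
        elif kind == "Code function":
            if "fs:[00000030h]" in rest:
                anti_debug.add("PEB read via fs:[30h]")
            if "LoadLibraryA" in rest and "GetProcAddress" in rest:
                anti_debug.add("runtime API resolution (LoadLibraryA/GetProcAddress)")
        elif kind == "Process created":
            created.add((src, rest.split()[0]))
        elif kind == "Memory allocated" and (m := ALLOC_RE.match(rest)):
            allocs[src].add(int(m.group("base"), 16))
        elif kind == "Memory written" and (m := WRITE_PID_RE.match(rest)):
            byte_writes[(src, int(m.group("base"), 16))] = (int(m.group("pid")), m.group("byte").upper())
        elif kind == "Memory written" and (m := WRITE_PATH_RE.match(rest)):
            path_writes[(src, int(m.group("base"), 16))] = m.group("target")

    # The PID-keyed and path-keyed lines describe the same writes; join on (src, base).
    writes, hooks = [], []
    for key, (pid, byte) in sorted(byte_writes.items()):
        src, base = key
        target = path_writes.get(key, f"PID {pid}")
        mnemonic = X86_FIRST_BYTE.get(byte, f"opcode {byte}")
        in_fresh_region = base in allocs[src]
        writes.append((src, target, base, mnemonic, in_fresh_region))
        # A branch written outside any region the source allocated patches
        # existing code in the target rather than starting a copied payload.
        if byte in BRANCH_BYTES and not in_fresh_region:
            hooks.append((src, target, base, mnemonic))
    injections = sorted({(src, tgt) for (src, _), tgt in path_writes.items()} & created)
    return {"anti_debug": sorted(anti_debug), "injections": injections, "writes": writes, "hooks": hooks}


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LINES).items():
        print(name, value)
```

On this report the output pairs regsvr32.exe with the explorer.exe it created, lists the F90000 write as a PUSHFD-led stub inside the freshly allocated region, and flags the E9 at 123F380 as the only inline hook. Without a region size in the sandbox output the "outside an allocated region" test compares base addresses only, so a hook placed inside an allocated block would not be flagged.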

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F5CEF9 GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 4_2_00F5CEF9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F62E37 LookupAccountNameW,LookupAccountNameW,LookupAccountNameW,Sleep, 4_2_00F62E37
Source: C:\Windows\SysWOW64\explorer.exe Code function: 4_2_00F5F33E GetCurrentProcess,GetModuleFileNameW,memset,GetVersionExA,GetCurrentProcessId, 4_2_00F5F33E

Stealing of Sensitive Information:

Yara detected Qbot
Source: Yara match File source: 00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.explorer.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.explorer.exe.f50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.bd0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.bd0000.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Qbot
Source: Yara match File source: 00000003.00000002.253198241.0000000000BD0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.514032061.0000000000F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 4.2.explorer.exe.f50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.explorer.exe.f50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.bd0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.regsvr32.exe.bd0000.2.raw.unpack, type: UNPACKEDPE