Windows Analysis Report plan-1637276620.xlsm

Overview

General Information

Sample Name: plan-1637276620.xlsm
Analysis ID: 438318
MD5: 4d44784f088b8dd2ac0a6cbf2b809eab
SHA1: 7d01c190b2e73c860a9aed904729c6466230bd26
SHA256: c63e0b01a696a077a5709b8aa4d4d600344fc1ddba624cbd67c6f37f271d97ac
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Excel documents contains an embedded macro which executes code when the document is opened
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL

Classification

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: unknown HTTPS traffic detected: 192.185.21.116:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.50.160.62:443 -> 192.168.2.22:49170 version: TLS 1.2

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: ieronymou.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.185.21.116:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 192.185.21.116:443

Networking:

barindex
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.50.160.62 103.50.160.62
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F9EDFDD2.png Jump to behavior
Source: regsvr32.exe, 00000003.00000002.2142309671.0000000004850000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2121252725.0000000004900000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: ieronymou.com
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: regsvr32.exe, 00000003.00000002.2142309671.0000000004850000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2121252725.0000000004900000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000003.00000002.2142309671.0000000004850000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2121252725.0000000004900000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000003.00000002.2143768975.0000000004A37000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2121527621.0000000004AE7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000003.00000002.2143768975.0000000004A37000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2121527621.0000000004AE7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000003.00000002.2140760788.00000000039B0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2117333468.0000000003A80000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2137234339.0000000001C40000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2116309396.0000000001D00000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000003.00000002.2143768975.0000000004A37000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2121527621.0000000004AE7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000003.00000002.2143768975.0000000004A37000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2121527621.0000000004AE7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000003.00000002.2140760788.00000000039B0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2117333468.0000000003A80000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000003.00000002.2142309671.0000000004850000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2121252725.0000000004900000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000003.00000002.2143768975.0000000004A37000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2121527621.0000000004AE7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000003.00000002.2142309671.0000000004850000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2121252725.0000000004900000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.2121252725.0000000004900000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown HTTPS traffic detected: 192.185.21.116:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.50.160.62:443 -> 192.168.2.22:49170 version: TLS 1.2

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 15 16 Protected View
Source: Screenshot number: 4 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start 19 the decryption of the docum
Source: Screenshot number: 8 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 15 16 Protected View
Source: Screenshot number: 8 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start 19 the decryption of the docu
Source: Document image extraction number: 0 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet. Protected View This fi
Source: Document image extraction number: 0 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Source: Document image extraction number: 1 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the Internet. 0 Protected View This
Source: Document image extraction number: 1 Screenshot OCR: Enable content" to perform Microsoft Office Decryption Core to start the decryption of the document
Found Excel 4.0 Macro with suspicious formulas
Source: plan-1637276620.xlsm Initial sample: CALL
Excel documents contains an embedded macro which executes code when the document is opened
Source: workbook.xml Binary string: 1" sheetId="16" state="hidden" r:id="rId1"/><sheet name="Sheet" sheetId="19" r:id="rId2"/><sheet name="Sheet1" sheetId="4" r:id="rId3"/><sheet name="Sheet2" sheetId="12" r:id="rId4"/><sheet name="Sheet4" sheetId="10" state="hidden" r:id="rId5"/><sheet name="Sheet5" sheetId="11" state="hidden" r:id="rId6"/><sheet name="Sheet6" sheetId="15" state="hidden" r:id="rId7"/><sheet name="Sheet7" sheetId="14" state="hidden" r:id="rId8"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">Sheet6!$AJ$9</definedName></definedNames><calcPr calcId="122211"/></workbook>
Source: regsvr32.exe, 00000003.00000002.2142309671.0000000004850000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2121252725.0000000004900000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal64.expl.evad.winXLSM@5/13@2/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$plan-1637276620.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC293.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\wail1.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\wail2.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\wail1.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\wail2.dll Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: plan-1637276620.xlsm Initial sample: OLE zip file path = xl/media/image1.png
Source: plan-1637276620.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Data Obfuscation:

barindex
Registers a DLL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\wail1.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\regsvr32.exe TID: 2628 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2588 Thread sleep time: -60000s >= -30000s Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 438318 Sample: plan-1637276620.xlsm Startdate: 22/06/2021 Architecture: WINDOWS Score: 64 21 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->21 23 Sigma detected: Microsoft Office Product Spawning Windows Shell 2->23 25 Found Excel 4.0 Macro with suspicious formulas 2->25 27 Document exploit detected (process start blacklist hit) 2->27 6 EXCEL.EXE 92 49 2->6         started        process3 dnsIp4 17 ieronymou.com 192.185.21.116, 443, 49167 UNIFIEDLAYER-AS-1US United States 6->17 19 iliknaturals.com 103.50.160.62, 443, 49170 PUBLIC-DOMAIN-REGISTRYUS India 6->19 15 C:\Users\user\...\~$plan-1637276620.xlsm, data 6->15 dropped 29 Document exploit detected (UrlDownloadToFile) 6->29 11 regsvr32.exe 6->11         started        13 regsvr32.exe 6->13         started        file5 signatures6 process7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.185.21.116
 ieronymou.com United States
46606 UNIFIEDLAYER-AS-1US false
103.50.160.62
 iliknaturals.com India
394695 PUBLIC-DOMAIN-REGISTRYUS false

Contacted Domains

Name IP Active
iliknaturals.com 103.50.160.62 true
ieronymou.com 192.185.21.116 true