Windows Analysis Report diagram-1878769052.xls

Overview

General Information

Sample Name:	diagram-1878769052.xls
Analysis ID:	441941
MD5:	5dc0dbb9a817db4a5f589f670c6b9241
SHA1:	6e51ed7744080f5583beb20fd7052e2fcbf7cd3a
SHA256:	22c8c25451ead7742914a869f775af6e8751907a83b46077b8439d03a9105c81
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Found abnormal large hidden Excel 4.0 Macro sheet

Outdated Microsoft Office dropper detected

Sigma detected: Microsoft Office Product Spawning Windows Shell

Yara detected hidden Macro 4.0 in Excel

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Yara detected Xls With Macro 4.0

Classification

Signatures

AV Detection:

Multi AV Scanner detection for domain / URL

Source: founderscirclecapital.eu

Virustotal: Detection: 5%

Perma Link

Multi AV Scanner detection for submitted file

Source: diagram-1878769052.xls	Virustotal: Detection: 24%			Perma Link
Source: diagram-1878769052.xls	ReversingLabs: Detection: 38%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 192.185.195.245:443 -> 192.168.2.22:49167 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: hallakjewelry.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.185.195.245:443

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 192.185.195.245:443

Networking:

Outdated Microsoft Office dropper detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

DNS query: founderscirclecapital.eu is down

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 192.185.195.245 192.185.195.245

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: rundll32.exe, 00000003.00000002.2105634689.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098887414.0000000001B30000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: hallakjewelry.com

Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.0.dr	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2105634689.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098887414.0000000001B30000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2105634689.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098887414.0000000001B30000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2105820251.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099124797.0000000001D17000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2105820251.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099124797.0000000001D17000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2105820251.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099124797.0000000001D17000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2105820251.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099124797.0000000001D17000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2105634689.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098887414.0000000001B30000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2105820251.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2099124797.0000000001D17000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2105634689.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098887414.0000000001B30000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2098887414.0000000001B30000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: unknown

HTTPS traffic detected: 192.185.195.245:443 -> 192.168.2.22:49167 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, pleasc ' RunDL
Source: Screenshot number: 8	Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 2 Once You have Enable Editing, please click
Source: Screenshot number: 8	Screenshot OCR: Enable Content 14 , from the yellow bar above 15 D e 16 17 I 18 I WHY I CANNOT OPEN THIS DOCUME
Source: Document image extraction number: 2	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 2	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? You are using iOS or An
Source: Document image extraction number: 12	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Conte
Source: Document image extraction number: 12	Screenshot OCR: Enable Content from the yellow bar above WHY I CANNOT OPEN THIS DOCUMENT? w You are using IDS or

Found Excel 4.0 Macro with suspicious formulas

Source: diagram-1878769052.xls	Initial sample: EXEC
Source: diagram-1878769052.xls	Initial sample: CALL

Found abnormal large hidden Excel 4.0 Macro sheet

Source: diagram-1878769052.xls

Initial sample: Sheet size: 8119

Source: rundll32.exe, 00000003.00000002.2105634689.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2098887414.0000000001B30000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal92.troj.expl.evad.winXLS@5/11@2/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\13DE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCA7F.tmp

Jump to behavior

Source: diagram-1878769052.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\durio.fur,DllRegisterServer

Source: diagram-1878769052.xls	Virustotal: Detection: 24%
Source: diagram-1878769052.xls	ReversingLabs: Detection: 38%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\durio.fur,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\durio.fur1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\durio.fur,DllRegisterServer	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\durio.fur1,DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: diagram-1878769052.xls

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Source: Yara match

File source: diagram-1878769052.xls, type: SAMPLE

Yara detected Xls With Macro 4.0

Source: Yara match

File source: diagram-1878769052.xls, type: SAMPLE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
192.185.195.245	hallakjewelry.com	United States		46606	UNIFIEDLAYER-AS-1US	false

Contacted Domains

Name	IP	Active
hallakjewelry.com	192.185.195.245	true
founderscirclecapital.eu	unknown	unknown

ID:	441941
Product:	CloudBasic
Start time:	18:20:39
Start date:	29.06.2021
Sample:	diagram-1878769052.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	5dc0dbb9a817db4a5f589f670c6b9241
SHA1:	6e51ed7744080f5583beb20fd7052e2fcbf7cd3a
SHA256:	22c8c25451ead7742914a869f775af6e8751907a83b46077b8439d03a9105c81
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	Microsoft Cabinet archive data, 61020 bytes, 1 file	2902DE11E30DCC620B184E3BB0F0C1CB	5D11D14A2558801A2688DC2D6DFAD39AC294F222	E6A7F1F8810E46A736E80EE5AC6187690F28F4D5D35D130D410E20084B2C1544
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	D4AE187B4574036C2D76B6DF8A8C1A30	B06F409FA14BAB33CBAF4A37811B8740B624D9E5	A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	data	69C681F66114FC037C20F40E1DA2AE65	134E31DC3ECC9D97CB9FAA9EC2CD7835CAB1CF47	F6BFF33D6D0A1F1F2D99FC16A3514CB096CCC0E829A93A7ABC9220AB49F8091D
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A	data	417DFE5C5E14316E737D89D6D8666325	7FED29CB8F82477DCE62D34C7C31BD31A8A07950	0180226412DB62BE910C520D175F6BDF9ABC3ECA80A239FD174894142F22B1D2
C:\Users\user\AppData\Local\Temp\52DE0000	data	877BED76E1DD7795EE437DED290B0C5A	108A9AA94387BA2E55E82B9C88024E6F29E87247	8AF988E732A6824339BDFA138FC97F3568335A084799CF42B00CE510743E620B
C:\Users\user\AppData\Local\Temp\CabDC0E.tmp	Microsoft Cabinet archive data, 61020 bytes, 1 file	2902DE11E30DCC620B184E3BB0F0C1CB	5D11D14A2558801A2688DC2D6DFAD39AC294F222	E6A7F1F8810E46A736E80EE5AC6187690F28F4D5D35D130D410E20084B2C1544
C:\Users\user\AppData\Local\Temp\TarDC0F.tmp	data	E4731F8A3E7352DBA44EC7D3DD15BAEA	D5CA0025FBD356DEB8EDE35001F93039625562A5	6C78EF77ACEF978321CCD30EE126FB7D30285BC186DDBDBE8B3E8F6E69D01353
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Mon May 31 00:21:39 2021, atime=Mon May 31 00:21:39 2021, length=8192, window=hide	3483AE2443079359B9A347929F82F315	8123E694DCD2073161DF65B46D620FA562E2E01D	004A15D50054E6F0F0AD763A1CB79D076F0D67F120CE59815BB2870962DE80ED
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\diagram-1878769052.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Mon May 31 00:21:39 2021, atime=Mon May 31 00:21:39 2021, length=171520, window=hide	BE3609777A62E3D0131E311396DB71A9	2B8BB8F399B92497F2F790B52928DD0A2F238A3B	E9B509570D0CA783F2B56355D3264752989FB88F76CFC32A37A0C25D644A1BEF
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	027E2AFCDD06DD3DF9CC94970FC294A4	C1F15C35ADF3EA115CA99740EEF8927F35C05154	94AC427E287B5A0C4A4017D90BAB2D66485AC0A211640CA0CDD0687CB087CC93
C:\Users\user\Desktop\13DE0000	Applesoft BASIC program data, first line number 16	6FE7FC3E4F839E9418548463AA359185	95BD665198FF41FC4D708635916644E41715975E	84AC527EAB0B0AB66AF622222F960AF59ACC382601053EC1D771C37C784BC8F1

Windows Analysis Report diagram-1878769052.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains