Loading ...

Play interactive tourEdit tour

Windows Analysis Report plan-515372324.xlsb

Overview

General Information

Sample Name:plan-515372324.xlsb
Analysis ID:442112
MD5:08e52afbefa423fb9f1ea0af88a4880e
SHA1:2d688dfee28f75553bc1d3633f891d2e70e0408b
SHA256:aaa32ff3e41c61fe828f0850e702f5ed7ffd6177c4bf80ed15324525537f44cd
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score:72
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6272 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • splwow64.exe (PID: 6156 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
    • regsvr32.exe (PID: 6464 cmdline: regsvr32 ..\palpy1.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • regsvr32.exe (PID: 6672 cmdline: regsvr32 ..\palpy2.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

barindex
Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: regsvr32 ..\palpy1.dll, CommandLine: regsvr32 ..\palpy1.dll, CommandLine|base64offset|contains: ,, Image: C:\Windows\SysWOW64\regsvr32.exe, NewProcessName: C:\Windows\SysWOW64\regsvr32.exe, OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 6272, ProcessCommandLine: regsvr32 ..\palpy1.dll, ProcessId: 6464

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: plan-515372324.xlsbVirustotal: Detection: 15%Perma Link
Source: plan-515372324.xlsbReversingLabs: Detection: 21%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknownHTTPS traffic detected: 103.28.39.29:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.244.121.13:443 -> 192.168.2.4:49741 version: TLS 1.2

Software Vulnerabilities:

barindex
Document exploit detected (UrlDownloadToFile)Show sources
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe
Source: global trafficDNS query: name: khangland.pro
Source: global trafficTCP traffic: 192.168.2.4:49739 -> 103.28.39.29:443
Source: global trafficTCP traffic: 192.168.2.4:49739 -> 103.28.39.29:443
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknownDNS traffic detected: queries for: khangland.pro
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://api.aadrm.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://api.addins.store.office.com/app/query
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://api.cortana.ai
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://api.diagnostics.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://api.diagnosticssdf.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://api.microsoftstream.com/api/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://api.office.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://api.onedrive.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://apis.live.net/v5.0/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://augloop.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://augloop.office.com/v2
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://autodiscover-s.outlook.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://cdn.entity.
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://clients.config.office.net/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://config.edge.skype.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://cortana.ai
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://cortana.ai/api
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://cr.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://dataservice.o365filtering.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://dataservice.o365filtering.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://dev.cortana.ai
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://devnull.onenote.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://directory.services.
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://enrichment.osi.office.net/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://entitlement.diagnostics.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://graph.ppe.windows.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://graph.ppe.windows.net/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://graph.windows.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://graph.windows.net/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://incidents.diagnostics.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://lifecycle.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://login.microsoftonline.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://login.windows.local
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://management.azure.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://management.azure.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://messaging.office.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://ncus.contentsync.
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://ncus.pagecontentsync.
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://officeapps.live.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://onedrive.live.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://onedrive.live.com/embed?
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://osi.office.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://outlook.office.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://outlook.office365.com/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://pages.store.office.com/review/query
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://powerlift.acompli.net
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://settings.outlook.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://shell.suite.office.com:1443
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://skyapi.live.net/Activity/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://staging.cortana.ai
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://store.office.com/addinstemplate
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://store.office.de/addinstemplate
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://tasks.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://templatelogging.office.com/client/log
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://webshell.suite.office.com
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://wus2.contentsync.
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 66988849-8D57-437E-97F2-4EBE1CC53C33.1.drString found in binary or memory: https://www.odwebp.svc.ms
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
Source: unknownHTTPS traffic detected: 103.28.39.29:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.244.121.13:443 -> 192.168.2.4:49741 version: TLS 1.2

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
Source: Screenshot number: 8Screenshot OCR: Enable Content WHY I CANNOT OPEN THIS DOCUMENT? W You are using iOS or Android, please use Desktop
Found abnormal large hidden Excel 4.0 Macro sheetShow sources
Source: plan-515372324.xlsbInitial sample: Sheet size: 9243
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
Source: classification engineClassification label: mal72.expl.evad.winXLSB@7/10@2/2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{CB9944C5-26E1-485A-9CD8-E6A080068253} - OProcSessId.datJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: plan-515372324.xlsbVirustotal: Detection: 15%
Source: plan-515372324.xlsbReversingLabs: Detection: 21%
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\palpy1.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\palpy2.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\palpy1.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\palpy2.dll
Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exeAutomated click: OK
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: plan-515372324.xlsbInitial sample: OLE zip file path = xl/media/image5.png
Source: plan-515372324.xlsbInitial sample: OLE zip file path = xl/media/image4.png
Source: plan-515372324.xlsbInitial sample: OLE zip file path = xl/media/image3.png
Source: plan-515372324.xlsbInitial sample: OLE zip file path = xl/media/image2.png
Source: plan-515372324.xlsbInitial sample: OLE zip file path = xl/media/image6.png
Source: plan-515372324.xlsbInitial sample: OLE zip file path = xl/media/image1.png
Source: plan-515372324.xlsbInitial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: plan-515372324.xlsbInitial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 ..\palpy1.dll
Source: C:\Windows\splwow64.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exeWindow / User API: threadDelayed 1107
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeLast function: Thread delayed
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000
Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000
Source: regsvr32.exe, 00000005.00000002.681496690.00000000047F0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: regsvr32.exe, 00000005.00000002.681496690.00000000047F0000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: regsvr32.exe, 00000005.00000002.681496690.00000000047F0000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: regsvr32.exe, 00000005.00000002.681496690.00000000047F0000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsScripting1DLL Side-Loading1Process Injection1Masquerading1OS Credential DumpingQuery Registry1Remote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel2Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsExploitation for Client Execution23Boot or Logon Initialization ScriptsDLL Side-Loading1Disable or Modify Tools1LSASS MemorySecurity Software Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Virtualization/Sandbox Evasion1Security Account ManagerVirtualization/Sandbox Evasion1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol2Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Process Injection1NTDSApplication Window Discovery1Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud
Cloud AccountsCronNetwork Logon ScriptNetwork Logon ScriptScripting1LSA SecretsFile and Directory Discovery1SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
Replication Through Removable MediaLaunchdRc.commonRc.commonRegsvr321Cached Domain CredentialsSystem Information Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
External Remote ServicesScheduled TaskStartup ItemsStartup ItemsDLL Side-Loading1DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet