Windows Analysis Report policy#37820.xlsb

Overview

General Information

Sample Name: policy#37820.xlsb
Analysis ID: 442547
MD5: f60146ee4fab89ecde8bb1bdb23287b6
SHA1: 82bb4929a849deb1860e4c902745a0673c5911c8
SHA256: 6ab90a34f6fdfaf1486009f70318816cc61201248c0a5231030b9b3d3e010fe9
Infos:

Most interesting Screenshot:

Detection

RMSRemoteAdmin Hidden Macro 4.0
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Contains functionality to create processes via WMI
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found abnormal large hidden Excel 4.0 Macro sheet
Office process drops PE file
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Contains functionality for read data from the clipboard
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the current domain controller via net
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious WMI Execution
Stores large binary data to the registry
Tries to load missing DLLs
Yara detected RMS RemoteAdmin tool

Classification

AV Detection:

barindex
Antivirus or Machine Learning detection for unpacked file
Source: 5.1.appscomhost.10000000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: Javelin.exe, 00000008.00000002.300472994.0000000001208000.00000002.00020000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 212.2.198.90:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\ssleay32.pdb0U source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305461054.000000001203F000.00000002.00020000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\libeay32.pdb source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\ssleay32.pdb source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305461054.000000001203F000.00000002.00020000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\libeay32.pdb | source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_0040676F FindFirstFileW,FindClose, 5_2_0040676F
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 5_2_00405B23
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_00402902 FindFirstFileW, 5_2_00402902

Software Vulnerabilities:

barindex
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: usa[1].0.dr Jump to dropped file
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\wbem\WMIC.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: etisalatbuyback.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.3:49720 -> 212.2.198.90:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.3:49720 -> 212.2.198.90:443
Source: excel.exe Memory has grown: Private usage: 1MB later: 104MB

Networking:

barindex
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49737 -> 209.205.218.178:5655
Source: global traffic TCP traffic: 192.168.2.3:49749 -> 198.147.28.34:5655
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 209.205.218.178 209.205.218.178
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 192.119.14.178
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown TCP traffic detected without corresponding DNS query: 198.147.28.34
Source: unknown DNS traffic detected: queries for: etisalatbuyback.com
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0J
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.315153554.000000007DEF0000.00000004.00000001.sdmp String found in binary or memory: http://madExcept.comU
Source: appscomhost, 00000005.00000002.284875976.000000000040A000.00000004.00020000.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0H
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0I
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: Javelin.exe, 00000008.00000002.300472994.0000000001208000.00000002.00020000.sdmp, Javelin.exe, 00000008.00000002.302591567.0000000001463000.00000002.00020000.sdmp, Javelin.exe, 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp String found in binary or memory: http://rmansys.ru/internet-id/
Source: Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.315153554.000000007DEF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp String found in binary or memory: http://update.remoteutilities.net/upgrade.ini
Source: Javelin.exe, 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp String found in binary or memory: http://update.remoteutilities.net/upgrade_beta.ini
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Javelin.exe, 00000008.00000000.272062914.0000000000E01000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp String found in binary or memory: http://www.indyproject.org/
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305300851.0000000011149000.00000002.00020000.sdmp String found in binary or memory: http://www.openssl.org/V
Source: Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html
Source: Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp String found in binary or memory: http://www.openssl.org/support/faq.html....................rbwb.rndC:HOMERANDFILEPRNG
Source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown HTTPS traffic detected: 212.2.198.90:443 -> 192.168.2.3:49720 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Contains functionality for read data from the clipboard
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_004055B8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 5_2_004055B8

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing on the yellow bar if the document was downloaded from the Internet. 12 ,, , " 3. C
Source: Screenshot number: 4 Screenshot OCR: Enable content onthe yellow barto run plugin Core decryption. 14 15 16 1 i 17 P 18 19 20 2
Source: Screenshot number: 8 Screenshot OCR: Enable editing on the yellow bar if the document was downloaded from the Internet. , Click Enable
Source: Screenshot number: 8 Screenshot OCR: Enable content onthe yellow barto run plugin Core decryption. Results o o Certifies documents )
Contains functionality to create processes via WMI
Source: WMIC.exe, 00000001.00000002.259206296.0000000000800000.00000004.00000020.sdmp Binary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\wmic.exewmic process call create 'C:\Users\Public\Libraries/appscomhost'C:\Windows\System32\Wbem\wmic.exeWinSta0\Default=::=::\=C:=C:\Users\user\DocumentsALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\computerNUMBER_OF_PROCESSORS=4OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=x86PROCESSOR_ARCHITEW6432=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=NEBFQQYUSERDOMAIN_ROAMINGPROFILE=computerUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsU?
Found abnormal large hidden Excel 4.0 Macro sheet
Source: policy#37820.xlsb Initial sample: Sheet size: 230235
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\usa[1] Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\Public\Libraries\appscomhost Jump to dropped file
Contains functionality to shutdown / reboot the system
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 5_2_004034C5
Creates files inside the system directory
Source: C:\Users\Public\JavelinNew\Javelin.exe File created: C:\Windows\TEMP\Javelin.madExcept Jump to behavior
Deletes files inside the Windows folder
Source: C:\Users\Public\JavelinNew\Javelin.exe File deleted: C:\Windows\Temp\Javelin.madExcept Jump to behavior
Detected potential crypto function
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_00407458 5_2_00407458
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_00406C81 5_2_00406C81
PE file contains more sections than normal
Source: Javelin.exe.5.dr Static PE information: Number of sections : 11 > 10
PE file contains strange resources
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: Javelin.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Tries to load missing DLLs
Source: C:\Users\Public\JavelinNew\Javelin.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Section loaded: coremessaging.dll Jump to behavior
Source: classification engine Classification label: mal96.expl.evad.winXLSB@15/18@4/6
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 5_2_004034C5
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_00404858 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 5_2_00404858
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_004021A2 CoCreateInstance, 5_2_004021A2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$1bd8
Source: C:\Users\Public\JavelinNew\Javelin.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1bd8
Source: C:\Users\Public\JavelinNew\Javelin.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1ab0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_01
Source: C:\Users\Public\JavelinNew\Javelin.exe Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$1ab0
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{291ED4E2-78EE-480C-BE22-D3277A2D5535} - OProcSessId.dat Jump to behavior
Source: Yara match File source: 0000000B.00000003.315153554.000000007DEF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.320355698.000000007EED0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.309591822.000000007CF10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.517622759.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.288998400.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.294909755.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.268064699.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\Public\JavelinNew\Javelin.exe, type: DROPPED
Source: C:\Users\Public\Libraries\appscomhost Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create 'C:\Users\Public\Libraries/appscomhost'
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\Public\Libraries\appscomhost C:\Users\Public\Libraries/appscomhost
Source: C:\Users\Public\Libraries\appscomhost Process created: C:\Users\Public\JavelinNew\Javelin.exe 'C:\Users\Public\JavelinNew\Javelin.exe'
Source: C:\Users\Public\JavelinNew\Javelin.exe Process created: C:\Users\Public\JavelinNew\Javelin.exe C:\Users\Public\JavelinNew\Javelin.exe -run_agent -second
Source: C:\Users\Public\JavelinNew\Javelin.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net user /domain
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user /domain
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create 'C:\Users\Public\Libraries/appscomhost' Jump to behavior
Source: C:\Users\Public\Libraries\appscomhost Process created: C:\Users\Public\JavelinNew\Javelin.exe 'C:\Users\Public\JavelinNew\Javelin.exe' Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net user /domain Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user /domain Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Window found: window name: TComboBox Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: policy#37820.xlsb Initial sample: OLE zip file path = xl/media/image2.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\ssleay32.pdb0U source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305461054.000000001203F000.00000002.00020000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\libeay32.pdb source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\ssleay32.pdb source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.305461054.000000001203F000.00000002.00020000.sdmp
Source: Binary string: C:\OpenSSL\Temp\openssl-1.0.2l-x32\out32dll\libeay32.pdb | source: appscomhost, 00000005.00000003.259267495.0000000004B50000.00000004.00000001.sdmp, Javelin.exe, 00000008.00000002.304923395.00000000110E7000.00000002.00020000.sdmp

Data Obfuscation:

barindex
PE file contains an invalid checksum
Source: Javelin.exe.5.dr Static PE information: real checksum: 0xfe775f should be:
PE file contains sections with non-standard names
Source: Javelin.exe.5.dr Static PE information: section name: .didata

Persistence and Installation Behavior:

barindex
Creates processes via WMI
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\usa[1] Jump to dropped file
Source: C:\Users\Public\Libraries\appscomhost File created: C:\Users\user\AppData\Local\Temp\nso349F.tmp\nsis7z.dll Jump to dropped file
Source: C:\Users\Public\Libraries\appscomhost File created: C:\Users\user\AppData\Local\Temp\nso349F.tmp\registry.dll Jump to dropped file
Source: C:\Users\Public\Libraries\appscomhost File created: C:\Users\user\AppData\Local\Temp\nso349F.tmp\NSISList.dll Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\Public\Libraries\appscomhost Jump to dropped file
Source: C:\Users\Public\Libraries\appscomhost File created: C:\Users\Public\JavelinNew\Javelin.exe Jump to dropped file
Source: C:\Users\Public\Libraries\appscomhost File created: C:\Users\user\AppData\Local\Temp\nso349F.tmp\System.dll Jump to dropped file
Source: C:\Users\Public\Libraries\appscomhost File created: C:\Users\Public\JavelinNew\ssleay32.dll Jump to dropped file
Source: C:\Users\Public\Libraries\appscomhost File created: C:\Users\Public\JavelinNew\libeay32.dll Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\usa[1] Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\Public\Libraries\appscomhost Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\Public\Libraries\appscomhost Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Stores large binary data to the registry
Source: C:\Users\Public\Libraries\appscomhost Key value created or modified: HKEY_CURRENT_USER\Software\Postapocalyptic rundlet\Host\Parameters General Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\appscomhost Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\appscomhost Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\appscomhost Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\appscomhost Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\appscomhost Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\appscomhost Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\appscomhost Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\appscomhost Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Query firmware table information (likely to detect VMs)
Source: C:\Users\Public\JavelinNew\Javelin.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Javelin.exe, 00000008.00000000.272062914.0000000000E01000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\Public\JavelinNew\Javelin.exe Window / User API: threadDelayed 1403 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\Public\JavelinNew\Javelin.exe TID: 6608 Thread sleep time: -35000s >= -30000s Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe TID: 6520 Thread sleep time: -180000s >= -30000s Jump to behavior
Queries the current domain controller via net
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net user /domain
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net user /domain Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\JavelinNew\Javelin.exe Last function: Thread delayed
Source: C:\Users\Public\JavelinNew\Javelin.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_0040676F FindFirstFileW,FindClose, 5_2_0040676F
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_00405B23 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 5_2_00405B23
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_00402902 FindFirstFileW, 5_2_00402902
Source: C:\Users\Public\JavelinNew\Javelin.exe Thread delayed: delay time: 60000 Jump to behavior
Source: WMIC.exe, 00000001.00000002.258960030.0000000000700000.00000002.00000001.sdmp, Javelin.exe, 00000008.00000002.303131921.0000000001A70000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: Javelin.exe, 0000000B.00000003.331432284.00000000052E1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: WMIC.exe, 00000001.00000002.258960030.0000000000700000.00000002.00000001.sdmp, Javelin.exe, 00000008.00000002.303131921.0000000001A70000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: WMIC.exe, 00000001.00000002.258960030.0000000000700000.00000002.00000001.sdmp, Javelin.exe, 00000008.00000002.303131921.0000000001A70000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: WMIC.exe, 00000001.00000002.258960030.0000000000700000.00000002.00000001.sdmp, Javelin.exe, 00000008.00000002.303131921.0000000001A70000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\Public\Libraries\appscomhost API call chain: ExitProcess graph end node
Source: C:\Users\Public\JavelinNew\Javelin.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\Public\JavelinNew\Javelin.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process token adjusted: Debug Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\Public\Libraries\appscomhost Process created: C:\Users\Public\JavelinNew\Javelin.exe 'C:\Users\Public\JavelinNew\Javelin.exe' Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net user /domain Jump to behavior
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user /domain Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the installation date of Windows
Source: C:\Users\Public\JavelinNew\Javelin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Queries the product ID of Windows
Source: C:\Users\Public\JavelinNew\Javelin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\Public\JavelinNew\Javelin.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\JavelinNew\Javelin.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\Public\Libraries\appscomhost Code function: 5_2_004034C5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,ExitProcess,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 5_2_004034C5
Source: C:\Users\Public\JavelinNew\Javelin.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
AV process strings found (often used to terminate AV products)
Source: Javelin.exe, 00000008.00000000.272062914.0000000000E01000.00000020.00020000.sdmp, Javelin.exe, 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE

Remote Access Functionality:

barindex
Yara detected RMS RemoteAdmin tool
Source: Yara match File source: 00000008.00000002.300472994.0000000001208000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000000.273261388.0000000001208000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.311749860.000000007D910000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.319348250.000000007E8F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000000.293269223.0000000001208000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.324153787.000000007F8D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Javelin.exe PID: 6832, type: MEMORY
Source: Yara match File source: Process Memory Space: Javelin.exe PID: 7128, type: MEMORY
Source: Yara match File source: C:\Users\Public\JavelinNew\Javelin.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442547 Sample: policy#37820.xlsb Startdate: 30/06/2021 Architecture: WINDOWS Score: 96 62 Document exploit detected (drops PE files) 2->62 64 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->64 66 Contains functionality to create processes via WMI 2->66 68 6 other signatures 2->68 10 EXCEL.EXE 163 56 2->10         started        15 appscomhost 8 27 2->15         started        process3 dnsIp4 56 etisalatbuyback.com 212.2.198.90, 443, 49720 DORUKNETTR Turkey 10->56 36 C:\Users\user\AppData\Local\...\usa[1], PE32 10->36 dropped 38 C:\Users\Public\Libraries\appscomhost, PE32 10->38 dropped 40 C:\Users\user\Desktop\~$policy#37820.xlsb, data 10->40 dropped 72 Document exploit detected (UrlDownloadToFile) 10->72 17 WMIC.exe 1 10->17         started        42 C:\Users\Public\JavelinNew\Javelin.exe, PE32 15->42 dropped 44 C:\Users\user\AppData\Local\...\registry.dll, PE32 15->44 dropped 46 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 15->46 dropped 48 4 other files (none is malicious) 15->48 dropped 20 Javelin.exe 2 15->20         started        file5 signatures6 process7 signatures8 58 Creates processes via WMI 17->58 22 conhost.exe 17->22         started        60 Query firmware table information (likely to detect VMs) 20->60 24 Javelin.exe 4 4 20->24         started        process9 dnsIp10 50 192.119.14.178, 49739, 5655 24SHELLSUS United States 24->50 52 198.147.28.34, 49749, 49751, 49753 24SHELLSUS United States 24->52 54 3 other IPs or domains 24->54 70 Query firmware table information (likely to detect VMs) 24->70 28 cmd.exe 1 24->28         started        signatures11 process12 process13 30 net.exe 1 28->30         started        32 conhost.exe 28->32         started        process14 34 net1.exe 1 30->34         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.119.14.178
 unknown United States
55081 24SHELLSUS false
198.147.28.34
 unknown United States
55081 24SHELLSUS false
209.205.218.178
 id70.remoteutilities.com United States
55081 24SHELLSUS false
212.2.198.90
 etisalatbuyback.com Turkey
8685 DORUKNETTR false

Private
IP
192.168.2.1
127.0.0.1

Contacted Domains

Name IP Active
etisalatbuyback.com 212.2.198.90 true
id70.remoteutilities.com 209.205.218.178 true