
Windows Analysis Report Faturados_Externo_26_09.xls

Overview

General Information

Sample Name:Faturados_Externo_26_09.xls
Analysis ID:491709
MD5:bb5c37e33e7e1fb9bb7b13960aad6b27
SHA1:03066751e384c6b9c7df910cd01844f86cbaa43b
SHA256:002b87472b1991ce420fbaccf76e14620aaf567ee11e2081a559dcefab05fef5
Tags:geoPRTxls

Detection

Score:0
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

No high impact signatures.

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 196 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures; the full list of signature results follows.

  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E7ABB37.emf
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR96E1.tmp
  • Source: classification engine | Classification label: clean0.winXLS@1/3@0/0
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK (3 occurrences)
  • Source: Window Recorder | Window detected: More than 3 window changes detected
  • Source: Faturados_Externo_26_09.xls | Static file information: File size 6468096 > 1048576
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
  • Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (7 occurrences)

Mitre Att&ck Matrix

Techniques followed by a number in parentheses were matched that many times in this analysis; the remaining entries are the unmatched matrix template.

  • Initial Access: Valid Accounts; Default Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job
  • Persistence: Path Interception; Boot or Logon Initialization Scripts
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
  • Defense Evasion: Direct Volume Access; Rootkit
  • Credential Access: OS Credential Dumping; LSASS Memory
  • Discovery: File and Directory Discovery (1); System Information Discovery (1)
  • Lateral Movement: Remote Services; Remote Desktop Protocol
  • Collection: Data from Local System; Data from Removable Media
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
  • Command and Control: Ingress Tool Transfer (1); Junk Data
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
  • Impact: Modify System Partition; Device Lockout



Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

  • Faturados_Externo_26_09.xls: 0% detection (Virustotal)
  • Faturados_Externo_26_09.xls: 0% detection (ReversingLabs)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:491709
Start date:27.09.2021
Start time:20:41:27
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 9s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Faturados_Externo_26_09.xls
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name:Without Instrumentation
Number of analysed new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean0.winXLS@1/3@0/0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
  • Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B326BCC.emf
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):2804
Entropy (8bit):2.6224368355147445
Encrypted:false
SSDEEP:24:YAtE+Y0xEjrlbDK3XHqYdV7C2tEDEcq4nJssdCqzvYDy22PEnOds6gAMToFM166q:dmDKnZJdtJcqCJssdCqzvy7imTo
MD5:14FC01BED46EB78EB1F149A96B852DBF
SHA1:156279B5667F0ECFC5ECC1E73E6F5F6B0AB2FCBD
SHA-256:BC79B5AF0298E761109C737731B9832513C86254DC84CABFD6C2C93C813E3A42
SHA-512:97E0CE4DA26D7239A43F8590E4BBF86FD4C90DE60D8D4F8F9AD9176E4F0F21A5147D4A3B01CC06D9080F4682975C7179D67C9DE6EA1B8CB779918AAFBE4F8D9E
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8E7ABB37.emf
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
Category:dropped
Size (bytes):2708
Entropy (8bit):2.5786874272687887
Encrypted:false
SSDEEP:24:YWtEK0iSjIEbAFl1dLMHoaYxD6xZ0Hv539Dv28fEhzds6gh/DA:LLEcFlDoIam53Be8wIE
MD5:C44F1D185564C8F67F6AA4B5816D39C5
SHA1:0C2824967371BED57208D775A41F27FA5F67076E
SHA-256:0D97E2158715C2464899F235E76F91BAFBBF4ABEC8E4EA8B5854EC4D7AFE0E21
SHA-512:1C7D6A91B45468FE64484D06AA5653D3CBB401B9E4C8F7D9B2083912526FF01BB96E7FFBABD0F62EA135EE603364684AEC1548A691850332A6FADBC1E5C67CB9
Malicious:false
Reputation:low
C:\Users\user\AppData\Local\Temp\Excel8.0\MSForms.exd
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):241332
Entropy (8bit):4.206822766345727
Encrypted:false
SSDEEP:1536:cG8/EQNSk8SCtKBX0Gpb2vxKHnVMOkOX0mRO/NIAIQK7viKAJYsA0ppDCLTfMRsi:c1hNSk8DtKBrpb2vxrOpprf/nVq
MD5:22E82F594FA16E5876E83A61DA9CD587
SHA1:FD6B84DE59EB5991BA104016B63335024B335FE6
SHA-256:B784CF843C64B3B6D8552076C66F720C844B61BD981D3092F0EE591691DED757
SHA-512:64D0F470CF5C8A546FFC27979F6B756978E4A4DBDA451675C57C7F1DA3153C5E9D4823312F307660469741549D074D69F2B3CBC871F49AC2C27463494D0ED8AA
Malicious:false
Reputation:low

Static File Info

General

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: multibras eletrodomesticos, Last Saved By: HENRIQUE Tempesta, Name of Creating Application: Microsoft Excel, Create Time/Date: Wed Aug 27 14:16:27 2008, Last Saved Time/Date: Mon Sep 27 17:53:48 2021, Security: 1
Entropy (8bit):7.504037198033761
TrID:
  • Microsoft Excel sheet (30009/1) 78.94%
  • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:Faturados_Externo_26_09.xls
File size:6468096
MD5:bb5c37e33e7e1fb9bb7b13960aad6b27
SHA1:03066751e384c6b9c7df910cd01844f86cbaa43b
SHA256:002b87472b1991ce420fbaccf76e14620aaf567ee11e2081a559dcefab05fef5
SHA512:6c8b98b91e9ed390cd6b77ea3d0a077aefa6caf2465d6386574a0a7aa31a38163351b67c2eeb3962753c12eef510fb86a8880e30d63efaf158694e74286c5c59
SSDEEP:196608:uQfhzNeEyOb5U4TzBLqKU7zgqTvFV21Xq1kYTqE3ZpMf1m+K+76P5veG2cn:npReEzdUVKUQqTvFV/1kYuEZKfs+p7AH

File Icon

Icon Hash:e4eea286a4b4bcb4

Network Behavior

No network behavior found


System Behavior

General

Start time:20:45:04
Start date:27/09/2021
Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:0x13f880000
File size:28253536 bytes
MD5 hash:D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
