Loading ...

Play interactive tourEdit tour

Windows Analysis Report SecuriteInfo.com.Trojan005690e01.15780.23189

Overview

General Information

Sample Name:SecuriteInfo.com.Trojan005690e01.15780.23189 (renamed file extension from 23189 to xls)
Analysis ID:498356
MD5:2b3872dc7cb6fdfe00f6639130b80691
SHA1:61de41881e270cc56a36c8b4b3e28e0f04f4856f
SHA256:0e7faf90a4ffc24f38e6fc171b9a5faa7b285fde26a77e8bcac1366ecc22a827
Tags:xlsx
Infos:

Most interesting Screenshot:

Errors
  • Corrupt sample or wrongly selected analyzer.

Detection

Hidden Macro 4.0
Score:20
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Yara detected password protected xls with embedded macros
Unable to load, office file is protected or invalid

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 152 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
SecuriteInfo.com.Trojan005690e01.15780.xlsJoeSecurity_PasswordProtectedXlsWithEmbeddedMacrosYara detected password protected xls with embedded macrosJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEWindow title found: password
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRC457.tmpJump to behavior
    Source: SecuriteInfo.com.Trojan005690e01.15780.xlsOLE indicator, Workbook stream: true
    Source: classification engineClassification label: sus20.expl.winXLS@1/0@0/0
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
    Source: SecuriteInfo.com.Trojan005690e01.15780.xlsInitial sample: OLE indicators encrypted = True
    Source: SecuriteInfo.com.Trojan005690e01.15780.xlsInitial sample: OLE indicators vbamacros = False
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: SecuriteInfo.com.Trojan005690e01.15780.xlsStream path 'Workbook' entropy: 7.99033318286 (max. 8.0)

    HIPS / PFW / Operating System Protection Evasion:

    barindex
    Yara detected password protected xls with embedded macrosShow sources
    Source: Yara matchFile source: SecuriteInfo.com.Trojan005690e01.15780.xls, type: SAMPLE

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionPath InterceptionObfuscated Files or Information1OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsRootkitLSASS MemorySystem Information Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.