Loading ...

Play interactive tourEdit tour

Windows Analysis Report subscription-673890410.xlsb

Overview

General Information

Sample Name:subscription-673890410.xlsb
Analysis ID:528007
MD5:47ee46b3521d1f85743ab56ac8c4f4b3
SHA1:a4b5e087009458f9a6a0e6f7b2e8ebbb261233f9
SHA256:444a0953b513aaad678d37e960dd7fe5841025e0bebf2e71eb350d4709a0f34f
Tags:xlsx
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Dridex Downloader
Multi AV Scanner detection for submitted file
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Queries the volume information (name, serial number etc) of a device
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Sample execution stops while process was sleeping (likely an evasion)
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 1584 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 3076 cmdline: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf" MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • mshta.exe (PID: 6488 cmdline: mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\xkNURUQaCiKQrGY.rtfJoeSecurity_DridexDownloaderYara detected Dridex DownloaderJoe Security

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 1584, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", ProcessId: 3076
      Sigma detected: Suspicious WMI ExecutionShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, juju4, oscd.community: Data: Command: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 1584, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", ProcessId: 3076

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: subscription-673890410.xlsbVirustotal: Detection: 8%Perma Link
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

      Software Vulnerabilities: