Loading ...

Play interactive tourEdit tour

Windows Analysis Report payment8642156.xlsb


General Information

Sample Name:payment8642156.xlsb
Analysis ID:528108

Most interesting Screenshot:


Hidden Macro 4.0 Dridex Downloader
Range:0 - 100


Yara detected Dridex Downloader
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Sample execution stops while process was sleeping (likely an evasion)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware


Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5028 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 6112 cmdline: wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf" MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 6252 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • mshta.exe (PID: 7096 cmdline: mshta C:\ProgramData\XgQXeAWeoOU.rtf MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

app.xmlJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Dropped Files

    C:\ProgramData\XgQXeAWeoOU.rtfJoeSecurity_DridexDownloaderYara detected Dridex DownloaderJoe Security

      Sigma Overview

      System Summary:

      Sigma detected: Microsoft Office Product Spawning Windows ShellShow sources
      Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf", CommandLine: wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf", CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5028, ProcessCommandLine: wmic process call create "mshta C:\ProgramData\XgQXeAWeoOU.rtf", ProcessId: 6112<