Windows Analysis Report http://zindagidesire.org/quodoptio/omnissunt-6533473

Overview

General Information

 Sample URL: http://zindagidesire.org/quodoptio/omnissunt-6533473
 Analysis ID: 528479

Detection

Hidden Macro 4.0
 Score: 52
 Range: 0 - 100
 Whitelisted: false
 Confidence: 100%

Signatures

Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Yara detected hidden Macro 4.0 in Excel
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Detected potential crypto function
Creates a process in suspended mode (likely to inject code)

Malware Configuration

 Source: C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls
 Rule: SUSP_Excel4Macro_AutoOpen
 Description: Detects Excel4 macro use with auto open / close
 Author: John Lambert @JohnLaTwC
 • 0x0:$header_docf: D0 CF 11 E0
 • 0x3b2aa:$s1: Excel
 • 0x3c378:$s1: Excel
 • 0x3521:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

 Source: C:\Users\user\AppData\Local\Temp\yiopw1wm.acj\favor-331256589.xls
 Rule: JoeSecurity_HiddenMacro
 Description: Yara detected hidden Macro 4.0 in Excel
 Author: Joe Security

Sigma Overview

System Summary:

 Sigma detected: Microsoft Office Product Spawning Windows Shell
 Source: Process started
 Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
 Data:
 Command: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
 CommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
 CommandLine|base64offset|contains: 
 Image: C:\Windows\SysWOW64\regsvr32.exe
 NewProcessName: C:\Windows\SysWOW64\regsvr32.exe
 OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe
 ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /dde
 ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
 ParentProcessId: 2960
 ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
 ProcessId: 5048

Jbx Signature Overview

 Creates a directory in C:\Program Files
 Uses new MSVCR Dlls
 Source: C:\Windows\SysWOW64\unarchiver.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
 Uses secure TLS version for HTTPS connections
 Source: unknown HTTPS traffic detected: 108.179.253.213:443 -> 192.168.2.3:49803 version: TLS 1.2
 Source: unknown HTTPS traffic detected: 103.53.42.241:443 -> 192.168.2.3:49804 version: TLS 1.2
 Source: unknown HTTPS traffic detected: 142.4.29.152:443 -> 192.168.2.3:49805 version: TLS 1.2

Software Vulnerabilities:

 Document exploit detected (process start blacklist hit)
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe
 Found inlined nop instructions (likely shell or obfuscated code)
 Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 019309B7h
 Source: C:\Windows\SysWOW64\unarchiver.exe Code function: 4x nop then jmp 019309B6h
 Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
 Server: nginx
 Date: Thu, 25 Nov 2021 10:04:01 GMT
 Content-Type: text/html; charset=UTF-8
 Content-Length: 157
 x-powered-by: PHP/7.4.25
 set-cookie: PHPSESSID=459f13144c1235550078ac9c92f00c00; path=/
 expires: Thu, 19 Nov 1981 08:52:00 GMT
 cache-control: no-store, no-cache, must-revalidate
 pragma: no-cache
 content-encoding: gzip
 vary: Accept-Encoding
 x-turbo-charged-by: LiteSpeed
 Uses HTTPS
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49766
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49765
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49762
 Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 49766 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 49762 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 49765 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 49804 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 49803 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 49805 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49805
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49804
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49803
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
 Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
 Tries to download or post to a non-existing HTTP route (HTTP/1.1 404 Not Found / 503 Service Unavailable / 403 Forbidden)
 Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden
 Content-Type: text/html
 Cache-Control: no-cache, no-store, must-revalidate
 Pragma: no-cache
 Expires: 0
 Server: BitNinja Captcha Server
 Date: Thu, 25 Nov 2021 10:03:54 GMT
 Content-Length: 13768
 Connection: close
 Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
 Content-Type: text/html
 Cache-Control: no-cache, no-store, must-revalidate
 Pragma: no-cache
 Expires: 0
 Server: BitNinja Captcha Server
 Date: Thu, 25 Nov 2021 10:03:54 GMT
 Content-Length: 0
 Connection: close
 URLs found in memory or binary data