Source: Process started | Author: Florian Roth: Data: Command: "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test, CommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2644, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test, ProcessId: 2256 |
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test, CommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2644, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test, ProcessId: 2256 |
Source: sample2.xls.xls | Virustotal: Detection: 37% | Perma Link |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | DNS query: name: gupta-foods.xyz |
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 51.15.56.22:80 |
Source: global traffic | DNS query: name: gupta-foods.xyz |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | DNS query: gupta-foods.xyz |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | DNS traffic detected: gupta-foods.xyz |
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 51.15.56.22:80 |
Source: Joe Sandbox View | ASN Name: OnlineSASFR OnlineSASFR |
Source: regsvr32.exe, 00000005.00000002.577525725.0000000004A00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556615262.0000000004A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: regsvr32.exe, 00000005.00000002.577525725.0000000004A00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556615262.0000000004A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com |
Source: regsvr32.exe, 00000005.00000002.577525725.0000000004A00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556615262.0000000004A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/ |
Source: regsvr32.exe, 00000005.00000002.577764523.0000000004BE7000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556792501.0000000004C77000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp |
Source: regsvr32.exe, 00000005.00000002.577764523.0000000004BE7000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556792501.0000000004C77000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: regsvr32.exe, 00000005.00000002.576925311.0000000003AA0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556186811.0000000003B00000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573207626.0000000003A00000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: regsvr32.exe, 00000005.00000002.576341085.0000000001CC0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.555674088.0000000001CF0000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.572632835.0000000001CB0000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll |
Source: regsvr32.exe, 00000005.00000002.577764523.0000000004BE7000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556792501.0000000004C77000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: regsvr32.exe, 00000005.00000002.577764523.0000000004BE7000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556792501.0000000004C77000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: regsvr32.exe, 00000005.00000002.576925311.0000000003AA0000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556186811.0000000003B00000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573207626.0000000003A00000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA |
Source: regsvr32.exe, 00000005.00000002.577525725.0000000004A00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556615262.0000000004A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe |
Source: regsvr32.exe, 00000005.00000002.577764523.0000000004BE7000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556792501.0000000004C77000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: regsvr32.exe, 00000005.00000002.577525725.0000000004A00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556615262.0000000004A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv. |
Source: unknown | DNS traffic detected: queries for: gupta-foods.xyz |
Source: Screenshot number: 8 | Screenshot OCR: Enable Editing 18 19 20 (D PROTECTED VIEW Be careful - files from the Internet can contF viruses. |
Source: Screenshot number: 8 | Screenshot OCR: Enable Content 25 26 CD SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 30 |
Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing CD PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y |
Source: Document image extraction number: 0 | Screenshot OCR: Enable Content CD SECURITY WARNING Macros have been disabled. Enable Content cm If you are using |
Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing CD PROTECTE D VIEW Be careful - files from the Internet mn contain viruses. UrUe$$ y |
Source: Document image extraction number: 1 | Screenshot OCR: Enable Content (D SECURITY WARNING Macros have been disabled. Enable Content 0">Gj If you are usin |
Source: Screenshot number: 12 | Screenshot OCR: Enable Editing (D PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y |
Source: Screenshot number: 12 | Screenshot OCR: Enable Content CD SECURITY WARNING Macros have been disabled. Enable Content cm If you are using |
Source: sample2.xls.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f |
Source: C:\Users\user\Desktop\sample2.xls.xls, type: DROPPED | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f |
Source: sample2.xls.xls | Macro extractor: Sheet name: Beff2 |
Source: sample2.xls.xls | Macro extractor: Sheet name: Beff4 |
Source: sample2.xls.xls | Macro extractor: Sheet name: Beff7 |
Source: sample2.xls.xls | Macro extractor: Sheet name: Beff5 |
Source: sample2.xls.xls | Macro extractor: Sheet name: Beff1 |
Source: sample2.xls.xls | Macro extractor: Sheet name: Beff8 |
Source: sample2.xls.xls | Macro extractor: Sheet name: Beff3 |
Source: sample2.xls.xls | Macro extractor: Sheet name: Beff6 |
Source: sample2.xls.xls | OLE indicator, VBA macros: true |
Source: sample2.xls.xls.0.dr | OLE indicator, VBA macros: true |
Source: 7D1C.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false |
Source: sample2.xls.xls | Virustotal: Detection: 37% |
Source: C:\Windows\System32\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: sample2.xls.xls | OLE indicator, Workbook stream: true |
Source: sample2.xls.xls.0.dr | OLE indicator, Workbook stream: true |
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test.test |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test1.test |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\test2.test |
Source: regsvr32.exe, 00000005.00000002.577525725.0000000004A00000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.556615262.0000000004A90000.00000002.00020000.sdmp, regsvr32.exe, 00000007.00000002.573740679.0000000004800000.00000002.00020000.sdmp | Binary or memory string: .VBPud<_ |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRDD72.tmp | Jump to behavior |
Source: classification engine | Classification label: mal88.troj.expl.winXLS@7/4@3/1 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini | Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Automated click: OK |
Source: C:\Windows\System32\regsvr32.exe | Automated click: OK |
Source: C:\Windows\System32\regsvr32.exe | Automated click: OK |
Source: C:\Windows\System32\regsvr32.exe | Automated click: OK |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: sample2.xls.xls | Initial sample: OLE indicator appname = Microsoft Macintosh Excel |
Source: sample2.xls.xls | Initial sample: OLE summary creatingapplication = Microsoft Macintosh Excel |
Source: sample2.xls.xls.0.dr | Initial sample: OLE indicator appname = Microsoft Macintosh Excel |
Source: sample2.xls.xls.0.dr | Initial sample: OLE summary creatingapplication = Microsoft Macintosh Excel |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: 7D1C.tmp.0.dr | Initial sample: OLE indicators vbamacros = False |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\regsvr32.exe TID: 200 | Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\System32\regsvr32.exe TID: 2532 | Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\System32\regsvr32.exe TID: 2944 | Thread sleep time: -60000s >= -30000s |
Source: Yara match | File source: sample2.xls.xls, type: SAMPLE |
Source: Yara match | File source: C:\Users\user\Desktop\sample2.xls.xls, type: DROPPED |
Source: Yara match | File source: sample2.xls.xls, type: SAMPLE |
Source: Yara match | File source: C:\Users\user\Desktop\sample2.xls.xls, type: DROPPED |
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.