Windows Analysis Report FILE_915494026923219.xlsm

Overview

General Information

Sample Name: FILE_915494026923219.xlsm
Analysis ID: 532440
MD5: 9eb8e0e5691ff59e86077c878feabc88
SHA1: 5c1c11b3c2abbf960616710cb780ca3489d64809
SHA256: 91c6ece37265eecefed9274abfacb57b4146166628f04f0674d3f14fc6bb4b09
Tags: xlsm

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Document exploit detected (creates forbidden files)
Multi AV Scanner detection for domain / URL
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Drops PE files to the user directory
Excel documents contains an embedded macro which executes code when the document is opened
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 6.2.rundll32.exe.480de0.1.raw.unpack Malware Configuration Extractor: Emotet {"C2 list": ["46.55.222.11:443", "104.245.52.73:8080", "41.76.108.46:8080", "103.8.26.103:8080", "185.184.25.237:8080", "103.8.26.102:8080", "203.114.109.124:443", "45.118.115.99:8080", "178.79.147.66:8080", "58.227.42.236:80", "45.118.135.203:7080", "103.75.201.2:443", "195.154.133.20:443", "45.142.114.231:8080", "212.237.5.209:443", "207.38.84.195:8080", "104.251.214.46:8080", "212.237.17.99:8080", "212.237.56.116:7080", "216.158.226.206:443", "110.232.117.186:8080", "158.69.222.101:443", "107.182.225.142:8080", "176.104.106.96:8080", "81.0.236.90:443", "50.116.54.215:443", "138.185.72.26:8080", "51.68.175.8:8080", "210.57.217.132:8080"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Multi AV Scanner detection for submitted file
Source: FILE_915494026923219.xlsm ReversingLabs: Detection: 22%
Multi AV Scanner detection for domain / URL
Source: escapelle.uz Virustotal: Detection: 5%
Source: www.escapelle.uz Virustotal: Detection: 6%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 62.209.128.105:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E43BA20 FindFirstFileExW, 3_2_6E43BA20

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: gb[1].dll.0.dr
Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gb[1].dll
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.escapelle.uz
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 62.209.128.105:443
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 62.209.128.105:443

Networking:

C2 URLs / IPs found in malware configuration
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: OnlineSASFR
Source: Joe Sandbox View ASN Name: ARUBA-ASNIT
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 195.154.133.20
Source: Joe Sandbox View IP Address: 212.237.17.99
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /wp-includes/n1vS/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.escapelle.uzConnection: Keep-Alive
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 19
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3326FDF8.png
Source: unknown DNS traffic detected: queries for: www.escapelle.uz

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.480de0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.430ce0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.480de0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.430ce0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.588333443.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.588398345.000000000041D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.740442546.000000000046D000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing. please click "Enable Content
Source: Screenshot number: 4 Screenshot OCR: protected documents. 3 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled edi
Source: Screenshot number: 4 Screenshot OCR: Enable Content" button 6 7 8 9 :: 12 13 14 15 16 17 18 q ^ Ly 20 21 22 23 24 2
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content"
Source: Document image extraction number: 0 Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" button
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content"
Source: Document image extraction number: 1 Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" button
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\besta.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gb[1].dll
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E424F90 appears 52 times
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E411230 ntlbxpnmpq, 3_2_6E411230
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: B960.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Found a hidden Excel 4.0 Macro sheet
Source: FILE_915494026923219.xlsm Macro extractor: Sheet name: Buk2
Source: FILE_915494026923219.xlsm Macro extractor: Sheet name: Buk5
Source: FILE_915494026923219.xlsm Macro extractor: Sheet name: Buk1
Source: FILE_915494026923219.xlsm Macro extractor: Sheet name: Buk7
Source: FILE_915494026923219.xlsm Macro extractor: Sheet name: EF1E4WF
Source: FILE_915494026923219.xlsm Macro extractor: Sheet name: Buk3
Source: FILE_915494026923219.xlsm Macro extractor: Sheet name: Buk4
Source: FILE_915494026923219.xlsm Macro extractor: Sheet name: Buk6
Excel documents contains an embedded macro which executes code when the document is opened
Source: workbook.xml Binary string: \Desktop\Fil\30n\Cir\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{28F2A89B-0495-4B3B-BAD4-1D9C1E28F846}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Ss1" sheetId="2" state="hidden" r:id="rId2"/><sheet name="Ss1br2" sheetId="3" state="hidden" r:id="rId3"/><sheet name="Ssbr3" sheetId="4" state="hidden" r:id="rId4"/><sheet name="EF1E4WF" sheetId="5" state="hidden" r:id="rId5"/><sheet name="Buk1" sheetId="6" state="hidden" r:id="rId6"/><sheet name="Buk2" sheetId="7" state="hidden" r:id="rId7"/><sheet name="Buk3" sheetId="8" state="hidden" r:id="rId8"/><sheet name="Buk4" sheetId="9" state="hidden" r:id="rId9"/><sheet name="Buk5" sheetId="10" state="hidden" r:id="rId10"/><sheet name="Buk6" sheetId="11" state="hidden" r:id="rId11"/><sheet name="Buk7" sheetId="12" state="hidden" r:id="rId12"/></sheets><definedNames><definedName name="LKLW">EF1E4WF!$D$3</definedName><definedName name="SASA">EF1E4WF!$D$17</definedName><definedName name="SASA1">EF1E4WF!$D$19</definedName><definedName name="SASA2">EF1E4WF!$D$21</definedName><definedName name="_xlnm.Auto_Open">EF1E4WF!$D$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook>
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write Jump to behavior
Source: FILE_915494026923219.xlsm ReversingLabs: Detection: 22%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.4022966435
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.4022966435 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$FILE_915494026923219.xlsm Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD49C.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSM@5/6@1/30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E41AF10 CoCreateInstance,OleRun, 3_2_6E41AF10
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.4022966435
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E415980 GetTickCount64,FindResourceA, 3_2_6E415980
Source: EXCEL.EXE, 00000000.00000002.745031381.0000000005060000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.588445230.0000000001E60000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.740536430.0000000001E60000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: Window Recorder Window detected: More than 3 window changes detected
Source: FILE_915494026923219.xlsm Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: FILE_915494026923219.xlsm Initial sample: OLE zip file path = xl/media/image1.png
Source: FILE_915494026923219.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: FILE_915494026923219.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: FILE_915494026923219.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: FILE_915494026923219.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: FILE_915494026923219.xlsm Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: B960.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_002F150F push ds; ret 3_2_002F1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_002F151C push ds; ret 3_2_002F1527
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E424FE0 push ecx; ret 3_2_6E424FF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4473E1 push ecx; ret 3_2_6E4473F4
PE file contains an invalid checksum
Source: besta.ocx.0.dr Static PE information: real checksum: 0x75999 should be: 0x74343
Source: gb[1].dll.0.dr Static PE information: real checksum: 0x75999 should be: 0x74343

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\besta.ocx Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gb[1].dll Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\besta.ocx Jump to dropped file

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\besta.ocx Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E416134 second address: 000000006E416168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD5A8FC0564h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E4179F7 second address: 000000006E417A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD5A8FADBAEh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E417A0A second address: 000000006E4179F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FD5A8FCCC87h 0x00000014 cmp ecx, dword ptr [6E45D008h] 0x0000001a jne 00007FD5A8FC0543h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FD5A8FC054Fh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FD5A8FC06A2h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FD5A8FC070Eh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FD5A8FC039Eh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FD5A8FC1AA3h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6E45D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E416134 second address: 000000006E416168 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007FD5A8FADBC4h 0x0000000a mov edi, 00D66F8Ch 0x0000000f mov dword ptr [ebp-14h], edi 0x00000012 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E4179F7 second address: 000000006E417A0A instructions: 0x00000000 rdtscp 0x00000003 test edx, edx 0x00000005 jnbe 00007FD5A8FC054Eh 0x00000007 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E417A0A second address: 000000006E4179F7 instructions: 0x00000000 rdtscp 0x00000003 mov ecx, dword ptr [esp+0Ch] 0x00000007 ror esi, 0Dh 0x0000000a mov eax, esi 0x0000000c pop esi 0x0000000d xor ecx, esp 0x0000000f call 00007FD5A8FBA2E7h 0x00000014 cmp ecx, dword ptr [6E45D008h] 0x0000001a jne 00007FD5A8FADBA3h 0x0000001c ret 0x0000001d mov esp, ebp 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov cl, byte ptr [esi] 0x00000023 mov edi, eax 0x00000025 cmp cl, 00000061h 0x00000028 jc 00007FD5A8FADBAFh 0x0000002a movzx eax, cl 0x0000002d add edi, FFFFFFE0h 0x00000030 add edi, eax 0x00000032 jmp 00007FD5A8FADD02h 0x00000037 mov eax, dword ptr [ebp-14h] 0x0000003a mov ecx, dword ptr [ebp-18h] 0x0000003d cdq 0x0000003e sub eax, edx 0x00000040 sar eax, 1 0x00000042 cmp eax, ecx 0x00000044 jl 00007FD5A8FADD6Eh 0x0000004a add ebx, 0000FFFFh 0x00000050 inc esi 0x00000051 test bx, bx 0x00000054 jne 00007FD5A8FAD9FEh 0x0000005a mov eax, dword ptr [ebp-14h] 0x0000005d cmp eax, ecx 0x0000005f cmovle eax, ecx 0x00000062 mov ecx, edi 0x00000064 mov dword ptr [ebp-14h], eax 0x00000067 call 00007FD5A8FAF103h 0x0000006c push ebp 0x0000006d mov ebp, esp 0x0000006f and esp, FFFFFFF8h 0x00000072 sub esp, 0Ch 0x00000075 mov eax, dword ptr [6E45D008h] 0x0000007a xor eax, esp 0x0000007c mov dword ptr [esp+08h], eax 0x00000080 push esi 0x00000081 mov esi, ecx 0x00000083 rdtscp
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\gb[1].dll Jump to dropped file
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_024E6743 rdtsc 0_2_024E6743
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E43BA20 FindFirstFileExW, 3_2_6E43BA20

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E424E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E424E67
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E42744C GetProcessHeap,HeapFree, 3_2_6E42744C
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_024E6743 rdtsc 0_2_024E6743
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00304315 mov eax, dword ptr fs:[00000030h] 3_2_00304315
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E416100 mov eax, dword ptr fs:[00000030h] 3_2_6E416100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E416100 mov eax, dword ptr fs:[00000030h] 3_2_6E416100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E434F94 mov eax, dword ptr fs:[00000030h] 3_2_6E434F94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E417A30 mov eax, dword ptr fs:[00000030h] 3_2_6E417A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E43B715 mov eax, dword ptr fs:[00000030h] 3_2_6E43B715
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E427334 mov esi, dword ptr fs:[00000030h] 3_2_6E427334
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E424E67 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E424E67
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E42461A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E42461A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E42D436 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E42D436

HIPS / PFW / Operating System Protection Evasion:

Yara detected Xls With Macro 4.0
Source: Yara match File source: app.xml, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL Jump to behavior
Source: EXCEL.EXE, 00000000.00000002.740745216.0000000000840000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.740503044.0000000000A60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.740745216.0000000000840000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.740503044.0000000000A60000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.740745216.0000000000840000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.740503044.0000000000A60000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E43CE41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E444EAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E444F7F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E444C7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E444DA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E444A27
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E44480D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E4448B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E444901
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E43C982
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E44499C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6E444610
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E424C86 cpuid 3_2_6E424C86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E424FF7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_6E424FF7

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 6.2.rundll32.exe.480de0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.430ce0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.480de0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.430ce0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.588333443.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.588398345.000000000041D000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.740442546.000000000046D000.00000004.00000020.sdmp, type: MEMORY