Windows Analysis Report Complaint details 143595.xlsb

ID:	532579
Product:	CloudBasic
Start time:	14:06:40
Start date:	02.12.2021
Sample:	Complaint details 143595.xlsb
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	91eca239ee8b604f18f6fb1ed6cde135
SHA1:	78c47637b513d11ba6c36b19b9d79f7ee7a86338
SHA256:	4dea495d5c1c5e0cb56677608b5efa53658cc20bb836f9cccd2aa1092b573aa8
Filetype:	Excel Microsoft Office Open XML Format document with Macro (51004/1) 36.56%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\KBjfhfmoGRoN.rtf	HTML document, ASCII text, with very long lines, with CRLF line terminators	49260A7E1DE719025128C72993301DED	BC80B798A2696B823D18588EB0AB6FEBF2A02F87	B625DC085D39BC8CDDA7C4277CFA755B4DAA7052701AB9DF16CAC86FC99EAEBE
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E2AB5816.png	PNG image data, 960 x 510, 8-bit/color RGBA, non-interlaced	E1D0A03A4956FF80068F5297E2C4AC15	D59E49A3FD454D9A66CF4F847E1D727CE8A85D0D	D5A8E7A4BB9D2D6888D2B8BF585C9B7694270C2B41E81A7A3D0D36A291D8AB73
C:\Users\user\Desktop\~$Complaint details 143595.xlsb	data	797869BB881CFBCDAC2064F92B26E46F	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185

AV Detection:

Multi AV Scanner detection for submitted file

Source: Complaint details 143595.xlsb

ReversingLabs: Detection: 37%

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\wbem\WMIC.exe

Networking:

Found strings which match to known social media urls

Source: mshta.exe, 00000004.00000002.680081995.0000000003170000.00000002.00020000.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

URLs found in memory or binary data

Source: mshta.exe, 00000004.00000002.680081995.0000000003170000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000004.00000002.680081995.0000000003170000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: EXCEL.EXE, 00000000.00000002.684013280.00000000052B7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.680346112.0000000003357000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.684013280.00000000052B7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.680346112.0000000003357000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mshta.exe, 00000004.00000002.680600886.0000000003650000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WMIC.exe, 00000002.00000002.468672527.0000000001BF0000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: EXCEL.EXE, 00000000.00000002.684013280.00000000052B7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.680346112.0000000003357000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: EXCEL.EXE, 00000000.00000002.684013280.00000000052B7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.680346112.0000000003357000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000004.00000002.680600886.0000000003650000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: mshta.exe, 00000004.00000002.680081995.0000000003170000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: EXCEL.EXE, 00000000.00000002.684013280.00000000052B7000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.680346112.0000000003357000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000004.00000002.680081995.0000000003170000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000004.00000002.680081995.0000000003170000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E2AB5816.png

Jump to behavior

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud:

Yara detected Dridex Downloader

Source: Yara match

File source: C:\ProgramData\KBjfhfmoGRoN.rtf, type: DROPPED

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING FROM YELLOW BAR ABOVE 4 Once you have clicked, please click "Enable Content" 5 6
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED 2 Open this document with Desktop Version of Microsoft Office Excel. 3 CLICK
Source: Screenshot number: 4	Screenshot OCR: Enable Content" 5 6 7 8 9 10 11 12 13 T Macro Error @"|| 23 i zvious version of Microsoft O
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING FROM YELLOW BAR ABOVE 4 Once you have clicked, please click "Enable Content" 5 6
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED 2 Open this document with Desktop Version of Microsoft Office Excel. 3 CLICK
Source: Screenshot number: 8	Screenshot OCR: Enable Content" 5 6 7 8 9 10 11 12 13 1'Macro Error WW"'vious version of Microsoft Office E

Found Excel 4.0 Macro with suspicious formulas

Source: Complaint details 143595.xlsb

Initial sample: EXEC

Found protected and hidden Excel 4.0 Macro sheet

Source: Complaint details 143595.xlsb

Initial sample: Sheet name: Macro1

Contains functionality to create processes via WMI

Source: EXCEL.EXE, 00000000.00000002.684617078.0000000005CDF000.00000004.00000001.sdmp

Binary or memory string: C:\Windows\System32\Wbem;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\Wbem\wmic.exewmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf"C:\Windows\System32\Wbem\wmic.exeWinSta0\Default=C:=C:\Users\user\DocumentsALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeFP_NO_HOST_CHECK=NOHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=4OS=Windows_NTPath=C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=5507ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86

Found obfuscated Excel 4.0 Macro

Source: Complaint details 143595.xlsb

Macro extractor: Sheet: Macro1 high usage of CHAR() function: 25

Found a hidden Excel 4.0 Macro sheet

Source: Complaint details 143595.xlsb

Macro extractor: Sheet name: Macro1

Searches for the Microsoft Outlook file path

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Detected potential crypto function

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_01D56753		0_2_01D56753
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_01D56340		0_2_01D56340
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_01D56743		0_2_01D56743
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_01D566F3		0_2_01D566F3
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_01D566E8		0_2_01D566E8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Code function: 0_2_01D57820		0_2_01D57820

Sample is known by Antivirus

Source: Complaint details 143595.xlsb

ReversingLabs: Detection: 37%

Reads software policies

Source: C:\Windows\System32\wbem\WMIC.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf"
Source: unknown	Process created: C:\Windows\System32\mshta.exe mshta C:\ProgramData\KBjfhfmoGRoN.rtf
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "mshta C:\ProgramData\KBjfhfmoGRoN.rtf"			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Queries process information (via WMI, Win32_Process)

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Binary contains paths to development resources

Source: mshta.exe, 00000004.00000002.680081995.0000000003170000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Complaint details 143595.xlsb

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRED89.tmp

Jump to behavior

Classification label

Source: classification engine

Classification label: mal96.troj.expl.evad.winXLSB@4/3@0/0

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads internet explorer settings

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Document is a ZIP file with path names indicative of goodware

Source: Complaint details 143595.xlsb	Initial sample: OLE zip file path = xl/media/image1.png
Source: Complaint details 143595.xlsb	Initial sample: OLE zip file path = docProps/custom.xml

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Persistence and Installation Behavior:

Creates processes via WMI

Source: C:\Windows\System32\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Creates and opens a fake document (probably a fake document to hide exploiting)

Source: unknown	Process created: cmd line: kbjfhfmogron.rtf
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: cmd line: kbjfhfmogron.rtf			Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\wbem\WMIC.exe TID: 1936	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 1996	Thread sleep time: -60000s >= -30000s			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Yara detected Xls With Macro 4.0

Source: Yara match

File source: app.xml, type: SAMPLE

May try to detect the Windows Explorer process (often used for injection)

Source: EXCEL.EXE, 00000000.00000002.679903919.00000000008A0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.679653998.0000000000AF0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.679510667.000000000026E000.00000004.00000001.sdmp	Binary or memory string: Progman
Source: EXCEL.EXE, 00000000.00000002.679903919.00000000008A0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.679653998.0000000000AF0000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.679903919.00000000008A0000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.679653998.0000000000AF0000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation			Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Windows\System32\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior