Edit tour

Windows Analysis Report
KZ429 FEB17 BSRec_InvNet.xlsx

Overview

General Information

Sample Name:	KZ429 FEB17 BSRec_InvNet.xlsx
Analysis ID:	562531
MD5:	31b67f4aa8dccb4ed683563dbc104bd0
SHA1:	ed39326058a73ab569efa22534f79ac9ee9953e7
SHA256:	4137a3675db12038c970e56f94ce7bee7a0d920e2514eabefd9a2b28348fc9eb

Detection

Score:	0
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

No high impact signatures.

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 668 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cleanup

Malware Configuration

⊘No configs have been found

Yara Overview

⊘No yara matches

Sigma Overview

⊘No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE0576B3.emf

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDE0E.tmp

Jump to behavior

Source: classification engine

Classification label: clean0.winXLSX@1/5@0/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$KZ429 FEB17 BSRec_InvNet.xlsx

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image5.emf
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing4.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing5.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing6.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image6.png
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/embeddings/oleObject1.bin
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/vmlDrawing2.vml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing3.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image1.png
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image2.emf
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/media/image3.emf
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/drawing2.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing2.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/vmlDrawing2.vml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing4.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing5.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/drawings/_rels/drawing6.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet19.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet2.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet9.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet15.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/_rels/sheet18.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet12.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet18.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet17.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet16.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet15.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet14.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet19.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet5.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet6.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet7.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet8.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet9.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet10.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet11.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/worksheets/sheet13.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp1.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink5.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink2.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink7.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink6.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink1.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink4.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink3.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/_rels/externalLink1.xml.rels
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/ctrlProps/ctrlProp2.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink7.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink6.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/calcChain.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink2.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink3.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings6.bin
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink4.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/printerSettings/printerSettings5.bin
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = xl/externalLinks/externalLink5.xml
Source: KZ429 FEB17 BSRec_InvNet.xlsx	Initial sample: OLE zip file path = docProps/custom.xml

Source: KZ429 FEB17 BSRec_InvNet.xlsx

Static file information: File size 1358015 > 1048576

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: KZ429 FEB17 BSRec_InvNet.xlsx

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 File and Directory Discovery	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
windowsupdate.s.llnwi.net	0%	Virustotal		Browse

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdate.s.llnwi.net	41.63.96.0	true	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562531
Start date:	29.01.2022
Start time:	00:57:54
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 58s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	KZ429 FEB17 BSRec_InvNet.xlsx
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	117
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	CLEAN
Classification:	clean0.winXLSX@1/5@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsx

Warnings

Max analysis timeout: 600s exceeded, the analysis took too long
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, mscorsvw.exe, svchost.exe
Excluded domains from analysis (whitelisted): wu-shim.trafficmanager.net, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98E6EBE4.jpeg

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 660x137, frames 3
Category:	dropped
Size (bytes):	25938
Entropy (8bit):	7.833218523254594
Encrypted:	false
SSDEEP:	768:RPdG3S2uAu5LAbvlGVzYO00pQlDSmM57dx7SiWIKLvW1:RP88Ap+cZ02kpCiWDg
MD5:	B5BB6A7EF0B322467A20AB38ABC07B97
SHA1:	47B724835E4C7B3DDB0FA32BE2D00CBFD43BADBC
SHA-256:	9CB8D86A1195C6A0C7E2B3FAE92C988BFFB85E24CD245872C543BB3B8295DCBE
SHA-512:	C90C1FF27F5179A9C3CC55C0C72E9B95377902B1F91CE216729BA9BEE899A07671506F4533D759DF3C5351B4263FCCEEA66AECE86E72E15093E361624BC4F0FA
Malicious:	false
Reputation:	low
Preview:	......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....+3@..(..s....k.....A..>.....(..M.\|-.O..M+..#B.G.7....2M.~!......[........O....o...9..5......{...g.3...H.....5.c.+.....f......"k!.....\|...8_.....M~..5...K$......ZP.>X.Fd..........+@&.+.Z...&..C..W...'..._..\|6+....<K.yg*t.R{]...a\....W...-..Q.Bh.G.......X5y.T....z..?....R.........),...n...8#..N...E....F2.._..B?..........#..v.m......5.i..7.KY..M._.v.fc.9R

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9B0D5918.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5356
Entropy (8bit):	2.3433223432482677
Encrypted:	false
SSDEEP:	48:S83IHpHK2n4x//3G7+wJj7IaK0JohkN+DuuHmt:SVHpHKzx//3+xB7IaK0bNIXGt
MD5:	99A4EF14AF0ED7CC47AED67CDF9C1B6F
SHA1:	76CCECCAA04689B49FEFC31E285287A79E3C8114
SHA-256:	E8504FF99C633ADA90BC68E60C438D6A725B9EE7DDA5CA867E6D11BD47EB6412
SHA-512:	FB08FA565E155963B2A779226E58A4446C544C851616EDC402C6086D403C5BAFE958E5FF9DBC0DDEE03185F728FD6BFA38402283C3076E19F5349CE411045449
Malicious:	false
Reputation:	low
Preview:	....l...........................C#...... EMF................................8.......}................U..H...................K.......................................'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE0576B3.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5348
Entropy (8bit):	2.344745671221623
Encrypted:	false
SSDEEP:	48:SE3IHpHK2n4x//3G7+wJj7IaK0VNCedxp41:SNHpHKzx//3+xB7IaK0VUopw
MD5:	4ACCB58B65F8BF9DB41724A8DFADFD6C
SHA1:	60B13D43FE7B6A371ABCAD15764142685851AED8
SHA-256:	C43A9B6A567B16EC1A9EA2A2D2F9A451BB279422CA00D52F4A1F191499036E8F
SHA-512:	8A08A70DABB7BB49F1D3E23D0DDC79CC14869258A1371992596A9CE707334BCD921C243AAFB44BD7A1D41370C61471204072603ACA7E26B12DFB4B83446CC75A
Malicious:	false
Reputation:	low
Preview:	....l...........................C#...... EMF................................8.......}................U..H...................K.......................................'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........L...d...................................!..............?...........?................................%...........(...........'.......................%...........

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4851639.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	5004
Entropy (8bit):	4.880532580784114
Encrypted:	false
SSDEEP:	48:ANKfvG+H2cxp2K8R5mPK1PhfP5vVkFuGOa3GEze93tl7ykhA/XbvY+98woStReDk:gKHLYKG5mPKDRv4Og6tO/XP8lEE8
MD5:	4195D6D8FBCE413B298166FFDAB9F5C1
SHA1:	3B0AA8B2E29511492ADD852F0BE1EB48AE669EFB
SHA-256:	904460518FC5ED57981E4DABCB417DC5DBC7F155C0B76EA20D5F8DC8540F4872
SHA-512:	2874C90877A6BFB2C9EEAE01D7F628E1E8180103AB9779AB5392CB771776F20DC345C7DD811DDD84B37637B602F37DBC79461624FD502369BEBB41C28368F465
Malicious:	false
Reputation:	low
Preview:	....l...........U.../...........9...q... EMF................................8.......}................U..H..........................._...5...R...p...................................S.e.g.o.e. .U.I....................................................u8)..1.5.\.R.o.o.t.\.O.f.f.i.c.e.....l./..mko........D..V..........u.>.v.....;vD./.../......./.......w.>.v8.....\...\..;v../.....Q.......@........./...w;>.v....\.\...\.h.b......./..........}\.p./.........../.cnko........../.....8)..../..}.u........dv......%...................................r....... .......?....... ....... ... ..................?...........?................l...4........... ... ...(... ... ..... .............................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$KZ429 FEB17 BSRec_InvNet.xlsx

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.974035344901012
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	KZ429 FEB17 BSRec_InvNet.xlsx
File size:	1358015
MD5:	31b67f4aa8dccb4ed683563dbc104bd0
SHA1:	ed39326058a73ab569efa22534f79ac9ee9953e7
SHA256:	4137a3675db12038c970e56f94ce7bee7a0d920e2514eabefd9a2b28348fc9eb
SHA512:	5803da5436340626230bb4b84a862a99bb2eb4fbd71d58fccc61514c3a8d9bf395b3eea80bbbd0d5e6d8ea8eda701ced4bb0103ae148c5c72775ba7b439c6a63
SSDEEP:	24576:PU+VurG3iP/t5kHbSqE8TE6eB3PHjfQ3JGMuLH3nS0IbrEXD6Px9Z:PZgrGyn4i8G3PHjfiJgLH3n74rEmB
File Content Preview:	PK..........!..3y.............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	e4e2aa8aa4b4bcb4

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/562531/sample/KZ429 FEB17 BSRec_InvNet.xlsx"

Indicators

Has Summary Info:	False
Application Name:	unknown
Encrypted Document:	False
Contains Word Document Stream:
Contains Workbook/Book Stream:
Contains PowerPoint Document Stream:
Contains Visio Document Stream:
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	False

Summary

Author:	Gut, Mateusz
Last Saved By:	Bernas, Justyna
Create Time:	2012-08-13T15:44:29Z
Last Saved Time:	2017-03-29T09:51:35Z
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:	Boart Longyear
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General
Stream Path:	\x1CompObj
File Type:	data
Stream Size:	76
Entropy:	3.09344952647
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . O L E P a c k a g e . . . . . . . . . P a c k a g e . . 9 . q . . . . . . . . . . . .
Data Raw:	01 00 fe ff 03 0a 00 00 ff ff ff ff 0c 00 03 00 00 00 00 00 c0 00 00 00 00 00 00 46 0c 00 00 00 4f 4c 45 20 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 91167

General
Stream Path:	\x1Ole10Native
File Type:	data
Stream Size:	91167
Entropy:	4.5146051143
Base64 Encoded:	True
Data ASCII:	. d . . . . 6 0 7 9 1 F C E . m s g . C : \\ U s e r s \\ j u s t y n a . b e r n a s \\ A p p D a t a \\ L o c a l \\ M i c r o s o f t \\ W i n d o w s \\ T e m p o r a r y I n t e r n e t F i l e s \\ C o n t e n t . M S O \\ 6 0 7 9 1 F C E . m s g . . . . . 6 . . . C : \\ U s e r s \\ J U S T Y N ~ 1 . B E R \\ A p p D a t a \\ L o c a l \\ T e m p \\ 6 0 7 9 1 F C E . m s g . . b . . . . . . . . . . . . . . . . . . . . . . . . . . > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	1b 64 01 00 02 00 36 30 37 39 31 46 43 45 2e 6d 73 67 00 43 3a 5c 55 73 65 72 73 5c 6a 75 73 74 79 6e 61 2e 62 65 72 6e 61 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 54 65 6d 70 6f 72 61 72 79 20 49 6e 74 65 72 6e 65 74 20 46 69 6c 65 73 5c 43 6f 6e 74 65 6e 74 2e 4d 53 4f 5c 36 30 37 39 31 46 43 45 2e 6d 73 67 00 00 00 03

Network Behavior

⊘No network behavior found

Statistics

⊘No statistics

System Behavior

Analysis Process: EXCEL.EXEPID: 668, Parent PID: 596

General

Target ID:	0
Start time:	00:59:17
Start date:	29/01/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f120000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report KZ429 FEB17 BSRec_InvNet.xlsx

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Sigma Overview

Jbx Signature Overview

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\98E6EBE4.jpeg

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9B0D5918.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE0576B3.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4851639.emf

C:\Users\user\Desktop\~$KZ429 FEB17 BSRec_InvNet.xlsx

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/562531/sample/KZ429 FEB17 BSRec_InvNet.xlsx"

Indicators

Summary

Document Summary

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 76

General

Stream Path: \x1Ole10Native, File Type: data, Stream Size: 91167

General

Network Behavior

Statistics

System Behavior

Analysis Process: EXCEL.EXEPID: 668, Parent PID: 596

General

Disassembly

Windows Analysis Report
KZ429 FEB17 BSRec_InvNet.xlsx