Windows Analysis Report
4470_02112022.xls

Overview

General Information

Sample Name:	4470_02112022.xls
Analysis ID:	746414
MD5:	d3b182de8c99553a9f2b6d0f3f030a4f
SHA1:	d5bd989ffde2f67133b6404f9f234d13e618c206
SHA256:	cd99b899c5a3d6ddb22969605b079375da897362b4d599fc9eebb1e21115a31d
Infos:

Detection

Hidden Macro 4.0, Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Document exploit detected (drops PE files)

Antivirus / Scanner detection for submitted sample

Yara detected Emotet

System process connects to network (likely due to code injection or exploit)

Document exploit detected (creates forbidden files)

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Creates an autostart registry key pointing to binary in C:\Windows

Office process drops PE file

Found Excel 4.0 Macro with suspicious formulas

Outdated Microsoft Office dropper detected

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Hides that the sample has been downloaded from the Internet (zone.identifier)

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Queries the volume information (name, serial number etc) of a device

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Downloads executable code via HTTP

Uses insecure TLS / SSL version for HTTPS connection

Drops files with a non-matching file extension (content does not match file extension)

Found inlined nop instructions (likely shell or obfuscated code)

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

PE file contains an invalid checksum

Drops PE files

Uses a known web browser user agent for HTTP communication

Drops PE files to the windows directory (C:\Windows)

Connects to several IPs in different countries

Potential key logger detected (key state polling based)

Registers a DLL

Drops PE files to the user directory

Found large amount of non-executed APIs

Uses Microsoft's Enhanced Cryptographic Provider

Potential document exploit detected (performs HTTP gets)

Creates a process in suspended mode (likely to inject code)

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: 4470_02112022.xls	ReversingLabs: Detection: 80%
Source: 4470_02112022.xls	Virustotal: Detection: 67%	Perma Link
Source: 4470_02112022.xls	Metadefender: Detection: 31%	Perma Link

Antivirus / Scanner detection for submitted sample

Source: 4470_02112022.xls

Avira: detected

Antivirus detection for URL or domain

Source: https://www.3d-stickers.com/page-non-trouvee	Avira URL Cloud: Label: malware
Source: https://www.spinbalence.com/Adapter/moycMR/	Avira URL Cloud: Label: malware
Source: https://www.spinbalence.com/index.php?controller=404	Avira URL Cloud: Label: malware
Source: http://www.3d-stickers.com/Content/Afa1PcRuxh/	Avira URL Cloud: Label: malware
Source: http://navylin.com/bsavxiv/axHQYKl/	Avira URL Cloud: Label: malware
Source: http://www.spinbalence.com/Adapter/moycMR/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.3d-stickers.com	Virustotal: Detection: 12%	Perma Link
Source: www.spinbalence.com	Virustotal: Detection: 12%	Perma Link
Source: navylin.com	Virustotal: Detection: 13%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll	ReversingLabs: Detection: 80%
Source: C:\Users\user\oxnv4.ooccxx	ReversingLabs: Detection: 80%
Source: C:\Windows\System32\SnILCOTnpOOFucYhP\FatGkw.dll (copy)	ReversingLabs: Detection: 80%

Source: 00000009.00000002.1210607529.000000000039A000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Emotet {"C2 list": ["218.38.121.17:443", "186.250.48.5:443", "80.211.107.116:8080", "174.138.33.49:7080", "165.22.254.236:8080", "185.148.169.10:8080", "62.171.178.147:8080", "128.199.217.206:443", "210.57.209.142:8080", "36.67.23.59:443", "160.16.143.191:8080", "128.199.242.164:8080", "178.238.225.252:8080", "118.98.72.86:443", "202.134.4.210:7080", "82.98.180.154:7080", "54.37.228.122:443", "64.227.55.231:8080", "195.77.239.39:8080", "103.254.12.236:7080", "103.85.95.4:8080", "178.62.112.199:8080", "83.229.80.93:8080", "114.79.130.68:443", "51.75.33.122:443", "139.196.72.155:8080", "188.165.79.151:443", "190.145.8.4:443", "196.44.98.190:8080", "198.199.70.22:8080", "103.56.149.105:8080", "104.244.79.94:443", "87.106.97.83:7080", "103.71.99.57:8080", "46.101.98.60:8080", "103.126.216.86:443", "103.224.241.74:8080", "37.44.244.177:8080", "85.214.67.203:8080", "202.28.34.99:8080", "175.126.176.79:8080", "85.25.120.45:8080", "93.104.209.107:8080", "103.41.204.169:8080", "78.47.204.80:443", "139.59.80.108:8080"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0qPVGSlYAAIg=", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCWrfVGSlYAAIg="]}

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\System32\regsvr32.exe

Code function: 8_2_100061AC CryptStringToBinaryA,CryptStringToBinaryA,

8_2_100061AC

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49178 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 218.38.121.17:443 -> 192.168.2.22:49179 version: TLS 1.0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source: unknown	HTTPS traffic detected: 163.172.115.127:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 163.172.108.69:443 -> 192.168.2.22:49175 version: TLS 1.2

Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_00000001800132FC FindNextFileW,FindFirstFileW,FindClose,		9_2_00000001800132FC
Source: C:\Windows\System32\regsvr32.exe	Code function: 10_2_00000001800132FC FindNextFileW,FindFirstFileW,FindClose,		10_2_00000001800132FC

Source: global traffic	DNS query: name: sat7ate.com
Source: global traffic	DNS query: name: www.spinbalence.com
Source: global traffic	DNS query: name: www.3d-stickers.com
Source: global traffic	DNS query: name: navylin.com

Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then lea r8, qword ptr [000000001009B410h]	8_2_1003B380
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then lea rdx, qword ptr [000000001009C2C4h]	8_2_1003BC30
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then mov rax, qword ptr [rsi]	8_2_100520A0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then movzx eax, byte ptr [rdx]	8_2_10030280
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then movzx eax, byte ptr [rdx]	8_2_10030280
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h	8_2_1004B340
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h	8_2_1004B438
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h	8_2_1004B4C9
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then movzx eax, byte ptr [rcx+rdx]	8_2_1003A4F0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then movsxd rbx, qword ptr [r14+10h]	8_2_1002E500
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h	8_2_1004B56D
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h	8_2_1004B5C8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then cmp dword ptr [rsp+rax*4+28h], edi	8_2_1004A5E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then cmp dword ptr [rsp+rcx*4+28h], ebx	8_2_1004A5E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then mov edx, dword ptr [rsp+r8*4+28h]	8_2_1004A5E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then cmp rcx, r8	8_2_1004A5E0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h	8_2_1004B66E
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then mov al, bpl	8_2_100416F8
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h	8_2_1004B709
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h	8_2_1004B72E
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h	8_2_1004B79C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h	8_2_1004B7DC
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h	8_2_1004B814
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h	8_2_1004B85C
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then sub r11, 01h	8_2_1004B901
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then movzx eax, byte ptr [r8]	8_2_10046980
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then mov r8, rdi	8_2_100389D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then movsxd rcx, qword ptr [r12+10h]	8_2_1002EA00
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then mov rax, r8	8_2_10037CB0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then movzx ecx, byte ptr [r10]	8_2_1004DCD0
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then lea rbx, qword ptr [rsp+70h]	8_2_1003DD80
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then movsxd rax, rcx	8_2_10046D80
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then movzx ecx, byte ptr [r10]	8_2_1004DE00
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then mov r8d, ebx	8_2_1004DF10
Source: C:\Windows\System32\regsvr32.exe	Code function: 4x nop then mov eax, r10d	8_2_1004BFF0

Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 163.172.115.127:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 163.172.108.69:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49178 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49179 -> 218.38.121.17:443
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 163.172.115.127:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 163.172.108.69:80
Source: global traffic	TCP traffic: 192.168.2.22:49177 -> 47.92.133.65:80

Source: Malware configuration extractor	IPs: 218.38.121.17:443
Source: Malware configuration extractor	IPs: 186.250.48.5:443
Source: Malware configuration extractor	IPs: 80.211.107.116:8080
Source: Malware configuration extractor	IPs: 174.138.33.49:7080
Source: Malware configuration extractor	IPs: 165.22.254.236:8080
Source: Malware configuration extractor	IPs: 185.148.169.10:8080
Source: Malware configuration extractor	IPs: 62.171.178.147:8080
Source: Malware configuration extractor	IPs: 128.199.217.206:443
Source: Malware configuration extractor	IPs: 210.57.209.142:8080
Source: Malware configuration extractor	IPs: 36.67.23.59:443
Source: Malware configuration extractor	IPs: 160.16.143.191:8080
Source: Malware configuration extractor	IPs: 128.199.242.164:8080
Source: Malware configuration extractor	IPs: 178.238.225.252:8080
Source: Malware configuration extractor	IPs: 118.98.72.86:443
Source: Malware configuration extractor	IPs: 202.134.4.210:7080
Source: Malware configuration extractor	IPs: 82.98.180.154:7080
Source: Malware configuration extractor	IPs: 54.37.228.122:443
Source: Malware configuration extractor	IPs: 64.227.55.231:8080
Source: Malware configuration extractor	IPs: 195.77.239.39:8080
Source: Malware configuration extractor	IPs: 103.254.12.236:7080
Source: Malware configuration extractor	IPs: 103.85.95.4:8080
Source: Malware configuration extractor	IPs: 178.62.112.199:8080
Source: Malware configuration extractor	IPs: 83.229.80.93:8080
Source: Malware configuration extractor	IPs: 114.79.130.68:443
Source: Malware configuration extractor	IPs: 51.75.33.122:443
Source: Malware configuration extractor	IPs: 139.196.72.155:8080
Source: Malware configuration extractor	IPs: 188.165.79.151:443
Source: Malware configuration extractor	IPs: 190.145.8.4:443
Source: Malware configuration extractor	IPs: 196.44.98.190:8080
Source: Malware configuration extractor	IPs: 198.199.70.22:8080
Source: Malware configuration extractor	IPs: 103.56.149.105:8080
Source: Malware configuration extractor	IPs: 104.244.79.94:443
Source: Malware configuration extractor	IPs: 87.106.97.83:7080
Source: Malware configuration extractor	IPs: 103.71.99.57:8080
Source: Malware configuration extractor	IPs: 46.101.98.60:8080
Source: Malware configuration extractor	IPs: 103.126.216.86:443
Source: Malware configuration extractor	IPs: 103.224.241.74:8080
Source: Malware configuration extractor	IPs: 37.44.244.177:8080
Source: Malware configuration extractor	IPs: 85.214.67.203:8080
Source: Malware configuration extractor	IPs: 202.28.34.99:8080
Source: Malware configuration extractor	IPs: 175.126.176.79:8080
Source: Malware configuration extractor	IPs: 85.25.120.45:8080
Source: Malware configuration extractor	IPs: 93.104.209.107:8080
Source: Malware configuration extractor	IPs: 103.41.204.169:8080
Source: Malware configuration extractor	IPs: 78.47.204.80:443
Source: Malware configuration extractor	IPs: 139.59.80.108:8080

Source: Joe Sandbox View	ASN Name: OVHFR OVHFR
Source: Joe Sandbox View	ASN Name: EcobandGH EcobandGH

Source: Joe Sandbox View	JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View	JA3 fingerprint: 8c4a22651d328568ec66382a84fc505f

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: QIerciqTmKVMTalY=ZNu1qVV4648TLcWc9PPurZOk8Euzv2esBBYSgK+0qI7gqkg7BYL3F0mCxQgzQRyD5wFY7LKdM3+m6rzAWA7DM0zlGdOu9mA+uitu6Au4yztsyCFHh5OpKU22gqXtPhtVuPee01EQS+Zfbc11xfPG5H+RbXgi6TGtiNnVWQj9vku1x5cT4DQp5DbsaxbTUVxBqIRQ6Zp9JoWXziesjQBhwb098hRQoA==Host: 218.38.121.17
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Connection: Keep-AliveCookie: SoHpbOHll=S1ZaEV/2K+G2MuFR5aWJIrFZWKJ6BUgx2VARY+iQICyCR3IjoBJq+ugHbhYuoa/1EyVyNWv+NFsl7eeESQnqDpazHNIhxXrZoY/Vuf2vmUqGl6dUPaa4tJ0lwsWfZmrxJ7pEDSggisnX+azuZvVEIAxjw6MoQMrIX6LHhpMhUlw6eJmGasOFasTPM8tRLJgpALsu1FrL12a9RO9cEVaRDYWnxpnpdi1nRvXITNoIrml15gO1b66MMFvst35GgkHSH4wY0dfE/LeROelUM6svgfP9p8M/xbXjvu2jNncQnCwlRNDoB1qZ0If0i6ltN2YsK7d/Host: 218.38.121.17

Source: global traffic	HTTP traffic detected: GET /Adapter/moycMR/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.spinbalence.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /index.php?controller=404 HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.spinbalence.comConnection: Keep-AliveCookie: PrestaShop-7318ab2db5e4a3c3a59fb8879ad22162=Nw04PzmYYXL6IgJsn1ERim4S4YpS6Ls6dHZki%2FijBePykYJIX2P7PO%2Fz2gyuaY7ukuFjkghLJ9VD2B347P4foDXH3WhaK5EtQkBaO4YrzSE%3D000075
Source: global traffic	HTTP traffic detected: GET /Content/Afa1PcRuxh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.3d-stickers.comConnection: Keep-AliveCookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=9ybostxWPod7nP43PifVMXkPdOrv4EO5U%2FKqPmWtgSFI2Ckr%2B1t%2BqGSwMBMouqmkFK0SD2XdZ7Cg5qtQQ9RwtkOJ6mVwbNsm9NO1rvVxNh8%3D000079
Source: global traffic	HTTP traffic detected: GET /page-non-trouvee HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.3d-stickers.comConnection: Keep-AliveCookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=9ybostxWPod7nP43PifVMXkPdOrv4EO5U%2FKqPmWtgSFolWp%2F7SQd8f90S8O%2FCwGohxkvf3iPluWhTbyznpM1hokG52ER60fuMOhd0m7WY6E%3D000075
Source: global traffic	HTTP traffic detected: GET /Adapter/moycMR/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.spinbalence.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /Content/Afa1PcRuxh/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.3d-stickers.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bsavxiv/axHQYKl/ HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: navylin.comConnection: Keep-Alive

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown	Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49179 -> 443

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Nov 2022 11:40:10 GMTServer: Apache/2.4.46 (FreeBSD) OpenSSL/1.0.2u-freebsdStrict-Transport-Security: max-age=63072000; includeSubDomainsX-Frame-Options: SAMEORIGINX-UA-Compatible: IE=edge,chrome=1P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"Powered-By: PrestaShopStatus: 404 Not FoundSet-Cookie: PrestaShop-7318ab2db5e4a3c3a59fb8879ad22162=Nw04PzmYYXL6IgJsn1ERim4S4YpS6Ls6dHZki%2FijBePykYJIX2P7PO%2Fz2gyuaY7u4EN7ldFY91oSo8hffAyJadQKSdMuXRfEPnyOP0LrcMPyEqQYzhnB8nK%2F56PKGV92LhwlADR0Cai9xEpKkyPgYTgxlYN3LtX9AYwD4O0bLpA%3D000115; expires=Mon, 05-Dec-2022 11:40:10 GMT; Max-Age=1728000; path=/; domain=www.spinbalence.com; secure; httponly;HttpOnly;SecureConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 15 Nov 2022 11:40:11 GMTServer: Apache/2.4.46 (FreeBSD) OpenSSL/1.0.2u-freebsdStrict-Transport-Security: max-age=63072000; includeSubDomainsX-Frame-Options: SAMEORIGINX-UA-Compatible: IE=edge,chrome=1P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"Status: 404 Not FoundSet-Cookie: PrestaShop-a30a9934ef476d11b6cc3c983616e364=9ybostxWPod7nP43PifVMXkPdOrv4EO5U%2FKqPmWtgSFolWp%2F7SQd8f90S8O%2FCwGo94XM8kzh2wgRtGRJ9nsrSftoVdV7kvSqSpdfLt4fdwNPMCppuBx0MZGFj5jTVvcGNOjxE63v9YLetElu6JEvu5ONuoJotfg%2BX0z1PXLVMbs%3D000115; expires=Mon, 05-Dec-2022 11:40:11 GMT; Max-Age=1728000; path=/; domain=www.3d-stickers.com; httponly;HttpOnly;SecureConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=utf-8

Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17
Source: unknown	TCP traffic detected without corresponding DNS query: 218.38.121.17

Source: regsvr32.exe, 00000009.00000002.1210992650.0000000002FC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: regsvr32.exe, 00000009.00000002.1210992650.0000000002FC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: regsvr32.exe, 00000009.00000002.1210700367.00000000003E7000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151735990.00000000003E5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151526148.00000000003DD000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://218.38.121.17/
Source: regsvr32.exe, 00000009.00000002.1210992650.0000000002FC0000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.co
Source: regsvr32.exe, 00000009.00000002.1210719728.00000000003F5000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151539423.00000000003ED000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 00000009.00000003.1151610020.00000000003F1000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, 0000000A.00000002.1210653343.00000000002FC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_10025238 GetParent,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	8_2_10025238
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_10014B20 GetKeyState,GetKeyState,GetKeyState,SendMessageA,	8_2_10014B20
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_10025C50 GetKeyState,GetKeyState,GetKeyState,GetParent,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	8_2_10025C50

Source: Yara match	File source: 00000009.00000002.1210607529.000000000039A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1210571701.00000000002BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 8.2.regsvr32.exe.2010000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.regsvr32.exe.2010000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.regsvr32.exe.2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.regsvr32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.1211898571.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1210482177.00000000001D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1211244100.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.940135302.0000000180001000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.939239138.0000000002010000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1210480334.00000000002B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: 4470_02112022.xls	Macro extractor: Sheet: Sheet6 contains: URLDownloadToFileA
Source: 4470_02112022.xls	Macro extractor: Sheet: Sheet6 contains: URLDownloadToFileA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\oxnv4.ooccxx			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll			Jump to dropped file

Source: 4470_02112022.xls	Initial sample: EXEC
Source: 4470_02112022.xls	Initial sample: EXEC

Source: 4470_02112022.xls	Macro extractor: Sheet name: Sheet6
Source: 4470_02112022.xls	Macro extractor: Sheet name: Sheet6

Windows Analysis Report 4470_02112022.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
4470_02112022.xls

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll"
Source: unknown	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe" "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv1.ooccxx	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv2.ooccxx	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv3.ooccxx	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\System32\regsvr32.exe ..\oxnv4.ooccxx	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\System32\regsvr32.exe C:\Windows\system32\regsvr32.exe "C:\Windows\system32\SnILCOTnpOOFucYhP\FatGkw.dll"	Jump to behavior

Source: 4470_02112022.xls	OLE indicator, Workbook stream: true
Source: 4470_02112022.xls.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180006870 push ebp; iretd	8_2_00000001800068C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180009097 push ebp; iretd	8_2_0000000180009098
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800230F3 push ebp; iretd	8_2_00000001800230F4
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180006957 push ebp; iretd	8_2_0000000180006958
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180006212 push ebp; iretd	8_2_0000000180006213
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180008A56 push ebp; iretd	8_2_0000000180008A57
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180005A82 push ebp; iretd	8_2_0000000180005A83
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180006415 push ebp; retf	8_2_0000000180006416
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_00000001800224FA push ebp; ret	8_2_00000001800224FB
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180008D61 push ebp; iretd	8_2_0000000180008D62
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_000000018000658C push ebp; iretd	8_2_000000018000658D
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180008E30 push ebp; iretd	8_2_0000000180008E31
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180006633 push ebp; retf	8_2_0000000180006634
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180006738 push 45C7D274h; iretd	8_2_000000018000673E
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_0000000180008F44 push ebp; iretd	8_2_0000000180008F45
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_0000000180006212 push ebp; iretd	9_2_0000000180006213
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_0000000180006870 push ebp; iretd	9_2_00000001800068C4
Source: C:\Windows\System32\regsvr32.exe	Code function: 9_2_0000000180006738 push 45C7D274h; iretd	9_2_000000018000673E

Source: oxnv4.ooccxx.0.dr	Static PE information: real checksum: 0xc56a8 should be: 0xc2343
Source: 40hd04O0[1].dll.0.dr	Static PE information: real checksum: 0xc56a8 should be: 0xc2343

Source: C:\Windows\System32\regsvr32.exe	File created: C:\Windows\System32\SnILCOTnpOOFucYhP\FatGkw.dll (copy)	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\oxnv4.ooccxx	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\40hd04O0[1].dll	Jump to dropped file

Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FatGkw.dll			Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run FatGkw.dll			Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_10020690 IsWindowVisible,IsIconic,		8_2_10020690
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_10010AE4 IsIconic,GetWindowPlacement,GetWindowRect,		8_2_10010AE4

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe TID: 2212	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 1648	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2956	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2548	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe TID: 2548	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_100342D0 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_100342D0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_10034370 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_10034370
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_10034490 RtlCaptureContext,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_10034490
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_10040590 RtlCaptureContext,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_10040590
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_10039C90 SetUnhandledExceptionFilter,	8_2_10039C90
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_10039CC0 SetUnhandledExceptionFilter,	8_2_10039CC0
Source: C:\Windows\System32\regsvr32.exe	Code function: 8_2_1002FF40 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_1002FF40