Windows Analysis Report
maryanne@propertynz.co.nz_Agreement70554.xlsx

Overview

General Information

Sample name:maryanne@propertynz.co.nz_Agreement70554.xlsx
Analysis ID:1553345
MD5:ca2e9558d141c7b79948b731c057ce0e
SHA1:0d5b9d0d522f62d9a0a138023c52ed3cd3db36a0
SHA256:f6d618128d0850704da57558c80a0a0602ef369aacda7ce65f2b580c84d8d311

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected landing page (webpage, office document or email)
Document exploit detected (process start blacklist hit)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Stores large binary data to the registry

Classification

  • System is w10x64_ra
  • EXCEL.EXE (PID: 6960 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\maryanne@propertynz.co.nz_Agreement70554.xlsx" MD5: 4A871771235598812032C822E6F68F19)
    • DWWIN.EXE (PID: 5432 cmdline: C:\Windows\SysWOW64\DWWIN.EXE -x -s 3688 MD5: 57A4F3E9F6F5AA7AFA57FAACBF578453)
  • cleanup
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\DWWIN.EXE
Source: excel.exe | Memory has grown: Private usage: 3MB later: 71MB
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\DWWIN.EXE C:\Windows\SysWOW64\DWWIN.EXE -x -s 3688
Source: classification engine | Classification label: mal48.expl.winXLSX@3/5@0/49
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\Desktop\~$maryanne@propertynz.co.nz_Agreement70554.xlsx
Source: C:\Windows\SysWOW64\DWWIN.EXE | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6960
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{C56344F9-EC67-495F-82FE-C771E97A521C} - OProcSessId.dat
Source: maryanne@propertynz.co.nz_Agreement70554.xlsx | OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\DWWIN.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\maryanne@propertynz.co.nz_Agreement70554.xlsx"
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: wer.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: version.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: c2r64.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: c2r32.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: msvcp140.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: aepic.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: dsreg.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: netprofm.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: npmproxy.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: rmclient.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: windows.security.authentication.onlineid.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: webio.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\DWWIN.EXE | Section loaded: cryptnet.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: maryanne@propertynz.co.nz_Agreement70554.xlsx | Initial sample: OLE zip file path = xl/media/image1.png
Source: maryanne@propertynz.co.nz_Agreement70554.xlsx | Initial sample: OLE zip file path = xl/media/image2.png
Source: maryanne@propertynz.co.nz_Agreement70554.xlsx | Initial sample: OLE zip file path = xl/media/image3.png
Source: maryanne@propertynz.co.nz_Agreement70554.xlsx | Initial sample: OLE zip file path = xl/metadata.xml
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: maryanne@propertynz.co.nz_Agreement70554.xlsx | Initial sample: OLE indicators vbamacros = False

Persistence and Installation Behavior

Source: Office document | LLM: Office document contains QR code
Source: C:\Windows\SysWOW64\DWWIN.EXE | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\DWWIN.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\DWWIN.EXE TID: 5712 | Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (flattened during extraction; only the techniques that carry a hit count are listed, grouped by tactic column):
  • Execution: Exploitation for Client Execution (1)
  • Persistence: Browser Extensions (1), DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Extra Window Memory Injection (1)
  • Defense Evasion: Masquerading (1), Modify Registry (1), Virtualization/Sandbox Evasion (1), Process Injection (1), DLL Side-Loading (1), Extra Window Memory Injection (1)
  • Discovery: Virtualization/Sandbox Evasion (1), Process Discovery (1), File and Directory Discovery (1), System Information Discovery (3)
  • No hits under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration or Impact.

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


Source | Detection | Scanner | Label | Link
maryanne@propertynz.co.nz_Agreement70554.xlsx | 0% | ReversingLabs | |
No Antivirus matches
No contacted domains info
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
52.113.194.132 | unknown | United States | US | 8068 | MICROSOFT-CORP-MSN-AS-BLOCK | false
52.168.117.173 | unknown | United States | US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK | false
52.109.28.46 | unknown | United States | US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK | false
184.28.90.27 | unknown | United States | US | 16625 | AKAMAI-AS | false
13.69.116.108 | unknown | United States | US | 8075 | MICROSOFT-CORP-MSN-AS-BLOCK | false
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1553345
Start date and time:2024-11-10 23:28:50 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:maryanne@propertynz.co.nz_Agreement70554.xlsx
Detection:MAL
Classification:mal48.expl.winXLSX@3/5@0/49
Cookbook Comments:
  • Found application associated with file extension: .xlsx
  • Exclude process from analysis (whitelisted): dllhost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 184.28.90.27
  • Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, s-0005.s-msedge.net, config.officeapps.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, europe.configsvc1.live.com.akadns.net, uks-azsc-config.officeapps.live.com
  • Not all processes where analyzed, report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • VT rate limit hit for: maryanne@propertynz.co.nz_Agreement70554.xlsx
Input | Output
URL: Office document Model: claude-3-haiku-20240307
```json
{
  "contains_trigger_text": true,
  "trigger_text": "Scan the QR code with your smartphone Camera to review and approve",
  "prominent_button_name": "unknown",
  "text_input_field_labels": "unknown",
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": true,
  "has_visible_qrcode": true
}
```
URL: Office document Model: claude-3-haiku-20240307
```json
{
  "brands": [
    "HR Shared Wage Agreement & Financial Analysis for 2024/2025 | Executive Bonus Summary, Salary Adjustment, and Enrollment Details"
  ]
}
```
Process:C:\Windows\SysWOW64\DWWIN.EXE
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):1.7461851311279541
Encrypted:false
SSDEEP:
MD5:AE859C6493AA4C3A259F42026409500B
SHA1:16D4C89E8FFBE35986DE4236EF6D90275AEE975C
SHA-256:DA46FEBE8B37F373A8D7D045F1A2928E10CF9969D9E6D64A455E4020556A3E50
SHA-512:EF05523CCD9BB2C9BDE50831B5A86ABD984161E19FBB3AE9E4A7D395E7663553E781EC94EFA4B6251D5071B996020A1B5910EC2FC9B8A600296854E2367A3624
Malicious:false
Reputation:unknown
Preview (decoded from UTF-16; truncated as in the original):
Version=1
EventType=APPCRASH
EventTime=133757514154719444
ReportType=2
Consent=1
UploadTime=133757514157109444
ReportStatus=524384
ReportIdentifier=3e499996-d217-49f3-a85e-bea06baa4ca0
IntegratorReportIdentifier=6ed95ad1-4c2d-47da-9f85-5a0003b16546
Wow64Host=34404
Wow64Guest=332
OriginalFilename=Excel.exe
AppSessionGuid=00001b30-0001-0017-a573-f8fbbf33db01
TargetAppId=W:00068412025c65613450196ab3efde2984d900000000!0000b756a9d1cff4beed72512af50b0ffcfb435205b7!EXCEL.EXE
TargetAppVer
Process:C:\Windows\SysWOW64\DWWIN.EXE
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8386
Entropy (8bit):3.718883959249281
Encrypted:false
SSDEEP:
MD5:D1FA5A55B1B3BDEFEC2139D13214CE9B
SHA1:D19A74DD2E60AAE3C9671D4A939A06D83D211598
SHA-256:8F47D55ED3D9AA08052F22438100CD8ED2DDEFBFC30625F1F3EC3C45BB874418
SHA-512:1765F82566E4E20C78683BB7CFD31A60763F9D615D09CA4717EAECEB480BC5E3B12D2B18D13F7DD2F4897102DD28E320D06F9CF5CC6E319814D8145D33F09F6C
Malicious:false
Reputation:unknown
Preview (decoded from UTF-16; truncated as in the original):
<?xml version="1.0" encoding="UTF-16"?>
<WERReportMetadata>
  <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
  </OSVersionInformation>
  <ProcessInformation>
    <Pid>6960</Pi
Process:C:\Windows\SysWOW64\DWWIN.EXE
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5115
Entropy (8bit):4.5604825919799925
Encrypted:false
SSDEEP:
MD5:E561B394BD2AE62716B0C1E3721F11F4
SHA1:0955700F16EDAC3A7EF232188044013765967C67
SHA-256:5E4921625D6971803BDFC7EBC3747A563A7AAECFAC78D54351F6FA215FB12902
SHA-512:5BEEC01A4D2455A34F6036BCB8B3C6CBF7473D8E05FC8232C2C013294D82495FE520217B1AA0875F4064810FCEA118EC318039709F9F313CE9D5F03AF3A00EE6
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="582572" />.. <arg nm="osinsty" val="2" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type:data
Category:dropped
Size (bytes):165
Entropy (8bit):1.4988604911361962
Encrypted:false
SSDEEP:
MD5:34863D0C5EDC5217BFE8F28000149692
SHA1:B997A6CB01178B27D14131F0B3C99068378F2959
SHA-256:AA5DEED2AFD386A6CE02460403D856BAD3C6E0969C73294FE33A76B2B1F60B4D
SHA-512:74A541E58F69DCA407BF95CC9141D93968DB858F680B4A4CD1ECF96C4B4DF6E44A2912F2A364B423E464078739CA616815C2FCE69479B102856989F71B364BB1
Malicious:false
Reputation:unknown
Preview:.user ..t.o.r.r.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Process:C:\Windows\SysWOW64\DWWIN.EXE
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.53053653405176
Encrypted:false
SSDEEP:
MD5:5D5714D469C2C60D28936ECB67BB41EB
SHA1:F5FA109E97A5A7AE5D0B8F19DBB23FB53965A527
SHA-256:E9C84FAFB31FE30E93C556A436793210500C40EBB8931D504E91548737AE7012
SHA-512:64120A420CD7AFCD5FE6E30083FD4876E5DE54AEA1E5F5CE9843B684BCC2EF9B382785F700C3EA267A6E95629259D991E166EAAFCFE8E2AF5D9596586619DD91
Malicious:false
Reputation:unknown
Preview: "regf" registry hive header; embedded path string \AppCompat\Programs\Amcache.hve; the remainder of the preview is binary and omitted here.
File type:Microsoft Excel 2007+
Entropy (8bit):7.7207616047801775
TrID:
  • Excel Microsoft Office Open XML Format document (35004/1) 81.40%
  • ZIP compressed archive (8000/1) 18.60%
File name:maryanne@propertynz.co.nz_Agreement70554.xlsx
File size:39'702 bytes
MD5:ca2e9558d141c7b79948b731c057ce0e
SHA1:0d5b9d0d522f62d9a0a138023c52ed3cd3db36a0
SHA256:f6d618128d0850704da57558c80a0a0602ef369aacda7ce65f2b580c84d8d311
SHA512:1ce5258faafec8ed3fc6a34e9ac515877287b136b58b7d1c9382fb38b63bcbfb9f04cd601ce73f0fddce90e22b5d10e362a974c89a5e5ff83b769309a8f00344
SSDEEP:768:bNQyap8vkk49zlc0XovZb99Mw8ZKWqcj9azHNe27yBxnHOvu:9auCc0XovZMw82c9ANHexP
TLSH:5703C0ACD2B8946BC7EE0835A30C81E9740D94A9F9D5CB875584FB9E8D42207335F2CD
File Content Preview: "PK" ZIP local file header; first entry [Content_Types].xml; the remainder of the preview is binary and omitted here.
Icon Hash:35e58a8c0c8a85b9
Document Type:OpenXML
Number of OLE Files:1
Has Summary Info:
Application Name:
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:True
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:False
Flash Objects Count:0
Contains VBA Macros:False