Source: PO554830092024.xls |
Virustotal: Detection: 23% |
Perma Link |
Source: PO554830092024.xls |
ReversingLabs: Detection: 34% |
Source: PO554830092024.xls |
Joe Sandbox ML: detected |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: unknown |
HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49161 version: TLS 1.2 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49162 -> 72.5.43.53:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49164 -> 72.5.43.53:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49161 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49161 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49161 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49161 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49161 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49161 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49161 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49161 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49161 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49161 |
Source: global traffic |
TCP traffic: 192.168.2.22:49162 -> 72.5.43.53:80 |
Source: global traffic |
TCP traffic: 72.5.43.53:80 -> 192.168.2.22:49162 |
Source: global traffic |
TCP traffic: 192.168.2.22:49162 -> 72.5.43.53:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49162 -> 72.5.43.53:80 |
Source: global traffic |
TCP traffic: 72.5.43.53:80 -> 192.168.2.22:49162 |
Source: global traffic |
TCP traffic: 72.5.43.53:80 -> 192.168.2.22:49162 |
Source: global traffic |
TCP traffic: 192.168.2.22:49162 -> 72.5.43.53:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49162 -> 72.5.43.53:80 |
Source: global traffic |
TCP traffic: 72.5.43.53:80 -> 192.168.2.22:49162 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 172.67.216.244:443 |
Source: global traffic |
TCP traffic: 172.67.216.244:443 -> 192.168.2.22:49163 |
Source: global traffic |
TCP traffic: 192.168.2.22:49164 -> 72.5.43.53:80 |
Source: global traffic |
TCP traffic: 72.5.43.53:80 -> 192.168.2.22:49164 |
Source: global traffic |
TCP traffic: 192.168.2.22:49164 -> 72.5.43.53:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49164 -> 72.5.43.53:80 |
Source: global traffic |
TCP traffic: 72.5.43.53:80 -> 192.168.2.22:49164 |
Source: global traffic |
TCP traffic: 72.5.43.53:80 -> 192.168.2.22:49164 |
Source: global traffic |
TCP traffic: 192.168.2.22:49164 -> 72.5.43.53:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49164 -> 72.5.43.53:80 |
Source: global traffic |
TCP traffic: 72.5.43.53:80 -> 192.168.2.22:49164 |
Source: Network traffic |
Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49162 -> 72.5.43.53:80 |
Source: Network traffic |
Suricata IDS: 2024449 - Severity 1 - ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl : 192.168.2.22:49164 -> 72.5.43.53:80 |
Source: Joe Sandbox View |
ASN Name: UNASSIGNED UNASSIGNED |
Source: Joe Sandbox View |
JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b |
Source: global traffic |
HTTP traffic detected: GET /ojmkcb HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /ojmkcb HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /450/ne/IEnetworkprojectupdate.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 72.5.43.53Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /450/ne/IEnetworkprojectupdate.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 72.5.43.53Connection: Keep-Alive |
Source: unknown |
TCP traffic detected without corresponding DNS query: 72.5.43.53 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 72.5.43.53 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 72.5.43.53 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 72.5.43.53 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 72.5.43.53 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 72.5.43.53 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 72.5.43.53 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 72.5.43.53 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 72.5.43.53 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 72.5.43.53 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6B20EFA4.emf |
Jump to behavior |
Source: global traffic |
HTTP traffic detected: GET /ojmkcb HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /ojmkcb HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: og1.inConnection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /450/ne/IEnetworkprojectupdate.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 72.5.43.53Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET /450/ne/IEnetworkprojectupdate.hta HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 72.5.43.53Connection: Keep-Alive |
Source: global traffic |
DNS traffic detected: DNS query: og1.in |
Source: PO554830092024.xls, 6B630000.0.dr |
String found in binary or memory: https://og1.in/ojmkcb |
Source: unknown |
Network traffic detected: HTTP traffic on port 49161 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49163 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49163 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49161 |
Source: unknown |
HTTPS traffic detected: 172.67.216.244:443 -> 192.168.2.22:49161 version: TLS 1.2 |
Source: PO554830092024.xls |
OLE: Microsoft Excel 2007+ |
Source: 6B630000.0.dr |
OLE: Microsoft Excel 2007+ |
Source: PO554830092024.xls |
OLE indicator, VBA macros: true |
Source: classification engine |
Classification label: mal64.winXLS@1/8@1/2 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\Desktop\6B630000 |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Temp\CVR820A.tmp |
Jump to behavior |
Source: PO554830092024.xls |
OLE indicator, Workbook stream: true |
Source: 6B630000.0.dr |
OLE indicator, Workbook stream: true |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File read: C:\Users\desktop.ini |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA |
Jump to behavior |
Source: PO554830092024.xls |
Virustotal: Detection: 23% |
Source: PO554830092024.xls |
ReversingLabs: Detection: 34% |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: 6B630000.0.dr |
Initial sample: OLE indicators vbamacros = False |
Source: PO554830092024.xls |
Initial sample: OLE indicators encrypted = True |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: PO554830092024.xls |
Stream path 'Workbook' entropy: 7.99951239633 (max. 8.0) |
Source: 6B630000.0.dr |
Stream path 'Workbook' entropy: 7.99939820191 (max. 8.0) |