Windows
Analysis Report
PO906-645S790768.xlam.xlsx
Overview
General Information
Detection
Score: | 96 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Classification
- System is w7x64
- EXCEL.EXE (PID: 3200 cmdline:
"C:\Progra m Files\Mi crosoft Of fice\Offic e14\EXCEL. EXE" /auto mation -Em bedding MD5: D53B85E21886D2AF9815C377537BCAC3) - EQNEDT32.EXE (PID: 3356 cmdline:
"C:\Progra m Files\Co mmon Files \Microsoft Shared\EQ UATION\EQN EDT32.EXE" -Embeddin g MD5: A87236E214F6D42A65F5DEDAC816AEC8)
- cleanup
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
INDICATOR_XML_LegacyDrawing_AutoLoad_Document | detects AutoLoad documents using LegacyDrawing | ditekSHen |
|
Exploits |
---|
Source: | Author: Joe Security: |
System Summary |
---|
Source: | Author: Max Altgelt (Nextron Systems): |
Source: | Author: frack113: |
Click to jump to signature section
AV Detection |
---|
Source: | Avira: |
Source: | Virustotal: | Perma Link |
Source: | ReversingLabs: | |||
Source: | Virustotal: | Perma Link |
Exploits |
---|
Source: | Network connect: | Jump to behavior |
Source: | Process created: |
Source: | File opened: | Jump to behavior |
Software Vulnerabilities |
---|
Source: | Process created: |
Source: | Code function: | 1_2_035904F5 | |
Source: | Code function: | 1_2_03590429 | |
Source: | Code function: | 1_2_035904AA | |
Source: | Code function: | 1_2_03590515 | |
Source: | Code function: | 1_2_03590397 | |
Source: | Code function: | 1_2_03590443 | |
Source: | Code function: | 1_2_0359037E | |
Source: | Code function: | 1_2_035903B3 |
Source: | DNS query: |
Source: | TCP traffic: |
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: | ||
Source: | TCP traffic: |
Source: | ASN Name: |
Source: | HTTP traffic detected: |
Source: | Code function: | 1_2_03590429 |
Source: | HTTP traffic detected: |
Source: | DNS traffic detected: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
System Summary |
---|
Source: | Matched rule: |
Source: | Memory allocated: | Jump to behavior |
Source: | OLE stream indicators for Word, Excel, PowerPoint, and Visio: |
Source: | Matched rule: |
Source: | Classification label: |
Source: | File created: | Jump to behavior |
Source: | File created: | Jump to behavior |
Source: | File read: | Jump to behavior |
Source: | Key opened: | Jump to behavior |
Source: | File read: | Jump to behavior | ||
Source: | File read: | Jump to behavior |
Source: | ReversingLabs: | ||
Source: | Virustotal: |
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior | ||
Source: | Section loaded: | Jump to behavior |
Source: | Window detected: |
Source: | Key opened: | Jump to behavior |
Source: | File opened: | Jump to behavior |
Source: | Initial sample: |
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior | ||
Source: | Process information set: | Jump to behavior |
Source: | Thread sleep time: | Jump to behavior |
Source: | API call chain: | graph_1-337 |
Source: | Code function: | 1_2_0359051C |
Source: | Key value queried: | Jump to behavior |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 23 Exploitation for Client Execution | 1 Scripting | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Virtualization/Sandbox Evasion | Remote Services | Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 12 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 Process Injection | Security Account Manager | 3 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Ingress Tool Transfer | Automated Exfiltration | Data Encrypted for Impact |
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 1 Remote System Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
67% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882 | ||
48% | Virustotal | Browse | ||
100% | Avira | EXP/CVE-2017-11882.Gen |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
2% | Virustotal | Browse |
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
7% | Virustotal | Browse |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
plugsbreakers.top | 66.63.187.171 | true | true |
| unknown |
Name | Malicious | Antivirus Detection | Reputation |
---|---|---|---|
true |
| unknown |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
false | unknown | |||
false | unknown | |||
false | unknown |
- No. of IPs < 25%
- 25% < No. of IPs < 50%
- 50% < No. of IPs < 75%
- 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
---|---|---|---|---|---|---|
66.63.187.171 | plugsbreakers.top | United States | 8100 | ASN-QUADRANET-GLOBALUS | true |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1524794 |
Start date and time: | 2024-10-03 10:02:21 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 57s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2) |
Number of analysed new started processes analysed: | 6 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | PO906-645S790768.xlam.xlsx |
Detection: | MAL |
Classification: | mal96.expl.winXLSX@2/2@1/1 |
EGA Information: |
|
HCA Information: |
|
Cookbook Comments: |
|
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
- Report size getting too big, too many NtOpenKeyEx calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description |
---|---|---|
04:04:01 | API Interceptor |
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context |
---|---|---|---|---|---|---|
ASN-QUADRANET-GLOBALUS | Get hash | malicious | AgentTesla | Browse |
| |
Get hash | malicious | Mirai, Moobot | Browse |
| ||
Get hash | malicious | XenoRAT | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Snake Keylogger | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse |
| ||
Get hash | malicious | Unknown | Browse |
| ||
Get hash | malicious | Unknown | Browse |
|
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
Process: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 165 |
Entropy (8bit): | 1.4377382811115937 |
Encrypted: | false |
SSDEEP: | 3:vZ/FFDJw2fV:vBFFGS |
MD5: | 797869BB881CFBCDAC2064F92B26E46F |
SHA1: | 61C1B8FBF505956A77E9A79CE74EF5E281B01F4B |
SHA-256: | D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185 |
SHA-512: | 1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D |
Malicious: | true |
Reputation: | high, very likely benign file |
Preview: |
File type: | |
Entropy (8bit): | 7.9807482507851 |
TrID: |
|
File name: | PO906-645S790768.xlam.xlsx |
File size: | 736'638 bytes |
MD5: | 29a10a50eb01fe79324c9cd3dc663941 |
SHA1: | a36ccbd34c01fed16e27a53751accab681941c5a |
SHA256: | ef561a4cdb2a47c93a4b84a825c5ef76cbaf89ae3e1d7bef8034c33e0b8a1c03 |
SHA512: | 91a192057bc8c5dc131567cef6bc698b14b0b0533f3868592732fe6bc94161464eb336d9617a656a598c0522860ae2051bcc5823034da00321794e77e863aa6e |
SSDEEP: | 12288:TIMD4ybeFnJUQFQtmXo01kvTI3dXQugbXZihxdG3OZLa:NSzCtwozvTI3dvgbpihx43O4 |
TLSH: | 0AF40248B29995E8A7AD81A754C46E3303874010E65F3C693FC7771362C13D68BFAE6E |
File Content Preview: | PK........j.AY.h."............[Content_Types].xmlUT...iI.fiI.fiI.f.T.n.0....?..."......C......^z[.k.5_ 7...].M......P .....rv....`.6.FL.DT.t46.......&.B......;,......q..T.....Q..T..z(2&.|.....6.T...../..W.c .TS.!.g.. [..=d...:j..1....d>Q...{.F@J.j .\m.y.Z |
Icon Hash: | 2562ab89a7b7bfbf |
Document Type: | OpenXML |
Number of OLE Files: | 1 |
Has Summary Info: | |
Application Name: | |
Encrypted Document: | False |
Contains Word Document Stream: | False |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | False |
Author: | |
Last Saved By: | |
Create Time: | 2024-09-30T12:55:35Z |
Last Saved Time: | 2024-10-01T18:04:35Z |
Creating Application: | |
Security: | 0 |
Thumbnail Scaling Desired: | false |
Contains Dirty Links: | false |
Shared Document: | false |
Changed Hyperlinks: | false |
Application Version: | 12.0000 |
General | |
Stream Path: | \x1OLe10natIVE |
CLSID: | |
File Type: | data |
Stream Size: | 939159 |
Entropy: | 5.886660791012148 |
Base64 Encoded: | True |
Data ASCII: | , . . . R T J . . ( B . 2 . c . . . . . U . i F - . F ! ; . . J @ . d . ? t + j . . . 9 A j S . F . P * D _ g S L . ~ . . . } P H A ' . f ' . . H H # g q . y . . . . . 3 u 1 > . J ' . . . . ^ S [ . . . . W . . . . . . i V ^ ! i / . . M . Q I d . . 9 . . w . . Y R W _ R W k . . # . . . j . . @ . . 4 i . . P R g . . . - R * . . Z X _ Z S [ Z + S . . . $ u 3 [ o | . . Z k . Z 9 Q Y . N . T . o . V . . . / ! . 9 . I 9 z M * . G T t ( . o k } B ' J ^ . d 8 t . L U g u O . z I . t l . N # L . 5 2 f ? - c D E |
Data Raw: | e3 fe 2c 04 03 08 52 54 4a 8c 01 08 dd 28 ba c3 42 ba ff f7 d2 8b 32 8b 2e be 63 1b f4 10 81 ee b3 b3 ad 10 8b 06 55 ff d0 05 69 97 eb 46 2d dc 96 eb 46 ff e0 d4 21 3b 92 1a 13 4a 40 00 81 81 64 1a 3f 74 94 89 a6 2b b1 6a 11 db 01 16 39 41 6a dd c0 ff 53 7f 8b 46 06 88 50 2a da 44 b5 5f e1 67 53 bc 4c 12 e3 7e 19 c4 7f fb 90 fe a0 a2 c6 a8 7d 50 e9 48 41 27 06 66 27 1d de 8b 48 a9 |
General | |
Stream Path: | FCHahHyxX8Y8YhCOTAStNXLPRaeQu |
CLSID: | |
File Type: | empty |
Stream Size: | 0 |
Entropy: | 0.0 |
Base64 Encoded: | False |
Data ASCII: | |
Data Raw: |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 3, 2024 10:04:05.566898108 CEST | 49163 | 80 | 192.168.2.22 | 66.63.187.171 |
Oct 3, 2024 10:04:05.572329998 CEST | 80 | 49163 | 66.63.187.171 | 192.168.2.22 |
Oct 3, 2024 10:04:05.572412014 CEST | 49163 | 80 | 192.168.2.22 | 66.63.187.171 |
Oct 3, 2024 10:04:05.572630882 CEST | 49163 | 80 | 192.168.2.22 | 66.63.187.171 |
Oct 3, 2024 10:04:05.577610016 CEST | 80 | 49163 | 66.63.187.171 | 192.168.2.22 |
Oct 3, 2024 10:04:27.680907011 CEST | 80 | 49163 | 66.63.187.171 | 192.168.2.22 |
Oct 3, 2024 10:04:27.681046963 CEST | 80 | 49163 | 66.63.187.171 | 192.168.2.22 |
Oct 3, 2024 10:04:27.681061983 CEST | 49163 | 80 | 192.168.2.22 | 66.63.187.171 |
Oct 3, 2024 10:04:27.681269884 CEST | 49163 | 80 | 192.168.2.22 | 66.63.187.171 |
Oct 3, 2024 10:04:27.681269884 CEST | 49163 | 80 | 192.168.2.22 | 66.63.187.171 |
Oct 3, 2024 10:04:27.681328058 CEST | 80 | 49163 | 66.63.187.171 | 192.168.2.22 |
Oct 3, 2024 10:04:27.681384087 CEST | 49163 | 80 | 192.168.2.22 | 66.63.187.171 |
Oct 3, 2024 10:04:27.686218977 CEST | 80 | 49163 | 66.63.187.171 | 192.168.2.22 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 3, 2024 10:04:05.190824986 CEST | 54562 | 53 | 192.168.2.22 | 8.8.8.8 |
Oct 3, 2024 10:04:05.548605919 CEST | 53 | 54562 | 8.8.8.8 | 192.168.2.22 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 3, 2024 10:04:05.190824986 CEST | 192.168.2.22 | 8.8.8.8 | 0x4f52 | Standard query (0) | A (IP address) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 3, 2024 10:04:05.548605919 CEST | 8.8.8.8 | 192.168.2.22 | 0x4f52 | No error (0) | 66.63.187.171 | A (IP address) | IN (0x0001) | false |
|
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
---|---|---|---|---|---|---|
0 | 192.168.2.22 | 49163 | 66.63.187.171 | 80 | 3356 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Timestamp | Bytes transferred | Direction | Data |
---|---|---|---|
Oct 3, 2024 10:04:05.572630882 CEST | 321 | OUT |
Click to jump to process
Click to jump to process
back
Click to dive into process behavior distribution
Click to jump to process
Target ID: | 0 |
Start time: | 04:03:13 |
Start date: | 03/10/2024 |
Path: | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x13f800000 |
File size: | 28'253'536 bytes |
MD5 hash: | D53B85E21886D2AF9815C377537BCAC3 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 1 |
Start time: | 04:04:01 |
Start date: | 03/10/2024 |
Path: | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0x400000 |
File size: | 543'304 bytes |
MD5 hash: | A87236E214F6D42A65F5DEDAC816AEC8 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | true |
Execution Graph
Execution Coverage: | 14.1% |
Dynamic/Decrypted Code Coverage: | 0% |
Signature Coverage: | 80.6% |
Total number of Nodes: | 72 |
Total number of Limit Nodes: | 3 |
Graph
Callgraph
Function 03590429 Relevance: 3.1, APIs: 2, Instructions: 81libraryCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 035904F5 Relevance: 3.0, APIs: 2, Instructions: 46processCOMMON
Control-flow Graph
APIs |
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 03590443 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 03590515 Relevance: 1.5, APIs: 1, Instructions: 4COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0359051C Relevance: .0, Instructions: 14COMMON
Control-flow Graph
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|
Function 0359037E Relevance: 1.6, APIs: 1, Instructions: 67COMMON
Control-flow Graph
APIs |
|
Memory Dump Source |
|
Joe Sandbox IDA Plugin |
|
Similarity |
|