
Windows Analysis Report
Sgioba.xlsx

Overview

General Information

Sample name:Sgioba.xlsx
Analysis ID:1571432
MD5:f098c0bf9bd12985a19ea9f937f93e39
SHA1:6e5e06752e8c801b7ab21651dfdb9ec232f3f925
SHA256:064f3e372e8f1aa18916e02aa857c0d4842765942d155266cd40f85f8d171663

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Sigma detected: Excel Network Connections
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64_ra
  • EXCEL.EXE (PID: 6872 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\user\Desktop\Sgioba.xlsx" MD5: 4A871771235598812032C822E6F68F19)
  • cleanup
No yara matches
Source: Network Connection - Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0', Tim Shelton - Data: DestinationIp: 52.113.195.132, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6872, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49695
Source: Network Connection - Author: X__Junior (Nextron Systems) - Data: DestinationIp: 192.168.2.16, DestinationIsIpv6: false, DestinationPort: 49695, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6872, Protocol: tcp, SourceIp: 52.113.195.132, SourceIsIpv6: false, SourcePort: 443
Suricata alert - Timestamp: 2024-12-09T11:19:07.753477+0100, SID: 2028371, Severity: 3, Classtype: Unknown Traffic, Source IP: 192.168.2.16, Source Port: 49695, Destination IP: 52.113.195.132, Destination Port: 443, Protocol: TCP


Source: unknown - HTTPS traffic detected: 52.113.195.132:443 -> 192.168.2.16:49695 version: TLS 1.2
Source: global traffic - TCP traffic: 192.168.2.16:49695 -> 52.113.195.132:443
Source: global traffic - TCP traffic: 52.113.195.132:443 -> 192.168.2.16:49695
Source: excel.exe - Memory has grown: Private usage: 5MB later: 195MB
Source: Network traffic - Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49695 -> 52.113.195.132:443
Source: unknown - Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown - Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown - HTTPS traffic detected: 52.113.195.132:443 -> 192.168.2.16:49695 version: TLS 1.2
Source: classification engine - Classification label: clean2.winXLSX@1/2@0/8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE - File created: C:\Users\user\Desktop\~$Sgioba.xlsx
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE - File created: C:\Users\user\AppData\Local\Temp\{5AE242C3-9890-4546-A378-08865E42228D} - OProcSessId.dat
Source: Sgioba.xlsx - OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE - File read: C:\Users\desktop.ini
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: Window Recorder - Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE - Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: Sgioba.xlsx - Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE - Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE - Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
ATT&CK matrix by tactic (techniques listed per column; a number in parentheses is the count of matched signatures for that technique):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Exploitation for Client Execution (2); Scheduled Task/Job; At
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Extra Window Memory Injection (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: Masquerading (1); Extra Window Memory Injection (1); Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Process Discovery (1); File and Directory Discovery (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Encrypted Channel (2); Application Layer Protocol (1); Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

Antivirus / scanner result - Source: Sgioba.xlsx, Detection: 17%, Scanner: ReversingLabs, Label: Document-Word.Phishing.Generic
No Antivirus matches
Contacted domain - Name: s-0005.s-dc-msedge.net, IP: 52.113.195.132, Active: true, Malicious: false, Antivirus Detection: none, Reputation: high
Contacted IPs:
    • IP: 52.113.195.132, Domain: s-0005.s-dc-msedge.net, Country: United States, ASN: 8068, ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS, Malicious: false
    • IP: 52.109.32.97, Domain: unknown, Country: United States, ASN: 8075, ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS, Malicious: false
    • IP: 51.116.253.168, Domain: unknown, Country: United Kingdom, ASN: 8075, ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS, Malicious: false
    • IP: 52.109.76.243, Domain: unknown, Country: United States, ASN: 8075, ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS, Malicious: false
    Joe Sandbox version:41.0.0 Charoite
    Analysis ID:1571432
    Start date and time:2024-12-09 11:18:31 +01:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:10
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    Analysis Mode:stream
    Analysis stop reason:Timeout
    Sample name:Sgioba.xlsx
    Detection:CLEAN
    Classification:clean2.winXLSX@1/2@0/8
    Cookbook Comments:
    • Found application associated with file extension: .xlsx
    • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
    • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.109.76.243
    • Excluded domains from analysis (whitelisted): ecs.office.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, eur.roaming1.live.com.akadns.net, neu-azsc-000.roaming.officeapps.live.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, config.officeapps.live.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, ukw-azsc-config.officeapps.live.com, europe.configsvc1.live.com.akadns.net
    • Report size getting too big, too many NtCreateKey calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtReadVirtualMemory calls found.
    • VT rate limit hit for: Sgioba.xlsx
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
    File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 2481x3508, components 3
    Category:dropped
    Size (bytes):666183
    Entropy (8bit):7.756169252193822
    Encrypted:false
    SSDEEP:
    MD5:BC46B1844BEDD95C2F3A6D7BF4BD72E0
    SHA1:FB938E079C37A377C2F2F81237DD8F3A1A069DB1
    SHA-256:68938D4B73A2DC46CA804CAD2C99E9AA9BAD64746C21843C553B2CAAAFB049D3
    SHA-512:FB43BBB4EE60D63B438FE9D28B298837394008D320D4CAC0C46EDFBF64E6E0C862519CAC604670ED27D539B918BA53BE2D5B1825FC15E2C8983C7613237D254A
    Malicious:false
    Reputation:unknown
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
    File Type:data
    Category:dropped
    Size (bytes):165
    Entropy (8bit):1.3520167401771568
    Encrypted:false
    SSDEEP:
    MD5:9AC4D67F6E514F452D4A1DB79CE3B2E8
    SHA1:33F8C665ECBB81275D2E49D48F2565A58A282043
    SHA-256:407E1D871964C93DBDBD4D00613CD0A9E30D3ED6352D8052C58E7A252D52FC5A
    SHA-512:018D0F54AB0AB01F27E9FB870A128F2F581A58487399DD7FB56A94EC4AAEC6874708A5AD5650F362485E45E2C6A557ED08524C5B8335F83F240E0962281A0F1A
    Malicious:false
    Reputation:unknown
    Preview:.user ..c.a.l.i. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
    File type:Microsoft Excel 2007+
    Entropy (8bit):7.750120899582082
    TrID:
    • Excel Microsoft Office Open XML Format document (35004/1) 81.40%
    • ZIP compressed archive (8000/1) 18.60%
    File name:Sgioba.xlsx
    File size:676'889 bytes
    MD5:f098c0bf9bd12985a19ea9f937f93e39
    SHA1:6e5e06752e8c801b7ab21651dfdb9ec232f3f925
    SHA256:064f3e372e8f1aa18916e02aa857c0d4842765942d155266cd40f85f8d171663
    SHA512:926ce1867932a38f3351d44bc2405b6003a93577ea0fae4c0cdad3c91e35728d5bf8cd89874f7932ce6f3e646875fad94b9b099489aa1073eadd231d9893f6c8
    SSDEEP:12288:dQCmE08IrHJoMk0cRYmh3R+FEyUz9sHUo1CZ6PoXfL9kXXRsXbD5CA:6a0eMk0cRYmh3RME7+0APa9knRgbDl
    TLSH:DFE41A138C458B83E46897F8BE130EAD6F1A274CE4963AFF14661EDB7F502124D9E06D
    Icon Hash:35e58a8c0c8a85b9
    Document Type:OpenXML
    Number of OLE Files:1
    Has Summary Info:
    Application Name:
    Encrypted Document:False
    Contains Word Document Stream:False
    Contains Workbook/Book Stream:True
    Contains PowerPoint Document Stream:False
    Contains Visio Document Stream:False
    Contains ObjectPool Stream:False
    Flash Objects Count:0
    Contains VBA Macros:False