ID: 228859
Sample Name: Cancelled Loan After Disbursement Template .xlsx
Cookbook: defaultwindowsofficecookbook.jbs
Time: 18:29:06
Date: 10/05/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents

Table of Contents 2
Analysis Report Cancelled Loan After Disbursement Template .xlsx 4
Overview 4
General Information 4
Detection 5
Confidence 5
Classification Spiderchart 5
Analysis Advice 6
Mitre Att&ck Matrix 6
Signature Overview 7
Networking: 7
System Summary: 7
Hooking and other Techniques for Hiding and Protection: 7
Malware Configuration 7
Behavior Graph 7
Simulations 8
Behavior and APIs 8
Antivirus, Machine Learning and Genetic Malware Detection 8
Initial Sample 8
Dropped Files 8
Unpacked PE Files 8
Domains 8
URLs 8
Yara Overview 9
Initial Sample 9
PCAP (Network Traffic) 9
Dropped Files 9
Memory Dumps 10
Unpacked PEs 10
Sigma Overview 10
Joe Sandbox View / Context 10
IPs 10
Domains 10
ASN 10
JA3 Fingerprints 10
Dropped Files 10
Screenshots 10
Thumbnails 10
Startup 11
Created / dropped Files 11
Domains and IPs 14
Contacted Domains 14
URLs from Memory and Binaries 14
Contacted IPs 17
Static File Info 17
General 17
File Icon 17
Network Behavior 17
UDP Packets 17
DNS Answers 17
Code Manipulations 18
Statistics 18
System Behavior 18
Analysis Process: EXCEL.EXE PID: 4740 Parent PID: 696 18
General 18
File Activities 18
File Deleted 18
File Written 18
Registry Activities 19
Key Created 19
Key Value Created 19
Disassembly 19

Copyright Joe Security LLC 2020 Page 2 of 19

Analysis Report: Cancelled Loan After Disbursement Template .xlsx

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 228859
Start date: 10.05.2020
Start time: 18:29:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Cancelled Loan After Disbursement Template .xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.winXLSX@1/8@0/0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .xlsx; Found Word or Excel or PowerPoint or XPS Viewer; Attach to Office via COM; Scroll down; Close Viewer

Warnings:
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 13.107.3.128, 13.107.5.88, 52.109.32.27, 52.109.88.36, 52.114.7.38, 2.18.68.82, 205.185.216.42, 205.185.216.10
Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, config.edge.skype.com.trafficmanager.net, mobile.pipe.aria.microsoft.com, e-0009.e-msedge.net, config-edge-skype-com.s-0001.s-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, afdo-tas-offload.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, s-0001.s-msedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, prod.nexusrules.live.com.akadns.net, skypedataprdcolase02.cloudapp.net, config.officeapps.live.com, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.

Detection

Strategy    Score   Range     Reporting   Whitelisted   Detection
Threshold   0       0 - 100   false

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   4       0 - 5   false

Classification Spiderchart

[Classification spiderchart: figure not reproduced. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale rings: clean, suspicious, malicious.]

Analysis Advice

No malicious behavior found; analyze the document also on other versions of Office / Acrobat

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Graphical User Interface 1; Service Execution
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Port Monitors; Accessibility Features
Defense Evasion: Masquerading 1; Binary Padding
Credential Access: Credential Dumping; Network Sniffing
Discovery: File and Directory Discovery 1; System Information Discovery 1
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
Command and Control: Data Obfuscation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Signature Overview

• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection


Networking:

Urls found in memory or binary data

System Summary:

Classification label

Creates files inside the user directory

Creates temporary files

Reads ini files

Found graphical window changes (likely an installer)

Document is a ZIP file with path names indicative of goodware

Checks if is installed

Uses new MSVCR Dlls

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph: figure not reproduced. ID: 228859, Sample: Cancelled Loan After Disbur..., Startdate: 10/05/2020, Architecture: WINDOWS, Score: 0. Nodes shown: Internet, EXCEL.EXE (started; node counters 185 and 51). Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, started, Is malicious, Internet.]

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source                                             Detection   Scanner      Label   Link
Cancelled Loan After Disbursement Template .xlsx   0%          Virustotal           Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64
EXCEL.EXE (PID: 4740, cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding, MD5: D672D26C85AEB9536B9736BF04054969)
cleanup

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E902EF0A-BB23-4BA1-8623-4FE5034304F7
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Size (bytes): 126077
Entropy (8bit): 5.377924869661677
Encrypted: false
MD5: D7DFB355940BAE05892633AE7FAC5971
SHA1: C24DBEB688E89BACACE27D1BB6577C8712735167
SHA-256: DC0612AE26244D985AF281CB5D5C95D37F6C5D7E348CC720945A240962900D42
SHA-512: 467A9CA5502335D5F02052638BDC93810C262D0CC2D17059EB45CE4E8492C18FF1BE239503BC7DB2DFB4232C9722B7B397A4A9A04BD6B16B7EDC875B00F5CAEA
Malicious: false
Reputation: low
Preview: .... .. Build: 16.0.10127.65001-->.. .. .. .. .. https://rr.office.microsoft.com/research/query.asmx.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://ocsa.office.microsoft.com/client/15/help/template.. ..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: XML 1.0 document, ASCII text, with very long lines, with no line terminators
Size (bytes): 411099
Entropy (8bit): 5.1045647507193435
Encrypted: false
MD5: 835F49596235A7C9C84839CDA139080D
SHA1: 29C3FC213E2F8AE44F643BB7C168F31AC86EF8AC
SHA-256: 41F8D0D0AFE29AF4B31C53FB83CE444DAFD6A0C58FA098351DA32026A805CCE3
SHA-512: A9AB12669E5203EE0FA205BD12A787D8C7AC4967AEA7E9DE7A56681998828DB8FB34641AAE2CD7554FA91241768708E99230BFC13EE9947FEC6C58109925C498
Malicious: false
Reputation: moderate, very likely benign file
Preview:

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: SQLite 3.x database, last written using SQLite version 3019003
Size (bytes): 4096
Entropy (8bit): 0.09237477444559435
Encrypted: false
MD5: 1A9A28416CE9CCB568FC28191B8B1267
SHA1: 49BD37DCB1210C3DCDACE52393537FA0197EC14F
SHA-256: 9B8EC34DF5486C537505C5B582CD27519C114BE8EB58098E1C6F7DCCDF63C617
SHA-512: 516998D8F0639272541EF5DFE99EF0B73281F320CB6014AEDF96E5D415DA301CED8E1ADF38A7514D3279BE9B850A2C3F8D21A385C03F520351AAAF4FD693AABA
Malicious: false
Reputation: high, very likely benign file
Preview: SQLite format 3...... @ ......

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-journal
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Size (bytes): 524
Entropy (8bit): 0.27937671757176796
Encrypted: false
MD5: 488E6496275DD556C72CC590A086B6B5
SHA1: A17E2EC167B2F0112F2D92DA90D59F881637DEF0
SHA-256: 89B61CF6EC4C222A15CE5CE82DD75190BFC57F3109A12A9CAA8E1EEB50C96A82
SHA-512: B3D478094E40ED439270C94829D21E2947E6365976156429F85DC39E9D4FEEEBA7B7642EB334307BDC2984DDF4FE923650A726B7CB751B13B503DB44AC0DE1BB
Malicious: false
Reputation: low
Preview: ...... c.....

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: SQLite Write-Ahead Log, version 3007000
Size (bytes): 37112
Entropy (8bit): 0.4019329610171306
Encrypted: false
MD5: 71C515638C1C1F12683F3789577459D1
SHA1: 1006F0785280D5A1D42D8213F7B8BC8FA99C3C3F
SHA-256: 2EB3535DE6AD482B3BAAC25F9F941F98B90D7CA13017563C33F6389A8E689739
SHA-512: 4FD5E81567F79CEB5A99C25CE09CEEDB22F3794AC48C0A1BFFB951795B3D8D020C5FE5F4E8CFE24364A1B1208DB893A27BC6C839D37A448373AB94D70A015418
Malicious: false
Reputation: low
Preview: 7....-...... a.....A{ ...... a....g....-SQLite format 3...... @ ......

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: SQLite 3.x database, last written using SQLite version 3019003
Size (bytes): 61440
Entropy (8bit): 0.4540769983555709
Encrypted: false
MD5: 32D1BDE0A2376036B624ABA0057E6BB6
SHA1: 803521DA076A0C08FA0956E5C9C48BEB5FC3556E
SHA-256: 56E6BCF7D6AA627BC3D3CC9C08BBFF4A7F70E18809B7932FD9F8F41B2565D440
SHA-512: EFAB6875481DDFCD39509EB4AAD462810F05F4DA6D30BD5D4948CE02401C707E3672DD68E8738C165EEAE0D09E50AAD1B52A5CEB46B19AAA181A0F862B0C30EE
Malicious: false
Reputation: low
Preview: SQLite format 3...... @ ......

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session-journal
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Size (bytes): 44184
Entropy (8bit): 0.4756998030055597
Encrypted: false
MD5: BD1FC000C012E9727C6E7FC842D0EB60
SHA1: 741BBC999D63E7E1B02EE570DACA6B368AD267D4
SHA-256: ED64693A1729C0376EA6549325F44A5C84A379E6C5AAA5DB9785186D915915DD
SHA-512: 995346DC44C749DE45AC64E1F48A1D6719DAA9A20CC6AE14B2A09D420668BD8AF050A49D1C62D1FDC0FC57D636012B3571AB5810658D3B335CAC4D97ADF6BFF3
Malicious: false
Reputation: low
Preview: ...... (...... c...... V..U......

C:\Users\user\Desktop\~$Cancelled Loan After Disbursement Template .xlsx
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Size (bytes): 165
Entropy (8bit): 1.4134958568691696
Encrypted: false
MD5: EC44A10D4853F1CFFE7BBDA771AEE4D8
SHA1: 895FCC3C3C58D771A8DBDB804D74B878AE167DE4
SHA-256: 269F81E30F3F32118FD912EFC6DDD81B27D197E4CA23D6FAD8BD7E9848FC37BE
SHA-512: AFC14523F0E2975749AC1DAA3CE3C68FE1CAADDC16AFE67042D605F6A61ED250E538457F458A4EE153334C9E1EA8F7C13A6CA8CA6B264A0BD373E60264F90482
Malicious: false
Reputation: moderate, very likely benign file
Preview: .user ..G.u.c.c.i......

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries


Contacted IPs

No contacted IP infos

Static File Info

General
File type: Microsoft Excel 2007+
Entropy (8bit): 6.9823426993317685
TrID: Excel Microsoft Office Open XML Format document (50504/1) 86.33%; ZIP compressed archive (8000/1) 13.67%
File name: Cancelled Loan After Disbursement Template .xlsx
File size: 18723
MD5: e3e85b1745d94d83cb99983212dfb76a
SHA1: f90b603b220b6025be6ab5713f51194d74cdd028
SHA256: a59a3588b0658a75296129b77bec4434d96be4703e6d0b7486bc968441a5a1ae
SHA512: 3320fd1668f1fb7aaf53f4e76cccba3201b20ec747e1dfe4b2a879e52a5f65b327312b4caa12f238435a73970fe350d8db88fe3db50a420b07180cfe15192753
SSDEEP: 384:GN+HpzMUlM9z5w5bnyiqkuq++CVXWO18ZUo4PanCMMv:JlMxN4byi+q+NdsPMv
File Content Preview: PK...... !...... [Content_Types].xml ...(......

File Icon

Icon Hash: 74ecd0d2d6d6d0dc

Network Behavior

UDP Packets

Timestamp                             Source Port   Dest Port   Source IP     Dest IP
May 10, 2020 18:29:32.129136086 CEST   56104         53          192.168.2.5   8.8.8.8
May 10, 2020 18:29:32.134649038 CEST   62623         53          192.168.2.5   8.8.8.8
May 10, 2020 18:29:32.135162115 CEST   59949         53          192.168.2.5   8.8.8.8
May 10, 2020 18:29:32.154603958 CEST   53            56104       8.8.8.8       192.168.2.5
May 10, 2020 18:29:32.160042048 CEST   53            62623       8.8.8.8       192.168.2.5
May 10, 2020 18:29:32.209296942 CEST   53            59949       8.8.8.8       192.168.2.5
May 10, 2020 18:29:32.421013117 CEST   61115         53          192.168.2.5   8.8.8.8
May 10, 2020 18:29:32.446408987 CEST   53            61115       8.8.8.8       192.168.2.5
May 10, 2020 18:29:37.272969961 CEST   57276         53          192.168.2.5   8.8.8.8
May 10, 2020 18:29:37.298470020 CEST   53            57276       8.8.8.8       192.168.2.5
May 10, 2020 18:29:50.429301977 CEST   54857         53          192.168.2.5   8.8.8.8
May 10, 2020 18:29:50.487627983 CEST   53            54857       8.8.8.8       192.168.2.5
May 10, 2020 18:30:15.846215010 CEST   55750         53          192.168.2.5   8.8.8.8
May 10, 2020 18:30:15.871555090 CEST   53            55750       8.8.8.8       192.168.2.5

DNS Answers

Timestamp: May 10, 2020 18:29:32.154603958 CEST
Source IP: 8.8.8.8
Dest IP: 192.168.2.5
Trans ID: 0xb364
Reply Code: No error (0)
Name: s-0001.config.skype.com
CName: config-edge-skype-com.s-0001.s-msedge.net
Type: CNAME (Canonical name)
Class: IN (0x0001)

Code Manipulations

Statistics

System Behavior

Analysis Process: EXCEL.EXE PID: 4740 Parent PID: 696

General

Start time: 18:29:31
Start date: 10/05/2020
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x240000
File size: 43854104 bytes
MD5 hash: D672D26C85AEB9536B9736BF04054969
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Deleted

File Path: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DA8E547A.tmp
Completion: success or wait
Count: 1
Address: 647E12
Symbol: DeleteFileW

Source Old File Path New File Path Completion Count Address Symbol

File Written

File Path: C:\Users\user\Desktop\~$Cancelled Loan After Disbursement Template .xlsx
Offset: unknown
Length: 55
Value: 05 47 75 63 63 69 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Ascii: .user
Completion: success or wait
Count: 1
Address: 3E07DE
Symbol: WriteFile

File Path: C:\Users\user\Desktop\~$Cancelled Loan After Disbursement Template .xlsx
Offset: unknown
Length: 110
Value: 05 00 47 00 75 00 63 00 63 00 69 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
Ascii: ..G.u.c.c.i......
Completion: success or wait
Count: 1
Address: 3E0839
Symbol: WriteFile

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Key Created

Key Path: HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache
Completion: success or wait
Count: 1
Address: 2D87BC
Symbol: RegCreateKeyExW

Key Path: HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0
Completion: success or wait
Count: 1
Address: 2D87E4
Symbol: RegCreateKeyExW

Key Value Created

Key Path: HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0
Name: MSForms
Type: dword
Data: 1
Completion: success or wait
Count: 1
Address: 2D8806
Symbol: RegSetValueExW

Key Path: HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0
Name: MSComctlLib
Type: dword
Data: 1
Completion: success or wait
Count: 1
Address: 2D8806
Symbol: RegSetValueExW

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Disassembly
