ID: 228859
Sample Name: Cancelled Loan After Disbursement Template .xlsx
Cookbook: defaultwindowsofficecookbook.jbs
Time: 18:29:06
Date: 10/05/2020
Version: 28.0.0 Lapis Lazuli

Table of Contents
Table of Contents (page 2)
Analysis Report Cancelled Loan After Disbursement Template .xlsx (page 4)
Overview (page 4)
General Information (page 4)
Detection (page 5)
Confidence (page 5)
Classification Spiderchart (page 5)
Analysis Advice (page 6)
Mitre Att&ck Matrix (page 6)
Signature Overview (page 7)
Networking: (page 7)
System Summary: (page 7)
Hooking and other Techniques for Hiding and Protection: (page 7)
Malware Configuration (page 7)
Behavior Graph (page 7)
Simulations (page 8)
Behavior and APIs (page 8)
Antivirus, Machine Learning and Genetic Malware Detection (page 8)
Initial Sample (page 8)
Dropped Files (page 8)
Unpacked PE Files (page 8)
Domains (page 8)
URLs (page 8)
Yara Overview (page 9)
Initial Sample (page 9)
PCAP (Network Traffic) (page 9)
Dropped Files (page 9)
Memory Dumps (page 10)
Unpacked PEs (page 10)
Sigma Overview (page 10)
Joe Sandbox View / Context (page 10)
IPs (page 10)
Domains (page 10)
ASN (page 10)
JA3 Fingerprints (page 10)
Dropped Files (page 10)
Screenshots (page 10)
Thumbnails (page 10)
Startup (page 11)
Created / dropped Files (page 11)
Domains and IPs (page 14)
Contacted Domains (page 14)
URLs from Memory and Binaries (page 14)
Contacted IPs (page 17)
Static File Info (page 17)
General (page 17)
File Icon (page 17)
Network Behavior (page 17)
UDP Packets (page 17)
DNS Answers (page 17)
Code Manipulations (page 18)
Statistics (page 18)
System Behavior (page 18)
Analysis Process: EXCEL.EXE PID: 4740 Parent PID: 696 (page 18)
General (page 18)
File Activities (page 18)
File Deleted (page 18)
File Written (page 18)
Registry Activities (page 19)
Key Created (page 19)
Key Value Created (page 19)
Disassembly (page 19)
Copyright Joe Security LLC 2020 Page 2 of 19
Analysis Report Cancelled Loan After Disbursement Template .xlsx
Overview
General Information
Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 228859
Start date: 10.05.2020
Start time: 18:29:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Cancelled Loan After Disbursement Template .xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 3
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.winXLSX@1/8@0/0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .xlsx; Found Word or Excel or PowerPoint or XPS Viewer; Attach to Office via COM; Scroll down; Close Viewer
Warnings:
Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe
Excluded IPs from analysis (whitelisted): 13.107.3.128, 13.107.5.88, 52.109.32.27, 52.109.88.36, 52.114.7.38, 2.18.68.82, 205.185.216.42, 205.185.216.10
Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, config.edge.skype.com.trafficmanager.net, mobile.pipe.aria.microsoft.com, e-0009.e-msedge.net, config-edge-skype-com.s-0001.s-msedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, config.edge.skype.com, afdo-tas-offload.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, s-0001.s-msedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, prod.nexusrules.live.com.akadns.net, skypedataprdcolase02.cloudapp.net, config.officeapps.live.com, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Detection
Strategy: Threshold
Score: 0
Range: 0 - 100
Reporting Whitelisted: false
Confidence
Strategy: Threshold
Score: 4
Range: 0 - 5
Further Analysis Required?: false
Classification Spiderchart
[Figure: classification spiderchart. Axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Scale: clean / suspicious / malicious.]
Analysis Advice
No malicious behavior found; analyze the document also on other versions of Office / Acrobat.
Mitre Att&ck Matrix
Initial Access: Valid Accounts; Replication Through Removable Media
Execution: Graphical User Interface 1; Service Execution
Persistence: Winlogon Helper DLL; Port Monitors
Privilege Escalation: Port Monitors; Accessibility Features
Defense Evasion: Masquerading 1; Binary Padding
Credential Access: Credential Dumping; Network Sniffing
Discovery: File and Directory Discovery 1; System Information Discovery 1
Lateral Movement: Application Deployment Software; Remote Services
Collection: Data from Local System; Data from Removable Media
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium
Command and Control: Data Obfuscation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout
Signature Overview
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
Networking:
Urls found in memory or binary data
System Summary:
Classification label
Creates files inside the user directory
Creates temporary files
Reads ini files
Found graphical window changes (likely an installer)
Document is a ZIP file with path names indicative of goodware
Checks if Microsoft Office is installed
Uses new MSVCR Dlls
Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)
Malware Configuration
No configs have been found
Behavior Graph
[Figure: behavior graph. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, started, Is malicious, Internet. Graph metadata: ID: 228859; Sample: Cancelled Loan After Disbur...; Startdate: 10/05/2020; Architecture: WINDOWS; Score: 0. Single process node: EXCEL.EXE, annotated 185 and 51 (the legend's created-registry-value and created-file counters).]
Simulations
Behavior and APIs
No simulations
Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner | Label | Link
Cancelled Loan After Disbursement Template .xlsx | 0% | Virustotal | - | Browse
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Source | Detection | Scanner | Label | Link
https://cdn.entity. | 0% | URL Reputation | safe | -
https://wus2-000.contentsync. | 0% | URL Reputation | safe | -
https://powerlift.acompli.net | 0% | Virustotal | - | Browse
https://powerlift.acompli.net | 0% | URL Reputation | safe | -
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | Virustotal | - | Browse
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe | -
https://api.aadrm.com/ | 0% | Virustotal | - | Browse
https://api.aadrm.com/ | 0% | URL Reputation | safe | -
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | Virustotal | - | Browse
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe | -
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | Virustotal | - | Browse
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe | -
https://powerlift-frontdesk.acompli.net | 0% | Virustotal | - | Browse
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe | -
https://officeci.azurewebsites.net/api/ | 0% | Virustotal | - | Browse
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe | -
https://store.office.cn/addinstemplate | 0% | Virustotal | - | Browse
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe | -
https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe | -
https://store.officeppe.com/addinstemplate | 0% | Virustotal | - | Browse
https://store.officeppe.com/addinstemplate | 0% | URL Reputation | safe | -
https://dev0-api.acompli.net/autodetect | 0% | Virustotal | - | Browse
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe | -
https://www.odwebp.svc.ms | 0% | Virustotal | - | Browse
https://www.odwebp.svc.ms | 0% | URL Reputation | safe | -
https://dataservice.o365filtering.com/ | 0% | Virustotal | - | Browse
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe | -
https://officesetup.getmicrosoftkey.com | 0% | Virustotal | - | Browse
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe | -
https://prod-global-autodetect.acompli.net/autodetect | 0% | Virustotal | - | Browse
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe | -
https://apis.live.net/v5.0/ | 0% | Virustotal | - | Browse
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe | -
https://asgsmsproxyapi.azurewebsites.net/ | 0% | Virustotal | - | Browse
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe | -
https://ncus-000.contentsync. | 0% | URL Reputation | safe | -
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | Virustotal | - | Browse
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe | -
https://skyapi.live.net/Activity/ | 0% | Virustotal | - | Browse
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe | -
https://dataservice.o365filtering.com | 0% | Virustotal | - | Browse
https://dataservice.o365filtering.com | 0% | URL Reputation | safe | -
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | Virustotal | - | Browse
https://ovisualuiapp.azurewebsites.net/pbiagave/ | 0% | URL Reputation | safe | -
https://directory.services. | 0% | Virustotal | - | Browse
https://directory.services. | 0% | URL Reputation | safe | -
https://o365auditrealtimeingestion.manage.officeppe.com | 0% | Virustotal | - | Browse
https://o365auditrealtimeingestion.manage.officeppe.com | 0% | URL Reputation | safe | -
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Sigma Overview
No Sigma rule has matched
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Screenshots
Thumbnails
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Startup
System is w10x64
EXCEL.EXE (PID: 4740 cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding MD5: D672D26C85AEB9536B9736BF04054969)
cleanup
Created / dropped Files
File: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\E902EF0A-BB23-4BA1-8623-4FE5034304F7
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Size (bytes): 126077
Entropy (8bit): 5.377924869661677
Encrypted: false
MD5: D7DFB355940BAE05892633AE7FAC5971
SHA1: C24DBEB688E89BACACE27D1BB6577C8712735167
SHA-256: DC0612AE26244D985AF281CB5D5C95D37F6C5D7E348CC720945A240962900D42
SHA-512: 467A9CA5502335D5F02052638BDC93810C262D0CC2D17059EB45CE4E8492C18FF1BE239503BC7DB2DFB4232C9722B7B397A4A9A04BD6B16B7EDC875B00F5CAEA
Malicious: false
Reputation: low
Preview: ..

File: C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: XML 1.0 document, ASCII text, with very long lines, with no line terminators
Size (bytes): 411099
Entropy (8bit): 5.1045647507193435
Encrypted: false
MD5: 835F49596235A7C9C84839CDA139080D
SHA1: 29C3FC213E2F8AE44F643BB7C168F31AC86EF8AC
SHA-256: 41F8D0D0AFE29AF4B31C53FB83CE444DAFD6A0C58FA098351DA32026A805CCE3
SHA-512: A9AB12669E5203EE0FA205BD12A787D8C7AC4967AEA7E9DE7A56681998828DB8FB34641AAE2CD7554FA91241768708E99230BFC13EE9947FEC6C58109925C498
Malicious: false
Reputation: moderate, very likely benign file
Preview: (none)

File: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: SQLite 3.x database, last written using SQLite version 3019003
Size (bytes): 4096
Entropy (8bit): 0.09237477444559435
Encrypted: false
MD5: 1A9A28416CE9CCB568FC28191B8B1267
SHA1: 49BD37DCB1210C3DCDACE52393537FA0197EC14F
SHA-256: 9B8EC34DF5486C537505C5B582CD27519C114BE8EB58098E1C6F7DCCDF63C617
SHA-512: 516998D8F0639272541EF5DFE99EF0B73281F320CB6014AEDF96E5D415DA301CED8E1ADF38A7514D3279BE9B850A2C3F8D21A385C03F520351AAAF4FD693AABA
Malicious: false
Reputation: high, very likely benign file
Preview: SQLite format 3...... @ ......

File: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-journal
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Size (bytes): 524
Entropy (8bit): 0.27937671757176796
Encrypted: false
MD5: 488E6496275DD556C72CC590A086B6B5
SHA1: A17E2EC167B2F0112F2D92DA90D59F881637DEF0
SHA-256: 89B61CF6EC4C222A15CE5CE82DD75190BFC57F3109A12A9CAA8E1EEB50C96A82
SHA-512: B3D478094E40ED439270C94829D21E2947E6365976156429F85DC39E9D4FEEEBA7B7642EB334307BDC2984DDF4FE923650A726B7CB751B13B503DB44AC0DE1BB
Malicious: false
Reputation: low
Preview: ...... c.....

File: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: SQLite Write-Ahead Log, version 3007000
Size (bytes): 37112
Entropy (8bit): 0.4019329610171306
Encrypted: false
MD5: 71C515638C1C1F12683F3789577459D1
SHA1: 1006F0785280D5A1D42D8213F7B8BC8FA99C3C3F
SHA-256: 2EB3535DE6AD482B3BAAC25F9F941F98B90D7CA13017563C33F6389A8E689739
SHA-512: 4FD5E81567F79CEB5A99C25CE09CEEDB22F3794AC48C0A1BFFB951795B3D8D020C5FE5F4E8CFE24364A1B1208DB893A27BC6C839D37A448373AB94D70A015418
Malicious: false
Reputation: low
Preview: 7....-...... a.....A{ ...... a....g....-SQLite format 3...... @ ......

File: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: SQLite 3.x database, last written using SQLite version 3019003
Size (bytes): 61440
Entropy (8bit): 0.4540769983555709
Encrypted: false
MD5: 32D1BDE0A2376036B624ABA0057E6BB6
SHA1: 803521DA076A0C08FA0956E5C9C48BEB5FC3556E
SHA-256: 56E6BCF7D6AA627BC3D3CC9C08BBFF4A7F70E18809B7932FD9F8F41B2565D440
SHA-512: EFAB6875481DDFCD39509EB4AAD462810F05F4DA6D30BD5D4948CE02401C707E3672DD68E8738C165EEAE0D09E50AAD1B52A5CEB46B19AAA181A0F862B0C30EE
Malicious: false
Reputation: low
Preview: SQLite format 3...... @ ......

File: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session-journal
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Size (bytes): 44184
Entropy (8bit): 0.4756998030055597
Encrypted: false
MD5: BD1FC000C012E9727C6E7FC842D0EB60
SHA1: 741BBC999D63E7E1B02EE570DACA6B368AD267D4
SHA-256: ED64693A1729C0376EA6549325F44A5C84A379E6C5AAA5DB9785186D915915DD
SHA-512: 995346DC44C749DE45AC64E1F48A1D6719DAA9A20CC6AE14B2A09D420668BD8AF050A49D1C62D1FDC0FC57D636012B3571AB5810658D3B335CAC4D97ADF6BFF3
Malicious: false
Reputation: low
Preview: ...... (...... c...... V..U......

File: C:\Users\user\Desktop\~$Cancelled Loan After Disbursement Template .xlsx
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
File Type: data
Size (bytes): 165
Entropy (8bit): 1.4134958568691696
Encrypted: false
MD5: EC44A10D4853F1CFFE7BBDA771AEE4D8
SHA1: 895FCC3C3C58D771A8DBDB804D74B878AE167DE4
SHA-256: 269F81E30F3F32118FD912EFC6DDD81B27D197E4CA23D6FAD8BD7E9848FC37BE
SHA-512: AFC14523F0E2975749AC1DAA3CE3C68FE1CAADDC16AFE67042D605F6A61ED250E538457F458A4EE153334C9E1EA8F7C13A6CA8CA6B264A0BD373E60264F90482
Malicious: false
Reputation: moderate, very likely benign file
Preview: .user ..G.u.c.c.i......
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
Source for every row below: E902EF0A-BB23-4BA1-8623-4FE5034304F7.0.dr
Name | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | false | - | high
https://login.microsoftonline.com/ | false | - | high
https://shell.suite.office.com:1443 | false | - | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | false | - | high
https://cdn.entity. | false | URL Reputation: safe | unknown
https://wus2-000.contentsync. | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | false | - | high
https://powerlift.acompli.net | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | false | - | high
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | - | high
https://api.powerbi.com/v1.0/myorg/imports | false | - | high
https://cloudfiles.onenote.com/upload.aspx | false | - | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | false | - | high
https://entitlement.diagnosticssdf.office.com | false | - | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | false | - | high
https://api.aadrm.com/ | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | false | 0%, Virustotal, Browse; URL Reputation: safe | low
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | false | - | high
https://api.microsoftstream.com/api/ | false | - | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | false | - | high
https://cr.office.com | false | - | high
https://portal.office.com/account/?ref=ClientMeControl | false | - | high
https://ecs.office.com/config/v2/Office | false | - | high
https://graph.ppe.windows.net | false | - | high
https://res.getmicrosoftkey.com/api/redemptionevents | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://tasks.office.com | false | - | high
https://officeci.azurewebsites.net/api/ | false | 0%, Virustotal, Browse; URL Reputation: safe | low
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | false | - | high
https://store.office.cn/addinstemplate | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://wus2-000.pagecontentsync. | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | false | - | high
https://globaldisco.crm.dynamics.com | false | - | high
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | - | high
https://store.officeppe.com/addinstemplate | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://dev0-api.acompli.net/autodetect | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://www.odwebp.svc.ms | false | 0%, Virustotal, Browse; URL Reputation: safe | low
https://api.powerbi.com/v1.0/myorg/groups | false | - | high
https://web.microsoftstream.com/video/ | false | - | high
https://graph.windows.net | false | - | high
https://dataservice.o365filtering.com/ | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://officesetup.getmicrosoftkey.com | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | false | - | high
https://prod-global-autodetect.acompli.net/autodetect | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | false | - | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | false | - | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | false | - | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | false | - | high
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | false | - | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | false | - | high
weather.service.msn.com/data.aspx | false | - | high
https://apis.live.net/v5.0/ | false | 0%, Virustotal, Browse; URL Reputation: safe | low
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | false | - | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | false | - | high
https://management.azure.com | false | - | high
https://incidents.diagnostics.office.com | false | - | high
https://clients.config.office.net/user/v1.0/ios | false | - | high
https://insertmedia.bing.office.net/odc/insertmedia | false | - | high
https://outlook.office365.com/api/v1.0/me/Activities | false | - | high
https://incidents.diagnosticssdf.office.com | false | - | high
https://asgsmsproxyapi.azurewebsites.net/ | false | 0%, Virustotal, Browse; URL Reputation: safe | low
https://clients.config.office.net/user/v1.0/android/policies | false | - | high
https://entitlement.diagnostics.office.com | false | - | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | false | - | high
https://storage.live.com/clientlogs/uploadlocation | false | - | high
https://templatelogging.office.com/client/log | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | false | - | high
https://management.azure.com/ | false | - | high
https://ncus-000.contentsync. | false | URL Reputation: safe | unknown
https://login.windows.net/common/oauth2/authorize | false | - | high
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://graph.windows.net/ | false | - | high
https://devnull.onenote.com | false | - | high
https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json | false | - | high
https://messaging.office.com/ | false | - | high
https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing | false | - | high
https://skyapi.live.net/Activity/ | false | 0%, Virustotal, Browse; URL Reputation: safe | low
https://clients.config.office.net/user/v1.0/mac | false | - | high
https://dataservice.o365filtering.com | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://onedrive.live.com | false | - | high
https://ovisualuiapp.azurewebsites.net/pbiagave/ | false | 0%, Virustotal, Browse; URL Reputation: safe | low
https://visio.uservoice.com/forums/368202-visio-on-devices | false | - | high
https://directory.services. | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://login.windows-ppe.net/common/oauth2/authorize | false | - | high
https://loki.delve.office.com/api/v1/configuration/officewin32/ | false | - | high
https://onedrive.live.com/embed? | false | - | high
https://augloop.office.com | false | - | high
https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2 | false | - | high
https://clients.config.office.net/ | false | - | high
https://api.diagnostics.office.com | false | - | high
https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech | false | - | high
https://o365auditrealtimeingestion.manage.officeppe.com | false | 0%, Virustotal, Browse; URL Reputation: safe | unknown
https://settings.outlook.com | false | - | high
https://graph.ppe.windows.net/ | false | - | high
https://store.office.de/addinstemplate | false | - | high
https://api.powerbi.com/v1.0/myorg/datasets | false | - | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook | false | - | high
Contacted IPs
No contacted IP infos
Static File Info
General
File type: Microsoft Excel 2007+
Entropy (8bit): 6.9823426993317685
TrID: Excel Microsoft Office Open XML Format document (50504/1) 86.33%; ZIP compressed archive (8000/1) 13.67%
File name: Cancelled Loan After Disbursement Template .xlsx
File size: 18723
MD5: e3e85b1745d94d83cb99983212dfb76a
SHA1: f90b603b220b6025be6ab5713f51194d74cdd028
SHA256: a59a3588b0658a75296129b77bec4434d96be4703e6d0b7486bc968441a5a1ae
SHA512: 3320fd1668f1fb7aaf53f4e76cccba3201b20ec747e1dfe4b2a879e52a5f65b327312b4caa12f238435a73970fe350d8db88fe3db50a420b07180cfe15192753
SSDEEP: 384:GN+HpzMUlM9z5w5bnyiqkuq++CVXWO18ZUo4PanCMMv:JlMxN4byi+q+NdsPMv
File Content Preview: PK...... !...... [Content_Types].xml ...(......
File Icon
Icon Hash: 74ecd0d2d6d6d0dc
Network Behavior
UDP Packets
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 10, 2020 18:29:32.129136086 CEST | 56104 | 53 | 192.168.2.5 | 8.8.8.8
May 10, 2020 18:29:32.134649038 CEST | 62623 | 53 | 192.168.2.5 | 8.8.8.8
May 10, 2020 18:29:32.135162115 CEST | 59949 | 53 | 192.168.2.5 | 8.8.8.8
May 10, 2020 18:29:32.154603958 CEST | 53 | 56104 | 8.8.8.8 | 192.168.2.5
May 10, 2020 18:29:32.160042048 CEST | 53 | 62623 | 8.8.8.8 | 192.168.2.5
May 10, 2020 18:29:32.209296942 CEST | 53 | 59949 | 8.8.8.8 | 192.168.2.5
May 10, 2020 18:29:32.421013117 CEST | 61115 | 53 | 192.168.2.5 | 8.8.8.8
May 10, 2020 18:29:32.446408987 CEST | 53 | 61115 | 8.8.8.8 | 192.168.2.5
May 10, 2020 18:29:37.272969961 CEST | 57276 | 53 | 192.168.2.5 | 8.8.8.8
May 10, 2020 18:29:37.298470020 CEST | 53 | 57276 | 8.8.8.8 | 192.168.2.5
May 10, 2020 18:29:50.429301977 CEST | 54857 | 53 | 192.168.2.5 | 8.8.8.8
May 10, 2020 18:29:50.487627983 CEST | 53 | 54857 | 8.8.8.8 | 192.168.2.5
May 10, 2020 18:30:15.846215010 CEST | 55750 | 53 | 192.168.2.5 | 8.8.8.8
May 10, 2020 18:30:15.871555090 CEST | 53 | 55750 | 8.8.8.8 | 192.168.2.5
DNS Answers
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 10, 2020 18:29:32.154603958 CEST | 8.8.8.8 | 192.168.2.5 | 0xb364 | No error (0) | s-0001.config.skype.com | config-edge-skype-com.s-0001.s-msedge.net | - | CNAME (Canonical name) | IN (0x0001)
Code Manipulations
Statistics
System Behavior
Analysis Process: EXCEL.EXE PID: 4740 Parent PID: 696
General
Start time: 18:29:31
Start date: 10/05/2020
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0x240000
File size: 43854104 bytes
MD5 hash: D672D26C85AEB9536B9736BF04054969
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
File Activities
File Deleted
File Path | Completion | Count | Address | Symbol
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DA8E547A.tmp | success or wait | 1 | 647E12 | DeleteFileW
File Written
File Path | Offset | Length | Value | Ascii | Completion | Count | Address | Symbol
C:\Users\user\Desktop\~$Cancelled Loan After Disbursement Template .xlsx | unknown | 55 | 05 47 75 63 63 69 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 | .user | success or wait | 1 | 3E07DE | WriteFile
C:\Users\user\Desktop\~$Cancelled Loan After Disbursement Template .xlsx | unknown | 110 | 05 00 47 00 75 00 63 00 63 00 69 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 | ..G.u.c.c.i...... ...... ...... | success or wait | 1 | 3E0839 | WriteFile
Registry Activities
Key Created
Key Path | Completion | Count | Address | Symbol
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache | success or wait | 1 | 2D87BC | RegCreateKeyExW
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0 | success or wait | 1 | 2D87E4 | RegCreateKeyExW
Key Value Created
Key Path | Name | Type | Data | Completion | Count | Address | Symbol
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0 | MSForms | dword | 1 | success or wait | 1 | 2D8806 | RegSetValueExW
HKEY_CURRENT_USER\Software\Microsoft\Office\Common\ExdCache\Excel8.0 | MSComctlLib | dword | 1 | success or wait | 1 | 2D8806 | RegSetValueExW
Disassembly