ID: 446205
Sample Name: Open_Purchase_Order_Report_by_Supplier_-_ProReport_188165628308.xlsx
Cookbook: default.jbs
Time: 00:16:48
Date: 09/07/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents ... 2
Windows Analysis Report Open_Purchase_Order_Report_by_Supplier_-_ProReport_188165628308.xlsx ... 3
  Overview ... 3
    General Information ... 3
    Detection ... 3
    Signatures ... 3
    Classification ... 3
  Process Tree ... 3
  Malware Configuration ... 3
  Yara Overview ... 3
  Sigma Overview ... 3
  Jbx Signature Overview ... 3
  Mitre Att&ck Matrix ... 4
  Behavior Graph ... 4
  Screenshots ... 4
    Thumbnails ... 4
  Antivirus, Machine Learning and Genetic Malware Detection ... 5
    Initial Sample ... 5
    Dropped Files ... 5
    Unpacked PE Files ... 5
    Domains ... 5
    URLs ... 5
  Domains and IPs ... 7
    Contacted Domains ... 7
    URLs from Memory and Binaries ... 7
    Contacted IPs ... 7
  General Information ... 7
  Simulations ... 8
    Behavior and APIs ... 8
  Joe Sandbox View / Context ... 8
    IPs ... 8
    Domains ... 8
    ASN ... 8
    JA3 Fingerprints ... 8
    Dropped Files ... 8
  Created / dropped Files ... 8
  Static File Info ... 9
    General ... 9
    File Icon ... 10
  Network Behavior ... 10
    Network Port Distribution ... 10
    UDP Packets ... 10
  Code Manipulations ... 10
  Statistics ... 10
  System Behavior ... 10
    Analysis Process: EXCEL.EXE PID: 6512 Parent PID: 800 ... 10
      General ... 10
      File Activities ... 11
        File Written ... 11
      Registry Activities ... 11
        Key Created ... 11
        Key Value Created ... 11
  Disassembly ... 11

Copyright Joe Security LLC 2021 Page 2 of 11

Windows Analysis Report Open_Purchase_Order_Repo…rt_by_Supplier_-_ProReport_188165628308.xlsx

Overview

General Information

Sample Name: Open_Purchase_Order_Report_by_Supplier_-_ProReport_188165628308.xlsx
Analysis ID: 446205
MD5: e563a5801712b0…
SHA1: ffd4b318fc611a0…
SHA256: 8d76654df9af90b…
Infos:
Most interesting Screenshot:

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

No high impact signatures.

Classification

Classification wheel (figure, not reproduced). Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Legend: malicious, suspicious, clean.

Process Tree

System is w10x64
  EXCEL.EXE (PID: 6512, cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, MD5: 5D6638F2C8F8571C593999C58866007E)
  cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures.

Mitre Att&ck Matrix

Techniques listed per tactic; a technique followed by a number is one that matching signatures mapped to (the number is the count of matches).

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Masquerading 1; Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: File and Directory Discovery 1; System Information Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph

Behavior graph (figure, not reproduced).
ID: 446205
Sample: Open_Purchase_Order_Report_...
Startdate: 09/07/2021
Architecture: WINDOWS
Score: 0
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Delphi, Java, .Net C# or VB.NET, C / C++ or other language, Is malicious, Internet
Graph: started -> EXCEL.EXE (node counters shown: 24, 18)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source: Open_Purchase_Order_Report_by_Supplier_-_ProReport_188165628308.xlsx
Detection: 0%
Scanner: Virustotal
Label: (none)

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 446205
Start date: 09.07.2021
Start time: 00:16:48
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 24s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Open_Purchase_Order_Report_by_Supplier_-_ProReport_188165628308.xlsx
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.winXLSX@1/3@0/0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .xlsx
Warnings:

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DF5FED13-6206-44B6-A49A-77E22D0251FB
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 135209
Entropy (8bit): 5.363083433111712
Encrypted: false
SSDEEP: 1536:FcQIKNgeBTA3gBwlpQ9DQW+zoY34ZliKWXboOidX5E6LWME9:REQ9DQW+zwXO1
MD5: EB48CFFBDA6C16ACDE4C1490F0F4278E
SHA1: 5CF575CDEBACCB412D286844D136005F7533D2E3
SHA-256: 2A3C7316F1A11E1673F4A10F39F7B7BE03742678CF21CCD585DD3FFBB1B059D6
SHA-512: 99B06541304B2C0D5CDD9F4F97C82919D748ABC49EA628CD5DA3A49ED90FF70FCE2DBDD1EB629188D834A7CA50F32BE954ACBC0FDDCF21BCDC2E6E869B281EE0
Malicious: false
Reputation: low
Preview (excerpt, non-printable bytes dropped): Build: 16.0.14307.30526 --> https://rr.office.microsoft.com/research/query.asmx https://o15.officeredir.microsoft.com/r https://o15.officeredir.microsoft.com/r https://[MAX.BaseHost]/client/results https://[MAX.BaseHost]/client/results https://ocsa.office.microsoft.com/client/15/help/template

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7E1313EE.png
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: PNG image data, 1506 x 414, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 50555
Entropy (8bit): 7.9363749074197125
Encrypted: false
SSDEEP: 1536:FHvsTuC/rq74AE6eXrgcRAzGcgx1m9+8J:Jsvq7PeXkcGGHm9f
MD5: C1921442C63879A825574FB3FC1FCC6C
SHA1: E282B63E5CE214CE736720F1F0FC9011C660D1F1
SHA-256: 1126DC8BBB4E7B0D36726B1FB07ECF7AB5BAFD09DCD547B62EB97132BF9FE1D2
SHA-512: 3F5B4C4DE264AEFF381EC1683C0C888CA7B48CA0B1F34898D58B6B6DCEF4B617F46BC19D0EE0B159E4D31B677662D14E7D48102208CEDB94340221492C1B8482
Malicious: false
Reputation: low
Preview: binary PNG data (not reproduced)

C:\Users\user\Desktop\~$Open_Purchase_Order_Report_by_Supplier_-_ProReport_188165628308.xlsx
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.6081032063576088
Encrypted: false
SSDEEP: 3:RFXI6dtt:RJ1
MD5: 7AB76C81182111AC93ACF915CA8331D5
SHA1: 68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256: 6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512: A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious: false
Reputation: high, very likely benign file
Preview: .pratesh ..p.r.a.t.e.s.h......

Static File Info

General

File type: Zip archive data, at least v2.0 to extract
Entropy (8bit): 7.986997219266432
TrID: ZIP compressed archive (8000/1) 100.00%
File name: Open_Purchase_Order_Report_by_Supplier_-_ProReport_188165628308.xlsx
File size: 56881
MD5: e563a5801712b0ffb9272be04a46fa1d
SHA1: ffd4b318fc611a04c4160ef226fe9af61bdbf2f7
SHA256: 8d76654df9af90b2b1cea9a1981ba5bdc6b99692508984c25ca8b0f0b5af1288
SHA512: 3178a96c321864236975e8296c28391421bcebe9609b9ba539289e90e4ef61919580834a05f7dd32fd486375c8249ceb879516c3aee51d05bc3b1cf855ec0c1d
SSDEEP: 1536:h43xj4kc1d/yXDQytkx7OBgQODLSbYj0KEa5Tl2:Xk48X9ix7OBgLGYwKl552
File Content Preview: binary ZIP data; the first entry name visible in the header is xl/media/image1.png (remaining bytes not reproduced)

File Icon

Icon Hash: 74ecd0d2d6d6d0dc

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

System Behavior

Analysis Process: EXCEL.EXE PID: 6512 Parent PID: 800

General

Start time: 00:17:43
Start date: 09/07/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xd10000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

File Written

Registry Activities

Key Created

Key Value Created

Disassembly
