ID: 434272
Sample Name: HR_IT_Training_Learning_Sample.xlsx
Cookbook: defaultwindowsofficecookbook.jbs
Time: 17:10:12
Date: 14/06/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents ... 2
Windows Analysis Report HR_IT_Training_Learning_Sample.xlsx ... 3
Overview ... 3
General Information ... 3
Detection ... 3
Signatures ... 3
Classification ... 3
Process Tree ... 3
Malware Configuration ... 3
Yara Overview ... 3
Sigma Overview ... 3
Signature Overview ... 3
Mitre Att&ck Matrix ... 4
Behavior Graph ... 4
Screenshots ... 4
Thumbnails ... 4
Antivirus, Machine Learning and Genetic Malware Detection ... 5
Initial Sample ... 5
Dropped Files ... 5
Unpacked PE Files ... 5
Domains ... 5
URLs ... 5
Domains and IPs ... 7
Contacted Domains ... 7
URLs from Memory and Binaries ... 7
Contacted IPs ... 7
General Information ... 7
Simulations ... 8
Behavior and APIs ... 8
Joe Sandbox View / Context ... 8
IPs ... 8
Domains ... 8
ASN ... 8
JA3 Fingerprints ... 8
Dropped Files ... 8
Created / dropped Files ... 8
Static File Info ... 9
General ... 9
File Icon ... 10
Network Behavior ... 10
Network Port Distribution ... 10
UDP Packets ... 10
Code Manipulations ... 10
Statistics ... 10
System Behavior ... 10
Analysis Process: EXCEL.EXE PID: 7036 Parent PID: 800 ... 10
General ... 10
File Activities ... 10
File Deleted ... 10
File Written ... 10
Registry Activities ... 10
Key Created ... 10
Key Value Created ... 10
Disassembly ... 11

Copyright Joe Security LLC 2021 Page 2 of 11

Windows Analysis Report HR_IT_Training_Learning_Sample.xlsx

Overview

General Information

Sample Name: HR_IT_Training_Learning_Sample.xlsx
Analysis ID: 434272
MD5: 555d9445299aa4…
SHA1: 2648ab606e65f98…
SHA256: 9a07882f9733681…
Tags: xlsx
Most interesting Screenshot: (image not reproduced in this extraction)

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

No high impact signatures.

Classification

Classification chart (figure): verdict scale clean / suspicious / malicious; category axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware.

Process Tree

System is w10x64
EXCEL.EXE (PID: 7036, cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, MD5: 5D6638F2C8F8571C593999C58866007E)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Mitre Att&ck Matrix

Each tactic column of the matrix, with its first-row and second-row techniques:

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Masquerading 1; Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: File and Directory Discovery 1; System Information Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph

Behavior graph (figure): ID 434272, Sample HR_IT_Training_Learning_Sample.xlsx, Startdate 14/06/2021, Architecture WINDOWS, Score 0. Single process node: EXCEL.EXE (node counters: 34 23).

Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, started, Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Contacted IPs

No contacted IP info

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 434272
Start date: 14.06.2021
Start time: 17:10:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 1s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: HR_IT_Training_Learning_Sample.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.winXLSX@1/3@0/0

Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .xlsx; Found Word or Excel or PowerPoint or XPS Viewer; Attach to Office via COM; Scroll down; Close Viewer

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\9F9F42D7-EA59-403D-B4E4-2584768A9362
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 134919
Entropy (8bit): 5.368807623156953
Encrypted: false
SSDEEP: 1536:lcQIKNEeBXA3gBwlpQ9DQW+z7534ZliKWXboOilX5E6LWME9:REQ9DQW+ziXO1
MD5: 1B21C90C02524DA0835FC3E19E0247B6
SHA1: B7324D5585B419072656AD4882A65500D2F89B9E
SHA-256: 4A356D72E1E7A96EB58D8F60C9ACBE9858CDA012A04C00D3BEAE37E865FF893C
SHA-512: F9EEE3CA239D9F1B309D3BCD8E022D27F563C25F78CB0108990F92FCE3566D82E68AA92FA2535FFF321C6082AA163D0AAA80D2E808FF8B84641264B7C63036A3
Malicious: false
Reputation: low
Preview: .... .. Build: 16.0.14209.30527-->.. .. .. .. .. https://rr.office.microsoft.com/research/query.asmx.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://o15.officeredir.microsoft.com/r.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://[MAX.BaseHost]/client/results.. .. .. https://ocsa.office.microsoft.com/client/15/help/template.. ..

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: Little-endian UTF-16 Unicode text, with CR line terminators
Category: dropped
Size (bytes): 22
Entropy (8bit): 2.9808259362290785
Encrypted: false
SSDEEP: 3:QAlX0Gn:QKn
MD5: 7962B839183642D3CDC2F9CEBDBF85CE
SHA1: 2BE8F6F309962ED367866F6E70668508BC814C2D
SHA-256: 5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
SHA-512: 2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
Malicious: false
Reputation: high, very likely benign file
Preview: ....p.r.a.t.e.s.h.....

C:\Users\user\Desktop\~$HR_IT_Training_Learning_Sample.xlsx
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 165
Entropy (8bit): 1.6081032063576088
Encrypted: false
SSDEEP: 3:RFXI6dtt:RJ1
MD5: 7AB76C81182111AC93ACF915CA8331D5
SHA1: 68B94B5D4C83A6FB415C8026AF61F3F8745E2559
SHA-256: 6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
SHA-512: A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
Malicious: false
Reputation: high, very likely benign file
Preview: .pratesh ..p.r.a.t.e.s.h......

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.817378051971609
TrID: Excel Microsoft Office Open XML Format document (40004/1) 83.33%; ZIP compressed archive (8000/1) 16.67%
File name: HR_IT_Training_Learning_Sample.xlsx
File size: 37660
MD5: 555d9445299aa481cbcd7302e9e22aa3
SHA1: 2648ab606e65f9883c840415c2d0b523cb20c14b
SHA256: 9a07882f9733681a9ab15b65123c621f3d0c6f5c2ab06829e595b77dff1dad93
SHA512: e4ee61bcc5c96f38dd649f53d86f4f7f42441b3693c0d8d4cdee1bbe6792a0cfbc1943da7bb147094f1a970eb08307037abe1c09b2f9348b32ab2ddc4d1b4a08
SSDEEP: 768:O5l1J2BPP84E7tY63497TMjmblQs2RF319VU8av2HUGDF7eBpw1:O5Z2nW3497TXQswI8avmQw1
File Content Preview: PK...... !.q.9+p...... [Content_Types].xml ...(......

File Icon

Icon Hash: 74ecd0d2d6d6d0dc

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

System Behavior

Analysis Process: EXCEL.EXE PID: 7036 Parent PID: 800

General

Start time: 17:11:11
Start date: 14/06/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xfd0000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

File Deleted

File Written

Registry Activities

Key Created

Key Value Created

Disassembly
