ID: 441325
Sample Name: 5101_06282021_REQ_PLANNER 0_MISC.xls
Cookbook: defaultwindowsofficecookbook.jbs
Time: 17:12:52
Date: 28/06/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents ... 2
Windows Analysis Report 5101_06282021_REQ_PLANNER 0_MISC.xls ... 3
Overview ... 3
General Information ... 3
Detection ... 3
Signatures ... 3
Classification ... 3
Process Tree ... 3
Malware Configuration ... 3
Yara Overview ... 3
Sigma Overview ... 3
Signature Overview ... 3
Mitre Att&ck Matrix ... 4
Behavior Graph ... 4
Screenshots ... 4
Thumbnails ... 4
Antivirus, Machine Learning and Genetic Malware Detection ... 5
Initial Sample ... 5
Dropped Files ... 5
Unpacked PE Files ... 5
Domains ... 5
URLs ... 5
Domains and IPs ... 7
Contacted Domains ... 7
URLs from Memory and Binaries ... 7
Contacted IPs ... 7
General Information ... 7
Simulations ... 8
Behavior and APIs ... 8
Joe Sandbox View / Context ... 8
IPs ... 8
Domains ... 8
ASN ... 8
JA3 Fingerprints ... 8
Dropped Files ... 8
Created / dropped Files ... 8
Static File Info ... 9
General ... 9
File Icon ... 9
Network Behavior ... 9
Network Port Distribution ... 9
UDP Packets ... 10
Code Manipulations ... 10
Statistics ... 10
System Behavior ... 10
Analysis Process: EXCEL.EXE PID: 4424 Parent PID: 792 ... 10
General ... 10
File Activities ... 10
Registry Activities ... 10
Key Created ... 10
Key Value Created ... 10
Disassembly ... 10

Copyright Joe Security LLC 2021 Page 2 of 10

Windows Analysis Report 5101_06282021_REQ_PLANN…ER 0_MISC.xls

Overview

General Information

Sample Name: 5101_06282021_REQ_PLANNER 0_MISC.xls
Analysis ID: 441325
MD5: 11aff487dcbd7df…
SHA1: 08e9b1c77f3653e…
SHA256: e99b4d5df922cc6…
Most interesting Screenshot: (image, not reproduced)

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%
(detection scale: malicious / suspicious / clean)

Signatures

No high impact signatures.

Classification

(classification chart; categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware)

Process Tree

System is w10x64
EXCEL.EXE (PID: 4424, cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, MD5: 5D6638F2C8F8571C593999C58866007E)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

There are no malicious signatures.

Mitre Att&ck Matrix

Techniques per tactic (the number after a technique is the count of matched signatures):

Initial Access: Valid Accounts; Default Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job
Persistence: Path Interception; Boot or Logon Initialization Scripts
Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts
Defense Evasion: Masquerading 1; Rootkit
Credential Access: OS Credential Dumping; LSASS Memory
Discovery: File and Directory Discovery 1; System Information Discovery 1
Lateral Movement: Remote Services; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth
Command and Control: Data Obfuscation; Junk Data
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization
Impact: Modify System Partition; Device Lockout

Behavior Graph

(behavior graph; ID: 441325; Sample: 5101_06282021_REQ_PLANNER 0...; Startdate: 28/06/2021; Architecture: WINDOWS; Score: 0)
Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet
Graph nodes: started -> EXCEL.EXE (29, 24)

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs


Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 32.0.0 Black Diamond
Analysis ID: 441325
Start date: 28.06.2021
Start time: 17:12:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 46s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: 5101_06282021_REQ_PLANNER 0_MISC.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of analysed new started processes analysed: 27
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.winXLS@1/1@0/0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .xls; Found Word or Excel or PowerPoint or XPS Viewer; Attach to Office via COM; Scroll down; Close Viewer

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\1775BB8B-7762-4420-809B-1B2989C0DF44
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 135189
Entropy (8bit): 5.363305102448308
Encrypted: false
SSDEEP: 1536:scQIKNgeBTA3gBwlpQ9DQW+z7Y34ZliKWXboOidX5E6LWME9:+EQ9DQW+zvXO1
MD5: 3633202781951A047502585B64072D4E
SHA1: 3DE818DFFB87550E8FC137B3D018130D08FEE4F9
SHA-256: 4CD0B03D422E8A14CF2E936BBC932F63750FC3FD0F789C54057AFC68EBB0F045
SHA-512: 4E5D42C28AE02298926F18EB23F725258B215141B270C3A4CBB5E2A248187E9A73CBB234A5DABBE79840C9E0A9ABBEAB6E682104BC7B32F2E5EB1CECBB5C4998
Malicious: false
Reputation: low
Preview (recoverable strings): Build: 16.0.14223.30528; https://rr.office.microsoft.com/research/query.asmx; https://o15.officeredir.microsoft.com/r; https://[MAX.BaseHost]/client/results; https://ocsa.office.microsoft.com/client/15/help/template

Static File Info

General

File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: MIS, Last Saved By: Macklin, Colleen, Name of Creating Application: Microsoft Excel, Last Printed: Mon Jun 29 16:43:36 2020, Create Time/Date: Fri Nov 3 14:25:15 2006, Last Saved Time/Date: Mon Jun 28 15:34:18 2021, Security: 0
Entropy (8bit): 3.762881104870982
TrID: Microsoft Excel sheet (30009/1) 78.94%; Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name: 5101_06282021_REQ_PLANNER 0_MISC.xls
File size: 2448384
MD5: 11aff487dcbd7df2d783ab3b570420dc
SHA1: 08e9b1c77f3653eff7299df82674c8067ebfb08b
SHA256: e99b4d5df922cc69aee421cf3b8b29910fa00df5b689c2f7a02d51c1bc7918dd
SHA512: 525bf215e7a81fca3504945a063a4ff12bd1ddf139729d36cb05ca14eecc44733cc70a73cb3ec74b5fb5273e34ab45016769122e58765b30074ba2bd2d35eb4b
SSDEEP: 12288:toNnMUUItUvlusXFNxj9eT8BmlMIyy7VEHnVlib8:KMIUtu4FFo8wl75Euw
File Content Preview: (binary, not reproduced)

File Icon

Icon Hash: 74ecd4c6c3c6c4d8

Network Behavior

Network Port Distribution

UDP Packets

Code Manipulations

Statistics

System Behavior

Analysis Process: EXCEL.EXE PID: 4424 Parent PID: 792

General

Start time: 17:13:54
Start date: 28/06/2021
Path: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Imagebase: 0xe90000
File size: 27110184 bytes
MD5 hash: 5D6638F2C8F8571C593999C58866007E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Registry Activities

Key Created

Key Value Created

Disassembly
