ID: 92618 Sample Name: n.xlsx Cookbook: defaultwindowsofficecookbook.jbs Time: 12:02:06 Date: 22/11/2018 Version: 24.0.0 Fire Opal

Table of Contents

Table of Contents ... 2
Analysis Report n.xlsx ... 3
Overview ... 3
General Information ... 3
Detection ... 3
Confidence ... 3
Classification ... 4
Analysis Advice ... 4
Mitre Att&ck Matrix ... 5
Signature Overview ... 5
Networking: ... 5
Spam, unwanted Advertisements and Ransom Demands: ... 5
System Summary: ... 5
Hooking and other Techniques for Hiding and Protection: ... 5
Behavior Graph ... 5
Simulations ... 6
Behavior and APIs ... 6
Antivirus Detection ... 6
Initial Sample ... 6
Dropped Files ... 6
Unpacked PE Files ... 6
Domains ... 6
URLs ... 6
Yara Overview ... 7
Initial Sample ... 7
PCAP (Network Traffic) ... 7
Dropped Files ... 7
Memory Dumps ... 7
Unpacked PEs ... 7
Joe Sandbox View / Context ... 7
IPs ... 7
Domains ... 7
ASN ... 7
Dropped Files ... 8
Screenshots ... 8
Thumbnails ... 8
Startup ... 8
Created / dropped Files ... 8
Domains and IPs ... 11
Contacted Domains ... 11
URLs from Memory and Binaries ... 11
Contacted IPs ... 14
Static File Info ... 14
General ... 14
File Icon ... 15
Network Behavior ... 15
Code Manipulations ... 15
Statistics ... 15
System Behavior ... 15
Analysis Process: EXCEL.EXE PID: 3284 Parent PID: 3072 ... 15
General ... 15
File Activities ... 15
File Deleted ... 16
File Written ... 16
Registry Activities ... 16
Disassembly ... 16

Copyright Joe Security LLC 2018 Page 2 of 16

Analysis Report n.xlsx

Overview

General Information

Joe Sandbox Version: 24.0.0 Fire Opal
Analysis ID: 92618
Start date: 22.11.2018
Start time: 12:02:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 2m 28s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: n.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: EGA enabled; HDC enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus20.rans.winXLSX@1/12@0/0
Cookbook Comments: Adjust boot time; Found application associated with file extension: .xlsx; Found Word or Excel or PowerPoint or XPS Viewer; Simulate clicks; Number of clicks 76; Scroll down; Close Viewer
Warnings: Exclude process from analysis (whitelisted): dllhost.exe

Detection

Strategy: Threshold
Score: 20
Range: 0 - 100
Reporting: Report FP / FN

Confidence

Strategy: Threshold
Score: 2
Range: 0 - 5
Further Analysis Required?: true

Classification

[Classification chart (figure): axes Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale levels clean / suspicious / malicious.]

Analysis Advice

No malicious behavior found; analyze the document also on other versions of Office / Acrobat

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation may likely extend behavior

Sample might require command line arguments; analyze it with the command line cookbook

Mitre Att&ck Matrix

Initial Access: Valid Accounts
Execution: Windows Remote Management
Persistence: Winlogon Helper DLL
Privilege Escalation: Port Monitors
Defense Evasion: File System Logical Offsets
Credential Access: Credential Dumping
Discovery: System Information Discovery 1
Lateral Movement: Application Deployment Software
Collection: Data from Local System
Exfiltration: Data Compressed
Command and Control: Data Obfuscation

Signature Overview

• Networking
• Spam, unwanted Advertisements and Ransom Demands
• System Summary
• Hooking and other Techniques for Hiding and Protection

Networking:

Found strings which match to known social media urls

Urls found in memory or binary data

Spam, unwanted Advertisements and Ransom Demands:

May drop file containing decryption instructions (likely related to )

System Summary:

Classification label

Creates files inside the user directory

Creates temporary files

Reads ini files

Found graphical window changes (likely an installer)

Document is a ZIP file with path names indicative of goodware

Checks if Microsoft Office is installed

Uses new MSVCR Dlls

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)

Behavior Graph

[Behavior graph (figure): ID 92618, Sample n.xlsx, Startdate 22/11/2018, Architecture WINDOWS, Score 20. One process node, EXCEL.EXE (started), showing the counters 40 and 23 for created files / created registry values, linked to the signature "May drop file containing decryption instructions (likely related to ransomware)". Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Is malicious; language markers Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language.]

Simulations

Behavior and APIs

Time: 12:02:42
Type: API Interceptor
Description: 3x Sleep call for process: EXCEL.EXE modified

Antivirus Detection

Initial Sample

Source: n.xlsx
Detection: 0%
Scanner: virustotal
Label: (none)
Link: Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source (Detection, Scanner, Label / Link):

www.nyxbone.com/malware/brazilianRansom.html: 0%, virustotal, Browse; 0%, Avira URL Cloud, safe
www.nyxbone.com/malware/RemindMe.html: 1%, virustotal, Browse; 0%, Avira URL Cloud, safe
bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html: 0%, Avira URL Cloud, safe
www.nyxbone.com/malware/Strictor.html: 0%, virustotal, Browse; 0%, Avira URL Cloud, safe
www.nyxbone.com/malware/7ev3n-HONE$T.html;: 0%, virustotal, Browse; 0%, Avira URL Cloud, safe
www.nyxbone.com/malware/CryptoMix.html: 2%, virustotal, Browse; 0%, Avira URL Cloud, safe
https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate: 0%, virustotal, Browse; 0%, Avira URL Cloud, safe
nyxbone.com/malware/BlackShades.html: 0%, virustotal, Browse; 0%, Avira URL Cloud, safe
www.nyxbone.com/malware/koreanRansom.html: 2%, virustotal, Browse; 0%, Avira URL Cloud, safe
https://reaqta.com/2016/06/raa-ransomware-delivering-pony/: 0%, virustotal, Browse; 0%, Avira URL Cloud, safe
nyxbone.com/malware/SNSLocker.html: 0%, virustotal, Browse; 0%, Avira URL Cloud, safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7

EXCEL.EXE (PID: 3284, cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde, MD5: 716335EDBB91DA84FC102425BFDA957E)

cleanup

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Excel\n307042103985578688\n((Autosaved-307042191330272160)).xlsb
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Excel 2007+
Size (bytes): 78223
Entropy (8bit): 7.923956211832512
Encrypted: false
MD5: 76B52E7BC924F0A39CD1A978D7183DDC
SHA1: 1AD9CB4742681F6F829C51C4A039D517F790FA09
SHA-256: E3CABC27DD6CFE997B5A2B911F0D68557DFF81FC9C01126A96E50774D3F6E196
SHA-512: 60995728907BC023388E76DC118B746D3D6B78AE3B58C61AD4A662320DC166F0D03EDFBAA04EA67FCC15F3CCC7A19E685BD4CC42F26A7F5FCDCC3EA720A35A5D
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Excel\n307042103985578688\n((Autosaved-307042191355909024)).xlsb
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Excel 2007+
Size (bytes): 78230
Entropy (8bit): 7.92393574284663
Encrypted: false
MD5: 739510D6E361C4DA1978E9D4AB41A026
SHA1: D713A30A5744374A3F817ED2DC80867E075E8C7F
SHA-256: AFCB62F4BF442544840E5B880F71D902067943D72BA3AF5EA655303394929447
SHA-512: 2C648C121D2DBA450A9289942FEF19130EEA7C2C0E6AAD23E194FDB1A54AA3E9C6E42D518251B463AF8A50FF858AFF5E182B1D565BA3301254732BE1F3D171F4
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Excel\n307042103985578688\n((Autosaved-307042191371431344)).xlsb
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Excel 2007+
Size (bytes): 78233
Entropy (8bit): 7.924019259545063
Encrypted: false
MD5: 2B353CF6598ED729F5ABAE0C1A2777F8
SHA1: 4D7338DEC605D3AA47C14F3073A7CD3B7BD692EC
SHA-256: 72C6876B82B5116F7D925EB57FA37C7E19B4D7F1184FBEDE479DDA1CD40482B4
SHA-512: 896C2CDAAE969389B582752DF247C27270A23AE36E2C36448EDD36B9348CC2C46B5F6B793FBCD20F28691A6302D4BA50B2A034E850BE09FF70C6A476F7696101
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Excel\n307042103985578688\n((Autosaved-307042191383849200)).xlsb
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Microsoft Excel 2007+
Size (bytes): 78233
Entropy (8bit): 7.92390093829244
Encrypted: false
MD5: 08113A57C2F5EBF268A3EC1DCF040A6C
SHA1: 075B88360F842BD856BCE892AFD9E283C751AA24
SHA-256: EDCE3913AF8C2580B7CEE43D884CF368507A3302347380DD9CFD5F687558F866
SHA-512: 1A50D68BD8F9744D69029389AF4C0C7142C901CB8DAD18310DA3E69BB1AFAFD25B2DEA1E819D070914E72A212FCF5CF8D26F21E4741B4D09A35F8EDDAB294C71
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Excel\n307042103985578688\n.xlsx.lnk
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Archive, ctime=Sun Sep 24 12:59:28 2017, mtime=Sun Sep 24 12:59:28 2017, atime=Thu Nov 22 10:02:39 2018, length=70277, window=hide
Size (bytes): 521
Entropy (8bit): 4.668210103559367
Encrypted: false
MD5: FF1BC8E0569A30133894F04AF29D3B86
SHA1: 7E7B2207CAE165065CC8CF5195075C4C59F4C069
SHA-256: 9EBFDB9AA7BB009922C1BC6BE9FB51A42991FB60B8EF29846F9CD609F9D50F35
SHA-512: FA4D5A3CD6518FF8101489012895604CE5D82E8D6573B8D9A9C798EC765A73AA8B610F888A95156AEDF5486D74F67AA11501B16423918F03BE38E9C3AC102C92
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Excel\~ar17D0.xar
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Size (bytes): 78223
Entropy (8bit): 7.923956211832512
Encrypted: false
MD5: 9B74BE8DF96EEC2BE3200AFB39023DF7
SHA1: C975BB0895B2F2C0C8D20A75211E0FB3983FD83C
SHA-256: C0A1EDF93BAA6B021C8CDCBA32235BDD7CDF0E5ED641F2938978A5EA01B9F0A0
SHA-512: E15E8DED6D2F77E786139033628CC04030F94E6E7B1E38EE2BA9F2A55C75820E6336EFC44FA2E4933242AF10E4D9F207ACB73A4BC4B65E4E1FF281A8DE8B89DD
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Excel\~ar3885.xar
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Size (bytes): 78230
Entropy (8bit): 7.92393574284663
Encrypted: false
MD5: 54870164147197A0D165B044CB67F35A
SHA1: B9998D10D9F27B4F0D6DD7B10CC11BD96F4424DE
SHA-256: 04D15FF46B3C3A1BC51208F5B8C4CF75D93F47DA0EFEBD41D9ECD3812F3C9C89
SHA-512: 9B7A214A966947C64E84F568E1B5C05717F9BCBF377BBA9C58B8F148F01B2F72AB6D248ACA3F00CD4CB941DEBCA2CDE046AE0CE672C46AF975ACBDC6153DCC8E
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Excel\~ar4BAE.xar
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Size (bytes): 78233
Entropy (8bit): 7.924019259545063
Encrypted: false
MD5: BBAC9B73F568A28E6E65E5C787BCBD53
SHA1: 587F1EBE6C772F8E5943F26CAEA3414154A0AB64
SHA-256: 5EB0ACCBD6C9D56876C71B0C5EA5E0FEA354A3938D1041281C570643FED601EB
SHA-512: DC1782E82611DCAD51FD060AB2B5EA9BE738E8B3608EF0F8BADF296394B7B77B595B83F74197F600E90EEB8FA7B4266C368C9CD97A93F09EFEE8F8470501B8BF
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Excel\~ar5CCC.xar
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Size (bytes): 78233
Entropy (8bit): 7.92390093829244
Encrypted: false
MD5: D20E5693335AA3FF0AA64993443D0AED
SHA1: 5B92019B2992B3468268C1E19DEC4A7B256AD5A1
SHA-256: FF10264D7AED412816F2D4AEDAAF5B7D13D1795F867894B44E64EB6988912137
SHA-512: 5DD9F56329D2F7D09DCC0F052DE9103B240ACA6574790ECE8451AC25FCAB8A4DB0673D86C9D3E9738B091A0861488A361C01E1C71AC30751530297536FB9CEFD
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: ASCII text, with CRLF line terminators
Size (bytes): 43
Entropy (8bit): 3.83316025553889
Encrypted: false
MD5: 012F7A17DA968E544FC6D3471F28287A
SHA1: 016F4773E2D7AFFCB132E261847983C99EA86497
SHA-256: D414DD05BC98F94253DD98D99061FCEECDE4F056980A98561BBAD79D0765BC18
SHA-512: EDD11035A1E9941203650BA2CD8808A52235976A01970ED2058A97C0ACAD010974F1003265A16746D1CBECB0FFBB455BC7EE503734FA72DA2B16EE355CFB2CF3
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\n.LNK
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Sep 24 12:59:28 2017, mtime=Sun Sep 24 12:59:28 2017, atime=Thu Nov 22 10:02:39 2018, length=70277, window=hide
Size (bytes): 2006
Entropy (8bit): 4.547536525987582
Encrypted: false
MD5: 765BE824512E64E51F34C91E378CD70C
SHA1: 49A13641D958F28A63D7AC403E3E43FB121D74C5
SHA-256: 46A83DC78C2B5AAC12C859975D96C3927423633A3F7723B8DE795E81B29154E5
SHA-512: 19CC96203F099B10BC5750DE7F9849176D321F25D029C798E7408F7C7B9420CEAA8DC02FD38C5D301C76364A28EC01094DDBDA3D0AB89D65C6E9E74DB55B9EFA
Malicious: false
Reputation: low

C:\Users\user\Desktop\~$n.xlsx
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Size (bytes): 165
Entropy (8bit): 2.061509798351639
Encrypted: false
MD5: 3DB57C825E10B373BE838EB89784C950
SHA1: 016B7A62E5D5A234CB3D654A4CDD02F8EAA8BEE0
SHA-256: 1C6801A064A0D077FD545EE311F68B65E7F2900C0C0E93A2AA64918AE31BC444
SHA-512: 2AB92D7DAD022614DE5FDAD6378EE2D3E4796AFCC98DA3C6D96A475A1EE4773DB9DCB687B6A651EF9EC2201B688ED2F0557A92DCDC5B7CA86F9B966A82A1C563
Malicious: false
Reputation: moderate, very likely benign file

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Columns: Name, Source, Malicious, Antivirus Detection, Reputation. Every entry below has Source sharedStrings.xml and Malicious false; Reputation is high unless noted, and Antivirus Detection is given in parentheses where the report lists one.

www.nyxbone.com/malware/brazilianRansom.html (0%, virustotal, Browse; Avira URL Cloud: safe) - low
https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distribu
https://twitter.com/struppigel/status/791639214152617985
https://twitter.com/JakubKroustek/status/757267550346641408
https://twitter.com/struppigel/status/791557636164558848
https://twitter.com/JakubKroustek/status/804009831518572544
https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/
https://www.bleepingcomputer.com/news/security/star-trek-themed-kirk-ransomware-brings-us--and
https://twitter.com/jiriatvirlab/status/808015275367002113
https://twitter.com/BleepinComputer/status/803288396814839808
https://twitter.com/struppigel/status/801812325657440256
https://twitter.com/BroadAnalysis/status/845688819533930497
https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware
www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decr
www.nyxbone.com/malware/RemindMe.html (1%, virustotal, Browse; Avira URL Cloud: safe) - low
bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html (Avira URL Cloud: safe) - low
https://twitter.com/demonslay335/status/839221457360195589
https://cdn.streamable.com/video/mp4/kfh3.mp4
www.nyxbone.com/malware/Strictor.html (0%, virustotal, Browse; Avira URL Cloud: safe) - low
https://twitter.com/rommeljoven17/status/846973265650335744
https://www.bleepingcomputer.com/forums/t/627582/unblockupc-ransomware-help-support-topic-files-encr
https://github.com/aaaddress1/my-Little-Ransomware
https://twitter.com/JAMESWT_MHT/status/834783231476166657
https://twitter.com/struppigel/status/842047409446387714
https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-w
https://twitter.com/malwrhunterteam/status/836995570384453632
https://twitter.com/fwosar/status/803682662481174528
www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/
www.nyxbone.com/malware/7ev3n-HONE$T.html; (0%, virustotal, Browse; Avira URL Cloud: safe) - low
https://twitter.com/malwrhunterteam/status/839467168760725508
https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2
https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker
https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslock
https://twitter.com/benkow_/status/747813034006020096
www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomwar
www.nyxbone.com/malware/CryptoMix.html (2%, virustotal, Browse; Avira URL Cloud: safe) - low
https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate (0%, virustotal, Browse; Avira URL Cloud: safe) - unknown
https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-files-but-also-stea
nyxbone.com/malware/BlackShades.html (0%, virustotal, Browse; Avira URL Cloud: safe) - low
www.pandasecurity.com/mediacenter/panda-security/cryptobit/
https://twitter.com/siri_urz/status/842452104279134209
https://twitter.com/struppigel/status/795630452128227333
blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/
https://twitter.com/malwrhunterteam/status/845183290873044994
https://twitter.com/jiriatvirlab/status/825411602535088129
www.bleepingcomputer.com/news/security/eviltwins-exotic-ransomware-targets-executable-files/
https://twitter.com/demonslay335/status/746090483722686465
https://twitter.com/demonslay335/status/796134264744083460
https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/
https://twitter.com/JakubKroustek/status/757873976047697920
www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-
www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modifications
https://twitter.com/demonslay335/status/790334746488365057
www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-st
www.bleepingcomputer.com/forums/t/617395/dedcryptor-ded-help-support-topic/
https://twitter.com/malwrhunterteam/status/811613888705859586
https://twitter.com/struppigel/status/807169774098796544
https://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal-notice-before-user
www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own
https://twitter.com/malwrhunterteam/status/846705481741733892
https://twitter.com/BleepinComputer/status/817851339078336513
https://twitter.com/struppigel/status/810766686005719040
https://twitter.com/CryptoInsane/status/846181140025282561
https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/
phishme.com/rockloader-downloading-new-ransomware-bart/
www.nyxbone.com/malware/koreanRansom.html (2%, virustotal, Browse; Avira URL Cloud: safe) - low
news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-50866
https://twitter.com/JakubKroustek/status/825790584971472902
https://www.bleepingcomputer.com/forums/t/648384/lockcrypt-lock-support-topic-readmetxt/
https://twitter.com/PolarToffee/status/796079699478900736
https://reaqta.com/2016/06/raa-ransomware-delivering-pony/ (0%, virustotal, Browse; Avira URL Cloud: safe) - unknown
https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-t
www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cer
https://twitter.com/JakubKroustek/status/760560147131408384
https://twitter.com/struppigel/status/828902907668000770
https://twitter.com/JakubKroustek/status/799388289337671680
https://twitter.com/malwrhunterteam/status/830116190873849856
https://twitter.com/struppigel/status/791554654664552448
https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-b
https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/
https://twitter.com/malwrhunterteam/status/841747002438361089
https://twitter.com/struppigel/status/847689644854595584
https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a
https://twitter.com/malwrhunterteam/status/842781575410597894
https://twitter.com/PolarToffee/status/811249250285842432
https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-l
https://twitter.com/BleepinComputer/status/817069320937345024
nyxbone.com/malware/SNSLocker.html (0%, virustotal, Browse; Avira URL Cloud: safe) - low
https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomwa
https://twitter.com/malwrhunterteam/status/798268218364358656
https://twitter.com/malwrhunterteam/status/844826339186135040
https://www.bleepingcomputer.com/news/security/xdata-ransomware-on-a-rampage-in-ukraine/#.WR-iz69z-M
www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/
https://twitter.com/drProct0r/status/810500976415281154
https://twitter.com/malwrhunterteam/status/817648547231371264
https://twitter.com/demonslay335/status/806878803507101696
https://twitter.com/struppigel/status/807161652663742465
https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-d
https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe
https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code

Contacted IPs

No contacted IP infos

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.912488458981032
TrID: Excel Microsoft Office Open XML Format document (50504/1) 92.65%; ZIP compressed archive (4004/1) 7.35%
File name: n.xlsx
File size: 70277
MD5: b56a8af4ed66a6a05afe4a350960e894
SHA1: a6a4f975bc9ec01956d3d756cb4b195f8eaa85ed
SHA256: 43f1f6a408332850a846e21ecabc111b035967d3f640e99e5d28bebd95e39c0c
SHA512: d778ff952251d73dd6b85c72d576b63d9194d0efb09a8d0dc4c6e66424c9f9687521f41afad428d7d654150c60398e1dd013454959cd75f53e1c81e1c2f92b0d
File Content Preview: PK...... !....yh...... [Content_Types].xml ...(......

File Icon

Network Behavior

No network behavior found

Code Manipulations

Statistics

System Behavior

Analysis Process: EXCEL.EXE PID: 3284 Parent PID: 3072

General

Start time: 12:02:41
Start date: 22/11/2018
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde
Imagebase: 0x2f350000
File size: 20392608 bytes
MD5 hash: 716335EDBB91DA84FC102425BFDA957E
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

File Activities

Source File Path Access Attributes Options Completion Count Address Symbol

File Deleted

Columns: Source File Path, Completion, Count, Address, Symbol

C:\Users\user\AppData\Roaming\Microsoft\Excel\~ar17D0.xar: success or wait, 1, 2F7B153C, DeleteFileW
C:\Users\user\AppData\Roaming\Microsoft\Excel\~ar3885.xar: success or wait, 1, 2F7B153C, DeleteFileW
C:\Users\user\AppData\Roaming\Microsoft\Excel\~ar4BAE.xar: success or wait, 1, 2F7B153C, DeleteFileW

Source Old File Path New File Path Completion Count Address Symbol

File Written

Columns: Source File Path, Offset, Length, Value, Ascii, Completion, Count, Address, Symbol

C:\Users\user\Desktop\~$n.xlsx
Offset: unknown
Length: 55
Value: 0e 48 65 72 62 20 42 6c 61 63 6b 62 75 72 6e 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
Ascii: .user
Completion: success or wait
Count: 1
Address: 2F60B3AB
Symbol: WriteFile

C:\Users\user\Desktop\~$n.xlsx
Offset: unknown
Length: 110
Value: 0e 00 48 00 65 00 72 00 62 00 20 00 42 00 6c 00 61 00 63 00 6b 00 62 00 75 00 72 00 6e 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00 20 00
Ascii: ..H.e.r.b. .B.l.a.c.k.b.u.r.n......
Completion: success or wait
Count: 1
Address: 2F60B40A
Symbol: WriteFile

Source File Path Offset Length Completion Count Address Symbol

Registry Activities

Source Key Path Completion Count Address Symbol

Source Key Path Name Type Data Completion Count Address Symbol

Source Key Path Name Type Old Data New Data Completion Count Address Symbol

Disassembly
