ID: 191155 Sample Name: $06A896BA.xls Cookbook: defaultwindowsofficecookbook.jbs Time: 00:38:32 Date: 21/11/2019 Version: 28.0.0 Lapis Lazuli

Table of Contents
  Table of Contents  2
  Analysis Report $06A896BA.xls  4
    Overview  4
      General Information  4
      Detection  4
      Confidence  4
      Classification  5
      Analysis Advice  5
    Mitre Att&ck Matrix  6
    Signature Overview  6
      Networking  6
      System Summary  6
      Hooking and other Techniques for Hiding and Protection  6
      HIPS / PFW / Operating System Protection Evasion  6
    Behavior Graph  7
    Simulations  7
      Behavior and APIs  7
    Antivirus, Machine Learning and Genetic Malware Detection  7
      Initial Sample  7
      Dropped Files  7
      Unpacked PE Files  7
      Domains  7
      URLs  8
    Yara Overview  8
      Initial Sample  8
      PCAP (Network Traffic)  8
      Dropped Files  8
      Memory Dumps  8
      Unpacked PEs  8
    Sigma Overview  8
    Joe Sandbox View / Context  8
      IPs  8
      Domains  8
      ASN  8
      JA3 Fingerprints  8
      Dropped Files  8
    Screenshots  9
      Thumbnails  9
    Startup  9
    Created / dropped Files  9
    Domains and IPs  9
      Contacted Domains  10
      URLs from Memory and Binaries  10
      Contacted IPs  10
    Static File Info  10
      General  10
      File Icon  10
    Static OLE Info  10
      General  10
      OLE File "$06A896BA.xls"  10
        Indicators  10
        Summary  11
        Document Summary  11
        Streams  11
          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096  11
            General  11
          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096  11
            General  11
          Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 15728  11
            General  11
Copyright Joe Security LLC 2019 Page 2 of 13
    Network Behavior  12
    Code Manipulations  12
    Statistics  12
    System Behavior  12
      Analysis Process: EXCEL.EXE PID: 3664 Parent PID: 548  12
        General  12
        File Activities  12
          File Created  12
          File Deleted  12
        Registry Activities  12
    Disassembly  13
      Code Analysis  13

Analysis Report $06A896BA.xls

Overview

General Information
Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 191155
Start date: 21.11.2019
Start time: 00:38:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 3m 29s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: $06A896BA.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of analysed new started processes: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled; EGA enabled; HDC enabled; AMSI enabled
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean0.winXLS@1/0@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Successful, ratio: 100%
Number of executed functions: 0
Number of non-executed functions: 0
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .xls; Found Word or Excel or PowerPoint or XPS Viewer; Attach to Office via COM; Scroll down; Close Viewer
Warnings: Exclude process from analysis (whitelisted): dllhost.exe

Detection
Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 0 | 0 - 100 | false | | 

Confidence
Strategy | Score | Range | Further Analysis Required?
Threshold | 4 | 0 - 5 | false

Classification
[Classification gauge figure; categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious / suspicious / clean]

Analysis Advice
No malicious behavior found, analyze the document also on other versions of Office / Acrobat

Mitre Att&ck Matrix
(One column per tactic; each tactic lists its three matrix cells in row order. A trailing number is the count of matched signatures for that technique.)
Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features
Privilege Escalation: Process Injection 1; Accessibility Features; Path Interception
Defense Evasion: Process Injection 1; Binary Padding; Rootkit
Credential Access: Credential Dumping; Network Sniffing; Input Capture
Discovery: Process Discovery 1; File and Directory Discovery 1; System Information Discovery 1
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration
Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol
Impact: Data Destruction; Data Encrypted for Impact; Disk Structure Wipe

Signature Overview
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• HIPS / PFW / Operating System Protection Evasion

Networking:
Urls found in memory or binary data

System Summary:
Classification label
Creates temporary files
Document contains an OLE Workbook stream indicating a Microsoft Excel file
Reads ini files
Found graphical window changes (likely an installer)
Checks if Microsoft Office is installed
Uses new MSVCR Dlls
Binary contains paths to debug symbols
Document has a 'vbamacros' value indicative of goodware

Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)

HIPS / PFW / Operating System Protection Evasion:
May try to detect the Windows Explorer process (often used for injection)

Behavior Graph
[Behavior graph figure. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet. Graph header: ID: 191155, Sample: $06A896BA.xls, Startdate: 21/11/2019, Architecture: WINDOWS, Score: 0. Nodes: started -> EXCEL.EXE 53 12]

Simulations
Behavior and APIs
No simulations

Antivirus, Machine Learning and Genetic Malware Detection
Initial Sample
Source | Detection | Scanner | Label | Link
$06A896BA.xls | 0% | Virustotal | | 
Dropped Files
No Antivirus matches
Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Source | Detection | Scanner | Label | Link
Myserver/Mydoc.htm | 0% | Avira URL Cloud | safe | 

Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches

Sigma Overview
No Sigma rule has matched

Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context

Screenshots
Thumbnails
[Screenshot thumbnails figure; this section contains all screenshots as thumbnails, including those not shown in the slideshow.]

Startup
System is w7
EXCEL.EXE (PID: 3664 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 716335EDBB91DA84FC102425BFDA957E)
cleanup

Created / dropped Files
No created / dropped files found

Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
Myserver/Mydoc.htm | EXCEL.EXE, 00000000.00000002.2449019344.01290000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
Contacted IPs
No contacted IP infos

Static File Info
General
File type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Name of Creating Application: Microsoft Excel, Create Time/Date: Tue May 21 14:18:28 2019, Last Saved Time/Date: Tue May 21 14:18:38 2019, Security: 0
Entropy (8bit): 3.8239443784590437
TrID: Microsoft Excel sheet (30009/1) 78.94%; Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name: $06A896BA.xls
File size: 25600
MD5: b34c3871405271e1b86e09e73fc6ca5c
SHA1: 6bce4d9274e4dbe97cceeff6355f930146482640
SHA256: 49f0f0510e226c4bb4051635bc371a9bfa069a7ef5c145e13950dee617f70c65
SHA512: aeef5c209b80a23d091e1b2e75c0575ce4d19cd3ab0b425b16cfcf77b18d0b5b1e7f33c69bf8b2b3047d59a362b863c31d519560bb4feca0befe8db9d552f081
SSDEEP: 768:yrlk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJoWNr1:6lk3hbdlylKsgqopeJBWhZFGkE+cL2Ny
File Content Preview: ........................>.......................0.........................../.......... ......................................................................................... ...............................................................................

File Icon
Icon Hash: e4eea286a4b4bcb4

Static OLE Info
General
Document Type: OLE
Number of OLE Files: 1

OLE File "$06A896BA.xls"
Indicators
Has Summary Info: True
Application Name: Microsoft Excel
Encrypted Document: False
Contains Word Document Stream: False
Contains Workbook/Book Stream: True
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream: 
Flash Objects Count: 
Contains VBA Macros: False

Summary
Code Page: 1252
Create Time: 2019-05-21 13:18:28.709000
Last Saved Time: 2019-05-21 13:18:38
Creating Application: Microsoft Excel
Security: 0

Document Summary
Document Code Page: 1252
Thumbnail Scaling Desired: False
Company: 
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 1048576

Streams
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5DocumentSummaryInformation