Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 14, 2022, 10:38 a.m.	April 14, 2022, 10:40 a.m.

Size	1.0MB
Type	Microsoft Excel 2007+
MD5	`dd1fb0f77e739767b1c57c2510b73a28`
SHA256	`68ecaf5dbc4d226c78ed9f50029259c112268ce7d329e07dd21a6876297c57fa`
CRC32	`CD64806E`
ssdeep	`24576:K9vBKAnpis3QXPH5sjl+opcMrAm9vBKAnpis3Q+9vBKAnpis3QSVLFUN:m5KA65VSrX5KAV5KAVNFK`
Yara	xlsb - Excel Binary Workbook file format detection Malicious_Library_Zero - Malicious_Library

EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\Office15\EXCEL.EXE" C:\Users\test22\AppData\Local\Temp\W-1611531349.xlsb
2324
- regsvr32.exe regsvr32 C:\Uduw\ehxw1.dll
  2520
- regsvr32.exe regsvr32 C:\Uduw\ehxw2.dll
  2616
- regsvr32.exe regsvr32 C:\Uduw\ehxw3.dll
  2704

Name	Response	Post-Analysis Lookup
natalespatagonia.cl	A 192.185.17.132	192.185.17.132
camarajocaclaudino.pb.gov.br	A 162.241.62.76	162.241.62.76
maramaabroo.com	A 31.22.4.117	31.22.4.117

IP Address	Status	Action
162.241.62.76	Active	Moloch
164.124.101.2	Active	Moloch
192.185.17.132	Active	Moloch
31.22.4.117	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 31.22.4.117:443 -> 192.168.56.103:49165	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49168 -> 192.185.17.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 162.241.62.76:443 -> 192.168.56.103:49176	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49170 -> 192.185.17.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 31.22.4.117:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49164 -> 31.22.4.117:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.185.17.132:443 -> 192.168.56.103:49171	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49174 -> 162.241.62.76:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 162.241.62.76:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ April 14, 2022, 10:38 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x74e02b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x74dd801a SLClose-0x28c osppc+0x2cb5 @ 0x6c4e2cb5 SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6c4f5629 SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6c4e3412 SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6c4f29af SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6b18a648 _MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x71dc4a94 _MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x71dc4823 _MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x716830d3 _MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x71682e1f _MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70ea2b05 _MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70ea2456 0x972c19 _MsoHrSetupHTMLImport@8+0x2ee7 _MsoHrOscServicesManagerSharepointURL@8-0x8f03 mso+0x200fda @ 0x70bc0fda _MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x70bc08cc _MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x70bafa61 _MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x70baf808 _MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x70baf7c8 _MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x709e3b6d _MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x709e22ad _MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x70b7522d _MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x70b75189 _MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x70b7407b _MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x70b73fa9 _MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x70b73f6b MdCallBack12-0x64a760 excel+0x37a4a @ 0xb47a4a MdCallBack12-0x64de96 excel+0x34314 @ 0xb44314 MdCallBack12-0x67d476 excel+0x4d34 @ 0xb14d34 MdCallBack12-0x67d76a excel+0x4a40 @ 0xb14a40 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 3731052 registers.edi: 3731216 registers.eax: 3731052 registers.ebp: 3731132 registers.edx: 0 registers.ebx: 3732268 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

April 14, 2022, 10:38 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x74e02b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x74dd801a
SLClose-0x28c osppc+0x2cb5 @ 0x6c4e2cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6c4f5629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6c4e3412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6c4f29af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6b18a648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x71dc4a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x71dc4823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x716830d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x71682e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70ea2b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70ea2456
0x972c19
_MsoHrSetupHTMLImport@8+0x2ee7 _MsoHrOscServicesManagerSharepointURL@8-0x8f03 mso+0x200fda @ 0x70bc0fda
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x70bc08cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x70bafa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x70baf808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x70baf7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x709e3b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x709e22ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x70b7522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x70b75189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x70b7407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x70b73fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x70b73f6b
MdCallBack12-0x64a760 excel+0x37a4a @ 0xb47a4a
MdCallBack12-0x64de96 excel+0x34314 @ 0xb44314
MdCallBack12-0x67d476 excel+0x4d34 @ 0xb14d34
MdCallBack12-0x67d76a excel+0x4a40 @ 0xb14a40
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xc004f011
exception.offset: 46887
exception.address: 0x766fb727
registers.esp: 3731052
registers.edi: 3731216
registers.eax: 3731052
registers.ebp: 3731132
registers.edx: 0
registers.ebx: 3732268
registers.esi: 3221549073
registers.ecx: 2147483648

Allocates read-write-execute memory (usually to unpack itself) (4 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 14, 2022, 10:38 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ba32000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2022, 10:38 a.m.	process_identifier: 2520 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2022, 10:38 a.m.	process_identifier: 2616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c201000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 14, 2022, 10:38 a.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6c201000 process_handle: 0xffffffff	1

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process EXCEL.EXE with pid 2324 crashed
__exception__ April 14, 2022, 10:38 a.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x74e02b08 NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x74dd801a SLClose-0x28c osppc+0x2cb5 @ 0x6c4e2cb5 SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6c4f5629 SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6c4e3412 SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6c4f29af SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6b18a648 _MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x71dc4a94 _MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x71dc4823 _MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x716830d3 _MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x71682e1f _MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70ea2b05 _MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70ea2456 0x972c19 _MsoHrSetupHTMLImport@8+0x2ee7 _MsoHrOscServicesManagerSharepointURL@8-0x8f03 mso+0x200fda @ 0x70bc0fda _MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x70bc08cc _MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x70bafa61 _MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x70baf808 _MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x70baf7c8 _MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x709e3b6d _MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x709e22ad _MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x70b7522d _MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x70b75189 _MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x70b7407b _MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x70b73fa9 _MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x70b73f6b MdCallBack12-0x64a760 excel+0x37a4a @ 0xb47a4a MdCallBack12-0x64de96 excel+0x34314 @ 0xb44314 MdCallBack12-0x67d476 excel+0x4d34 @ 0xb14d34 MdCallBack12-0x67d76a excel+0x4a40 @ 0xb14a40 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xc004f011 exception.offset: 46887 exception.address: 0x766fb727 registers.esp: 3731052 registers.edi: 3731216 registers.eax: 3731052 registers.ebp: 3731132 registers.edx: 0 registers.ebx: 3732268 registers.esi: 3221549073 registers.ecx: 2147483648	1	0	0

Application Crash

Process EXCEL.EXE with pid 2324 crashed

Time & API

Arguments

Status

Return

Repeated

__exception__

April 14, 2022, 10:38 a.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74de374b
NdrAllocate+0x5c8 RpcBindingFromStringBindingA-0xca4 rpcrt4+0x42b08 @ 0x74e02b08
NdrGetBuffer+0xf4 NdrSendReceive-0x6 rpcrt4+0x1801a @ 0x74dd801a
SLClose-0x28c osppc+0x2cb5 @ 0x6c4e2cb5
SLLoadApplicationPolicies+0xb30 SLCallServer-0x31f osppc+0x15629 @ 0x6c4f5629
SLClose+0x4d1 SLpBeginGenuineTicketTransaction-0x4703 osppc+0x3412 @ 0x6c4e3412
SLpGetTokenActivationGrantInfo+0xd8 SLpGenerateTokenActivationChallenge-0xad osppc+0x129af @ 0x6c4f29af
SLGetTokenActivationGrants+0x721 SLGetTokenActivationCertificates-0x7e7 osppcext+0x5a648 @ 0x6b18a648
_MsoWzFromIhtk@4+0x73207 mso+0x1404a94 @ 0x71dc4a94
_MsoWzFromIhtk@4+0x72f96 mso+0x1404823 @ 0x71dc4823
_MsoDwGimmeUserInstallBehavior@8+0x1ad15 _MsoHrShowMetSharedNotebooksDlg@20-0x7a9d0 mso+0xcc30d3 @ 0x716830d3
_MsoDwGimmeUserInstallBehavior@8+0x1aa61 _MsoHrShowMetSharedNotebooksDlg@20-0x7ac84 mso+0xcc2e1f @ 0x71682e1f
_MsoFreeCvsList@4+0x261dac _MsoPwlfFromFlinfo@8-0x3674 mso+0x4e2b05 @ 0x70ea2b05
_MsoFreeCvsList@4+0x2616fd _MsoPwlfFromFlinfo@8-0x3d23 mso+0x4e2456 @ 0x70ea2456
0x972c19
_MsoHrSetupHTMLImport@8+0x2ee7 _MsoHrOscServicesManagerSharepointURL@8-0x8f03 mso+0x200fda @ 0x70bc0fda
_MsoHrSetupHTMLImport@8+0x27d9 _MsoHrOscServicesManagerSharepointURL@8-0x9611 mso+0x2008cc @ 0x70bc08cc
_MsoFIEPolicyAndVersion@8+0x37cd _MsoTelemetryOnEndVBAMacroCallback@0-0x3f32 mso+0x1efa61 @ 0x70bafa61
_MsoFIEPolicyAndVersion@8+0x3574 _MsoTelemetryOnEndVBAMacroCallback@0-0x418b mso+0x1ef808 @ 0x70baf808
_MsoFIEPolicyAndVersion@8+0x3534 _MsoTelemetryOnEndVBAMacroCallback@0-0x41cb mso+0x1ef7c8 @ 0x70baf7c8
_MsoFEnsureMsoTypelib@0+0x2a5 _MsoInitShrGlobal@4-0x1bdf mso+0x23b6d @ 0x709e3b6d
_MsoExtTextOutW@32+0x85f _MsoFWndProcNeeded@4-0x4a1 mso+0x222ad @ 0x709e22ad
_MsoFGetTbShowKbdShortcuts@0+0x8b11 _MsoFDigitCh@4-0xbf35 mso+0x1b522d @ 0x70b7522d
_MsoFGetTbShowKbdShortcuts@0+0x8a6d _MsoFDigitCh@4-0xbfd9 mso+0x1b5189 @ 0x70b75189
_MsoFGetTbShowKbdShortcuts@0+0x795f _MsoFDigitCh@4-0xd0e7 mso+0x1b407b @ 0x70b7407b
_MsoFGetTbShowKbdShortcuts@0+0x788d _MsoFDigitCh@4-0xd1b9 mso+0x1b3fa9 @ 0x70b73fa9
_MsoFGetTbShowKbdShortcuts@0+0x784f _MsoFDigitCh@4-0xd1f7 mso+0x1b3f6b @ 0x70b73f6b
MdCallBack12-0x64a760 excel+0x37a4a @ 0xb47a4a
MdCallBack12-0x64de96 excel+0x34314 @ 0xb44314
MdCallBack12-0x67d476 excel+0x4d34 @ 0xb14d34
MdCallBack12-0x67d76a excel+0x4a40 @ 0xb14a40
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x768733ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

Creates executable files on the filesystem (3 events)

file	C:\Uduw\ehxw2.dll
file	C:\Uduw\ehxw1.dll
file	C:\Uduw\ehxw3.dll

Creates hidden or system file (1 event)

Time & API	Arguments	Status	Return	Repeated
NtCreateFile April 14, 2022, 10:38 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000474 filepath: C:\Users\test22\AppData\Local\Temp\~$W-1611531349.xlsb desired_access: 0xc0110080 (FILE_READ_ATTRIBUTES\|DELETE\|SYNCHRONIZE\|GENERIC_WRITE) file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: \??\C:\Users\test22\AppData\Local\Temp\~$W-1611531349.xlsb create_options: 4198496 (FILE_NON_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_DELETE_ON_CLOSE) status_info: 2 (FILE_CREATED) share_access: 1 (FILE_SHARE_READ)	1	0	0

Creates a suspicious process (3 events)

cmdline	regsvr32 C:\Uduw\ehxw2.dll
cmdline	regsvr32 C:\Uduw\ehxw1.dll
cmdline	regsvr32 C:\Uduw\ehxw3.dll

File has been identified by 7 AntiVirus engines on VirusTotal as malicious (7 events)

Sangfor	Malware.Generic-XLM.Save.ma35
Symantec	Scr.MalMacro!gen3
Kaspersky	HEUR:Trojan.Script.Generic
ZoneAlarm	HEUR:Trojan.MSOffice.Generic
GData	Macro.Trojan-Downloader.Agent.BDH
Rising	Downloader.Agent/XLM!1.DD40 (CLASSIC)
Fortinet	MSExcel/Agent.AC!tr.dldr

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 14, 2022, 10:38 a.m.	process_identifier: 2324 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x7ef70000 process_handle: 0xffffffff	1	0	0

Network communications indicative of a potential document or script payload download was initiated by the process excel.exe (3 events)

Time & API	Arguments	Return
URLDownloadToFileW April 14, 2022, 10:38 a.m.	url: https://maramaabroo.com/XGLCPZf6et/Cvnhfn.png stack_pivoted: 0 filepath_r: C:\Uduw\ehxw1.dll filepath: C:\Uduw\ehxw1.dll	2148270085
URLDownloadToFileW April 14, 2022, 10:38 a.m.	url: https://natalespatagonia.cl/w2X7dAxp/Cvnhfn.png stack_pivoted: 0 filepath_r: C:\Uduw\ehxw2.dll filepath: C:\Uduw\ehxw2.dll	2148270085
URLDownloadToFileW April 14, 2022, 10:38 a.m.	url: https://camarajocaclaudino.pb.gov.br/5jajRnhLV0/Cvnhfn.png stack_pivoted: 0 filepath_r: C:\Uduw\ehxw3.dll filepath: C:\Uduw\ehxw3.dll	2148270085

One or more non-whitelisted processes were created (3 events)

parent_process	excel.exe	martian_process	regsvr32 C:\Uduw\ehxw2.dll
parent_process	excel.exe	martian_process	regsvr32 C:\Uduw\ehxw1.dll
parent_process	excel.exe	martian_process	regsvr32 C:\Uduw\ehxw3.dll

W-1611531349.xlsb

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All