popup

Report - Simplydisk_TPEB_Tariff_CtoC_16082021_Rev_9_142644520.xlsm

Malicious Packer Malicious Library PE File DLL PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.08.17 09:25 Machine s1_win7_x6403
Filename Simplydisk_TPEB_Tariff_CtoC_16082021_Rev_9_142644520.xlsm
Type Microsoft Excel 2007+
AI Score Not founds Behavior Score
7.2
ZERO API file : clean
VT API (file) 9 detected (XLS4, IcedID, MalDoc, ali1000101, Malicious, score, Probably Heur, W97ShellN, XmlMacroSheet, 07defname)
md5 fd7075efa74442ec550ba1b0613f0db3
sha256 56c2a6cd514956d83ac3d9f810ca1d942ba929f29a9af1d37aee3a1ce54a0283
ssdeep 6144:SWtZbAPPimNA/kjoitk17d3/zIZgddQIMgB0ViWir2Yv6ZtK2BnBkxXpsw:3tZbAPDNAcM5d3bFLKW0ir2YvoU2BnBS
imphash
impfuzzy
  Network IP location

Signature (18cnts)

Level Description
warning Uses WMI to create a new process
watch One or more non-whitelisted processes were created
watch Tries to unhook Windows functions monitored by Cuckoo
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process mshta.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates (office) documents on the filesystem
notice Creates a suspicious process
notice Creates executable files on the filesystem
notice Creates hidden or system file
notice File has been identified by 9 AntiVirus engines on VirusTotal as malicious
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info One or more processes crashed
info Queries for the computername

Rules (5cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
watch Malicious_Packer_Zero Malicious Packer binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info PE_Header_Zero PE File Signature binaries (download)

Network (7cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://cdn.discordapp.com/attachments/876792192524501045/876810977381847040/222_mod.dll
whois
Unknown 162.159.129.233 clean
https://cdn.discordapp.com/attachments/876792192524501045/876811276905480202/222_mod.dll
whois
Unknown 162.159.129.233 clean
https://beklear.net/wp-content/plugins/nhpakbigch/9YfqVdDVOAG.php
whois
US CLOUDFLARENET 104.21.84.227 clean
beklear.net
whois
US CLOUDFLARENET 172.67.197.185 clean
cdn.discordapp.com
whois
Unknown 162.159.129.233 malware
104.21.84.227
whois
US CLOUDFLARENET 104.21.84.227 clean
162.159.129.233
whois
Unknown 162.159.129.233 malware

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure