popup

Report - INV.-54490_20210915.xlsm

Malicious Library PE File DLL PE32
  1. Resubmit analysis
  2. Detailed report
ScreenShot
Created 2021.09.16 09:56 Machine s1_win7_x6403
Filename INV.-54490_20210915.xlsm
Type Microsoft Excel 2007+
AI Score Not founds Behavior Score
7.2
ZERO API file : clean
VT API (file) 11 detected (XLS4, IcedID, XLSM, Camelot, Artemis, ZLoader, Probably Heur, W97ShellN, XmlMacroSheet)
md5 f2bec56e09883a139201183f00f400a4
sha256 4a8d3e1f28dcddd8177e378b14b49dc0e23dad9772931f6616ce64ad17585fa7
ssdeep 6144:PxDLPBIdMuECZyERj/s8pzQFHr5/bDc8dI:PxXQBAy/sMkBr5/cF
imphash
impfuzzy
  Network IP location

Signature (19cnts)

Level Description
warning Uses WMI to create a new process
watch File has been identified by 11 AntiVirus engines on VirusTotal as malicious
watch One or more non-whitelisted processes were created
notice A process attempted to delay the analysis task.
notice Allocates read-write-execute memory (usually to unpack itself)
notice An executable file was downloaded by the process mshta.exe
notice Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time)
notice Creates (office) documents on the filesystem
notice Creates a suspicious process
notice Creates hidden or system file
notice One or more potentially interesting buffers were extracted
notice Performs some HTTP requests
notice Uses Windows utilities for basic Windows functionality
info Checks amount of memory in system
info Checks if process is being debugged by a debugger
info Collects information to fingerprint the system (MachineGuid
info Command line console output was observed
info One or more processes crashed
info Queries for the computername

Rules (4cnts)

Level Name Description Collection
watch Malicious_Library_Zero Malicious_Library binaries (download)
info IsDLL (no description) binaries (download)
info IsPE32 (no description) binaries (download)
info PE_Header_Zero PE File Signature binaries (download)

Network (3cnts) ?

Request CC ASN Co IP4 Rule ? ZERO ?
https://cdn.discordapp.com/attachments/887666439396421665/887666505632858112/9_SensorsApi.dll.dll
whois
Unknown 162.159.133.233 clean
cdn.discordapp.com
whois
Unknown 162.159.135.233 malware
162.159.133.233
whois
Unknown 162.159.133.233 malware

Suricata ids

SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)

Similarity measure (PE file only) - Checking for service failure