Translations.csv
This report is generated from a file or URL submitted to this webservice on September 10th 2020 10:17:01 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.31 © Hybrid Analysis
Related Sandbox Artifacts
- Associated SHA256s
- a764f0b0238fec83194e82fe189f37228921afecd4177e19397fec9f00920706
Indicators
Malicious Indicators 1
Unusual Characteristics
Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details
- Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
- Found keyword "Auto_Close" which indicates: "Runs when the Excel Workbook is closed"
- Found keyword "AutoClose" which indicates: "Runs when the Word document is closed"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1137
- note
- These are keyword matches made by the static parser over the file's text. The sample is plain ISO-8859 text (see File Details), and a text file has no OLE or OOXML container in which a VBA project stream could be stored, so the matched words are substrings of the CSV content rather than macro code. The dynamic run agrees: one EXCEL.EXE process, no child process, no DNS requests, no contacted hosts, no HTTP traffic, 0/55 AV detections. Nothing in the report supports a real macro; the indicator should be read as a keyword false positive unless a macro-capable container is found.
Suspicious Indicators 1
Unusual Characteristics
Contains embedded VBA macros with suspicious keywords
- details
- Found suspicious keyword "Run" which indicates: "May run an executable file or a system command"
- Found suspicious keyword "Open" which indicates: "May open a file"
- Found suspicious keyword "system" which indicates: "May run an executable file or a system command on a Mac (if combined with libc.dylib)"
- Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
- Found suspicious keyword "command" which indicates: "May run PowerShell commands"
- Found suspicious keyword "Output" which indicates: "May write to a file (if combined with Open)"
- Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1204
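Worked example, added by the editor and not part of the Hybrid Analysis report: a small static triage script that reproduces the two keyword indicators above and pairs them with the check that decides whether such hits can mean anything, namely whether the file is an OLE2 or OOXML container at all. The keyword descriptions are the ones the report prints; the whole-word, case-insensitive matching rule is this example's assumption about how olevba-style keyword scans behave, and the CSV it runs on is constructed in the shape of the normalized strings listed further down (rows copied from the report are marked in the code).

```python
import re

# Keyword tables. The descriptions are the ones the report's static parser
# printed for this sample; the matching rule (whole word, case-insensitive)
# is this example's assumption about how olevba-style keyword scans behave.
AUTOEXEC_KEYWORDS = {
    "AutoOpen": "Runs when the Word document is opened",
    "Auto_Close": "Runs when the Excel Workbook is closed",
    "AutoClose": "Runs when the Word document is closed",
}
SUSPICIOUS_KEYWORDS = {
    "Run": "May run an executable file or a system command",
    "Open": "May open a file",
    "system": "May run an executable file or a system command on a Mac (if combined with libc.dylib)",
    "Windows": "May enumerate application windows (if combined with Shell.Application object)",
    "command": "May run PowerShell commands",
    "Output": "May write to a file (if combined with Open)",
    "Binary": "May read or write a binary file (if combined with Open)",
}

# Signatures of the only containers that can hold a VBA project:
# OLE2 compound files (.xls, .doc) and OOXML zips (.xlsm, .docm).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def container_type(data):
    """'ole' or 'ooxml' can carry a VBA project; anything else is treated as text."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "text"


def scan_keywords(text, table):
    """Return {keyword: description} for every table entry found as a whole word."""
    hits = {}
    for keyword, meaning in table.items():
        pattern = r"(?<![A-Za-z0-9_])" + re.escape(keyword) + r"(?![A-Za-z0-9_])"
        if re.search(pattern, text, re.IGNORECASE):
            hits[keyword] = meaning
    return hits


def triage(data):
    """Keyword hits plus the container check that decides what they can mean."""
    kind = container_type(data)
    text = data.decode("latin-1")  # ISO-8859 text, as File Details describes the sample
    autoexec = scan_keywords(text, AUTOEXEC_KEYWORDS)
    suspicious = scan_keywords(text, SUSPICIOUS_KEYWORDS)
    if kind == "text":
        verdict = "plain text: keyword hits are substrings of the file content, not a VBA project"
    elif autoexec:
        verdict = "macro container with auto-exec keywords: extract and read the VBA before opening"
    elif suspicious:
        verdict = "macro container with suspicious keywords: review the VBA"
    else:
        verdict = "macro container, no keyword hits"
    return {"container": kind, "autoexec": autoexec, "suspicious": suspicious, "verdict": verdict}


# Constructed input in the shape of the report's normalized strings. Rows 1-3
# and row 8 are values the report lists; rows 4-7 are made up for this example
# (row 7 reuses the "http" string the report lists) so that the
# Run/Windows/AutoOpen keywords also fire.
SAMPLE_CSV = (
    "GESCHWIN_WERTE_SPORT_KGM,Speed\r\n"
    "PAO_SCHWELLWERT_UNTR,Open\r\n"
    "PHONE_PARAMETER,Telephone\r\n"
    "MOTOR_STATUS_LAUF,Run\r\n"
    "FENSTER_STATUS,Windows\r\n"
    "KLAPPE_AUTOMATIK,AutoOpen\r\n"
    "PROTOKOLL,http\r\n"
    "STANDHEIZUNG_TIMEOUT,Independent\r\n"
).encode("latin-1")

if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    print(result["container"], sorted(result["autoexec"]), sorted(result["suspicious"]))
    print(result["verdict"])
```

On the real sample, a plain ISO-8859 text file, the verdict is the "plain text" branch: the Open/Run/Windows hits are column values in a translation table. The same scanner on an .xlsm would report "ooxml", and the keyword hits would then justify extracting the VBA project (for example with olevba) before the file is opened anywhere.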
Informative 10
External Systems
Sample was identified as clean by Antivirus engines
- details
- 0/55 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
General
Contains embedded VBA macros
- details
- details too long to display
- source
- Static Parser
- relevance
- 10/10
- ATT&CK ID
- T1204
Contains embedded VBA macros (normalized)
- details
- Normalized macro string: "http"
- Normalized macro string: "GESCHWIN_WERTE_SPORT_KGM,Speed"
- Normalized macro string: "http,"
- Normalized macro string: "HEAD_UNIT_TYPE,"
- Normalized macro string: "ISPEECH_TP_FUNKTION,iSpeech"
- Normalized macro string: "httph"
- Normalized macro string: "ISPEECH_VA_SEATVENT,iSpeech"
- Normalized macro string: "httpe"
- Normalized macro string: "K4116_EINH_TEMPERATUR,Temperature"
- Normalized macro string: "httppt"
- Normalized macro string: "LEUCHTDICHTE_EXPO,Exponential"
- Normalized macro string: "httptl"
- Normalized macro string: "LEUCHTDICHTE_EXPONENTIEL,Light"
- Normalized macro string: "NACHLZ_BISTABR_TRANSPM,"
- Normalized macro string: "P_HBG_FLOSS_PLAT_TOP,"
- Normalized macro string: "PAO_SCHWELLWERT_UNTR,Open"
- Normalized macro string: "PHONE_PARAMETER,Telephone"
- Normalized macro string: "RUECKSCHALTUNG_AKT_KMH,Speed"
- Normalized macro string: "httpt"
- Normalized macro string: "STANDHEIZUNG_TIMEOUT,Independent"
- source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1137
Creates mutants
- details
- "\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
- "Local\ZonesLockedCacheCounterMutex"
- "Local\ZonesCacheCounterMutex"
- "Local\x64_10MU_ACB10_S-1-5-5-0-65411"
- "Local\x64_10MU_ACBPIDS_S-1-5-5-0-65411"
- "Global\552FFA80-3393-423d-8671-7BA046BB5906"
- "Global\MsoShellExtRegAccess_S-1-5-21-686412048-2446563785-1323799475-1001"
- "\Sessions\1\BaseNamedObjects\Local\x64_10MU_ACBPIDS_S-1-5-5-0-65411"
- "\Sessions\1\BaseNamedObjects\Local\x64_10MU_ACB10_S-1-5-5-0-65411"
- "\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
- "\Sessions\1\BaseNamedObjects\Global\MsoShellExtRegAccess_S-1-5-21-686412048-2446563785-1323799475-1001"
- source
- Created Mutant
- relevance
- 3/10
Loads rich edit control libraries
- details
- "EXCEL.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\OFFICE14\RICHED20.DLL" at E7170000
- source
- Loaded Module
- ATT&CK ID
- T1179
Installation/Persistence
Dropped files
- details
- "Translations.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Thu Sep 10 10:17:55 2020 mtime=Thu Sep 10 10:17:55 2020 atime=Thu Sep 10 10:18:15 2020 length=1082333 window=hide"
- "index.dat" has type "data"
- source
- Binary File
- relevance
- 3/10
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "EXCEL.EXE" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
Touches files in the Windows directory
- details
- "EXCEL.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
- "EXCEL.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
- "EXCEL.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll"
- "EXCEL.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
- "EXCEL.EXE" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
- "EXCEL.EXE" touched file "C:\Windows\System32\rsaenh.dll"
- "EXCEL.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
- "EXCEL.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
- "EXCEL.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000001e.db"
- "EXCEL.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\mso2DBA.tmp"
- "EXCEL.EXE" touched file "C:\Windows\System32\tzres.dll"
- "EXCEL.EXE" touched file "C:\Windows\System32\oleacc.dll"
- "EXCEL.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\clr.dll"
- "EXCEL.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"
- source
- API Call
- relevance
- 7/10
System Security
Hooks API calls
- details
- "VariantClear@OLEAUT32.DLL" in "EXCEL.EXE"
- "SysFreeString@OLEAUT32.DLL" in "EXCEL.EXE"
- "SysAllocStringByteLen@OLEAUT32.DLL" in "EXCEL.EXE"
- "OleLoadFromStream@OLE32.DLL" in "EXCEL.EXE"
- "VariantChangeType@OLEAUT32.DLL" in "EXCEL.EXE"
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
Unusual Characteristics
Installs hooks/patches the running process
- details
- "EXCEL.EXE" wrote bytes "e933f08800" to virtual address "0xFE801180" ("VariantClear@OLEAUT32.DLL")
- "EXCEL.EXE" wrote bytes "0010d7fcfe070000" to virtual address "0xFCD8FE18" (part of module "SSPICLI.DLL")
- "EXCEL.EXE" wrote bytes "0010d7fcfe070000" to virtual address "0xFCD8FB18" (part of module "SSPICLI.DLL")
- "EXCEL.EXE" wrote bytes "4013d7fcfe070000" to virtual address "0xFCD8FE10" (part of module "SSPICLI.DLL")
- "EXCEL.EXE" wrote bytes "0010d7fcfe070000" to virtual address "0xFCD8FE50" (part of module "SSPICLI.DLL")
- "EXCEL.EXE" wrote bytes "4013d7fcfe070000" to virtual address "0xFCD8FB10" (part of module "SSPICLI.DLL")
- "EXCEL.EXE" wrote bytes "0010d7fcfe070000" to virtual address "0xFCD8FB50" (part of module "SSPICLI.DLL")
- "EXCEL.EXE" wrote bytes "7c17bff35b87d601" to virtual address "0xEE5F2350" (part of module "OART.DLL")
- "EXCEL.EXE" wrote bytes "e933ef8800cccc" to virtual address "0xFE801210" ("SysFreeString@OLEAUT32.DLL")
- "EXCEL.EXE" wrote bytes "4013d7fcfe070000" to virtual address "0xFCD8FE48" (part of module "SSPICLI.DLL")
- "EXCEL.EXE" wrote bytes "4013d7fcfe070000" to virtual address "0xFCD8FB48" (part of module "SSPICLI.DLL")
- "EXCEL.EXE" wrote bytes "301211f5fe070000" to virtual address "0xFE5C1648" (part of module "WININET.DLL")
- "EXCEL.EXE" wrote bytes "48b8101611f5fe070000ffe0" to virtual address "0xFCD71000" (part of module "SSPICLI.DLL")
- "EXCEL.EXE" wrote bytes "48b8601311f5fe070000ffe0" to virtual address "0xFCD71340" (part of module "SSPICLI.DLL")
- "EXCEL.EXE" wrote bytes "33f5c2f35b87d601" to virtual address "0xEF59FA00" (part of module "GFX.DLL")
- "EXCEL.EXE" wrote bytes "e9abc08800cc" to virtual address "0xFE804060" ("SysAllocStringByteLen@OLEAUT32.DLL")
- "EXCEL.EXE" wrote bytes "40130000" to virtual address "0xFCD88538" (part of module "SSPICLI.DLL")
- "EXCEL.EXE" wrote bytes "40130000" to virtual address "0xFCD88478" (part of module "SSPICLI.DLL")
- "EXCEL.EXE" wrote bytes "48b8e01111f5fe070000ffe0" to virtual address "0xFE601000" (part of module "WS2_32.DLL")
- "EXCEL.EXE" wrote bytes "e913b0e7ff" to virtual address "0xFF2150C0" ("OleLoadFromStream@OLE32.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179
- note
- Decoding the written bytes: the e9 xx xx xx xx writes at the four OLEAUT32/OLE32 exports are 5-byte JMP rel32 instructions (the trailing cc bytes are int3 fill over the displaced instruction bytes), and all four land in one small region, 0xFF0900D8 to 0xFF0901B8, which is consistent with a single hooking engine. The 48 b8 <imm64> ff e0 writes at the start of SSPICLI.DLL and WS2_32.DLL are MOV RAX, imm64; JMP RAX stubs whose targets are 0x000007FEF5111610, 0x000007FEF5111360 and 0x000007FEF51111E0; the qword written into WININET.DLL, 0x000007FEF5111230, points into that same region. The report prints only the low 32 bits of 64-bit addresses, as these imm64 operands show. The 00 10 d7 fc fe 07 00 00 and 40 13 d7 fc fe 07 00 00 qwords are pointers to the two SSPICLI stubs just written (0xFCD71000 and 0xFCD71340). The qwords written into OART.DLL and GFX.DLL are FILETIME values for 2020-09-10 10:20:05 UTC, i.e. timestamps stored during the run, not code. The report attributes every write to EXCEL.EXE, the only process in the run, and does not identify the component that installed the hooks; with a plain-text sample and no child process, the writes cannot be attributed to the sample on this evidence alone.
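Worked example, added by the editor and not part of the report: a decoder for the "wrote bytes" lines of the hook indicator above. It parses a subset of those lines copied verbatim, classifies each write as a JMP rel32 stub, a MOV RAX, imm64; JMP RAX stub, a FILETIME or a raw qword/dword, computes the JMP targets (masked to 32 bits because the report prints only the low 32 bits of 64-bit addresses, as the imm64 operands show), groups stub targets by page to expose the single region all the OLEAUT32/OLE32 hooks jump to, and links the qword writes that point at the freshly written SSPICLI stubs. The line format it expects and the 2000 to 2040 year window used to recognise FILETIMEs are this example's assumptions.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Lines copied verbatim from the "Installs hooks/patches the running process"
# indicator above (a representative subset; the parser accepts the full list).
REPORT_LINES = [
    '"EXCEL.EXE" wrote bytes "e933f08800" to virtual address "0xFE801180" ("VariantClear@OLEAUT32.DLL")',
    '"EXCEL.EXE" wrote bytes "0010d7fcfe070000" to virtual address "0xFCD8FE18" (part of module "SSPICLI.DLL")',
    '"EXCEL.EXE" wrote bytes "7c17bff35b87d601" to virtual address "0xEE5F2350" (part of module "OART.DLL")',
    '"EXCEL.EXE" wrote bytes "e933ef8800cccc" to virtual address "0xFE801210" ("SysFreeString@OLEAUT32.DLL")',
    '"EXCEL.EXE" wrote bytes "301211f5fe070000" to virtual address "0xFE5C1648" (part of module "WININET.DLL")',
    '"EXCEL.EXE" wrote bytes "48b8101611f5fe070000ffe0" to virtual address "0xFCD71000" (part of module "SSPICLI.DLL")',
    '"EXCEL.EXE" wrote bytes "e9abc08800cc" to virtual address "0xFE804060" ("SysAllocStringByteLen@OLEAUT32.DLL")',
    '"EXCEL.EXE" wrote bytes "40130000" to virtual address "0xFCD88538" (part of module "SSPICLI.DLL")',
    '"EXCEL.EXE" wrote bytes "48b8e01111f5fe070000ffe0" to virtual address "0xFE601000" (part of module "WS2_32.DLL")',
    '"EXCEL.EXE" wrote bytes "e913b0e7ff" to virtual address "0xFF2150C0" ("OleLoadFromStream@OLE32.DLL")',
]

# Assumed line format: hex bytes, 0x-prefixed address, then either a quoted
# export name or 'part of module "X"'.
LINE_RE = re.compile(
    r'wrote bytes "([0-9a-fA-F]+)" to virtual address "0x([0-9a-fA-F]+)" '
    r'\((?:"([^"]+)"|part of module "([^"]+)")\)'
)

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
STUB_KINDS = ("jmp_rel32", "mov_rax_jmp_rax")


def filetime_to_datetime(value):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None."""
    try:
        return EPOCH_1601 + timedelta(microseconds=value // 10)
    except OverflowError:
        return None


def classify_write(addr, data):
    """Decode one memory write. JMP targets are masked to 32 bits so they stay
    comparable with the truncated addresses the report prints."""
    if data[:1] == b"\xe9" and len(data) >= 5:  # JMP rel32, possibly followed by int3 fill
        rel32 = struct.unpack_from("<i", data, 1)[0]
        return {"kind": "jmp_rel32", "target": (addr + 5 + rel32) & 0xFFFFFFFF}
    if data[:2] == b"\x48\xb8" and len(data) >= 12 and data[10:12] == b"\xff\xe0":
        # MOV RAX, imm64 ; JMP RAX: the absolute form of the same trampoline
        return {"kind": "mov_rax_jmp_rax", "target": struct.unpack_from("<Q", data, 2)[0]}
    if len(data) == 8:
        value = struct.unpack("<Q", data)[0]
        when = filetime_to_datetime(value)
        if when is not None and 2000 <= when.year <= 2040:  # assumed plausibility window
            return {"kind": "filetime", "value": value, "when": when}
        return {"kind": "qword", "value": value}
    if len(data) == 4:
        return {"kind": "dword", "value": struct.unpack("<I", data)[0]}
    return {"kind": "unknown", "value": data.hex()}


def parse_report(lines):
    entries = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        hexbytes, addr, symbol, module = m.groups()
        entry = {"addr": int(addr, 16), "where": symbol or module}
        entry.update(classify_write(entry["addr"], bytes.fromhex(hexbytes)))
        entries.append(entry)
    return entries


def hook_clusters(entries):
    """Group stub targets by 4 KiB page (low 32 bits): stubs installed by one
    hook engine land together, as the OLEAUT32/OLE32 patches above do."""
    pages = {}
    for e in entries:
        if e["kind"] in STUB_KINDS:
            pages.setdefault((e["target"] & 0xFFFFFFFF) >> 12, []).append(e["where"])
    return pages


def link_pointers(entries):
    """Map qword writes whose value is the address of a stub written in the
    same run: a pointer being redirected at code the hooker just placed."""
    stubs = {e["addr"] for e in entries if e["kind"] in STUB_KINDS}
    return {e["addr"]: e["value"] & 0xFFFFFFFF
            for e in entries
            if e["kind"] == "qword" and (e["value"] & 0xFFFFFFFF) in stubs}


if __name__ == "__main__":
    parsed = parse_report(REPORT_LINES)
    for e in parsed:
        print(hex(e["addr"]), e["where"], e["kind"], e.get("target") or e.get("when") or hex(e.get("value", 0)))
    print({hex(k): v for k, v in hook_clusters(parsed).items()})
    print({hex(k): hex(v) for k, v in link_pointers(parsed).items()})
```

Two things fall out that the raw list hides: the four export hooks resolve to one 0xFF090xxx page and the SSPICLI/WS2_32 stubs to one 0xF5111xxx page, and the "random" qword in SSPICLI at 0xFCD8FE18 is simply a pointer to the stub at 0xFCD71000. Either observation is enough to tell a hook engine's housekeeping apart from scattered code-cave writes when a report like this lands on your desk.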
File Details
Translations.csv
- Filename
- Translations.csv
- Size
- 1MiB (1082333 bytes)
- Type
- csv text
- Description
- ISO-8859 text, with very long lines, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- e270baf90a99a380bb6685d167026f906a33ef4455252113b013eba99f7414b3
- MD5
- 89bad56211fd18169b7efe70232a2adb
- SHA1
- e48b60543acc5d66ae482a6c24ec4ef1f91e5cb7
- ssdeep
- 6144:ZGmFU4e7T8X+nLuon1Ql5yRBsZlytdwFZCA+lVmkL5Nvr2jEdyETFvIzJ8/jb9c+:ov90NfmBhDXmH/iZh
Hybrid Analysis
Analysed 1 process in total.
- EXCEL.EXE /dde (PID: 2272)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Files
Informative 2
Translations.LNK
- Size
- 473B (473 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Sep 10 10:17:55 2020, mtime=Thu Sep 10 10:17:55 2020, atime=Thu Sep 10 10:18:15 2020, length=1082333, window=hide
- Runtime Process
- EXCEL.EXE (PID: 2272)
- MD5
- 9c29511194e74cb7ec6011e67ec1ef78
- SHA1
- 4fee7dd1b30ae1681e3f9e3962b2061dffdbd91b
- SHA256
- 2ca9d3a307551bb43346abb7271fbeb22f3918204413bc1071482d5b47dcb375
index.dat
- Size
- 113B (113 bytes)
- Type
- data
- Runtime Process
- EXCEL.EXE (PID: 2272)
- MD5
- 743417bfcab5798c13536e441039950a
- SHA1
- 524be37c6d7f9d6b1e2ec3bdf69502c8dd0313bc
- SHA256
- 6e46f06a067dc4d5ca0dc19ef66d4855028c3222350eea3b2b006c8db1c385f8
Notifications
Runtime
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "string-50" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)