
Analysis Report adam.cefai-596971.xls

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:220459
Start date:06.04.2020
Start time:13:22:38
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 6m 40s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:adam.cefai-596971.xls
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Java 8.0.1440.1, Flash 30.0.0.113)
Number of new started processes analysed:23
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.bank.troj.expl.evad.winXLS@21/60@16/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 13.9% (good quality ratio 13.9%)
  • Quality average: 88.3%
  • Quality standard deviation: 20.2%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 37
  • Number of non-executed functions: 23
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .xls
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, WmiPrvSE.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 205.185.216.42, 205.185.216.10, 67.27.158.126, 67.26.73.254, 8.253.207.120, 67.27.157.126, 8.248.113.254, 104.92.97.140, 204.79.197.200, 13.107.21.200, 104.108.37.250, 92.123.7.209
  • Excluded domains from analysis (whitelisted): www.bing.com, dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, e11290.dspg.akamaiedge.net, go.microsoft.com, any.edge.bing.com, a-0001.a-afdentry.net.trafficmanager.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, go.microsoft.com.edgekey.net, auto.au.download.windowsupdate.com.c.footprint.net, ieonline.microsoft.com
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold; Score: 100 (range 0 - 100); Whitelisted: false; Threat: Ursnif; Detection: malicious

Confidence

Strategy: Threshold; Score: 5 (range 0 - 5); Further Analysis Required?: false


Classification Spiderchart (chart image omitted)

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

The matrix is listed per tactic column. Techniques carrying a trailing number are the ones the report flagged; the number is the report's own superscript annotation and is kept exactly as extracted. Unnumbered entries are the unflagged background cells of the matrix.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service
Execution: Windows Management Instrumentation 21; Execution through API 1; Exploitation for Client Execution 4; Graphical User Interface 1; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts
Privilege Escalation: Process Injection 2; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection
Defense Evasion: Masquerading 1; Software Packing 21; Disabling Security Tools 11; Virtualization/Sandbox Evasion 1; Process Injection 2; Obfuscated Files or Information 11; Software Packing; Indicator Blocking
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History
Discovery: System Time Discovery 1; Virtualization/Sandbox Evasion 1; Process Discovery 1; Application Window Discovery 1; Security Software Discovery 12; Remote System Discovery 1; File and Directory Discovery 3; System Information Discovery 24
Lateral Movement: Remote File Copy 1; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data
Exfiltration: Data Encrypted 1; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol
Command and Control: Standard Cryptographic Protocol 12; Remote File Copy 1; Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 2; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Impact: Modify System Partition; Device Lockout; Delete Device Data

Signature Overview



AV Detection:

Multi AV Scanner detection for domain / URL
Source: www.istitutobpascalweb.it; VirusTotal detection: 6%
Source: istitutobpascalweb.it; VirusTotal detection: 6%
Source: prlottonews.xyz; VirusTotal detection: 11%
Source: https://prlottonews.xyz; VirusTotal detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; VirusTotal detection: 45%
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Metadefender detection: 42%
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; ReversingLabs detection: 87%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\508delicate[1].exe; VirusTotal detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\508delicate[1].exe; Metadefender detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\508delicate[1].exe; ReversingLabs detection: 87%
Note: the two dropped paths report identical ratios on all three engines, consistent with one and the same binary: the copy URLDownloadToFile left in the Internet Explorer cache (508delicate[1].exe) and the copy Excel then wrote to C:\RPJbYuR\pvrDGVq\rCLGjyS.exe. The submitted workbook itself scores far lower (13% / 17%), so scanning the attachment alone would have missed most of the signal.
Multi AV Scanner detection for submitted file
Source: adam.cefai-596971.xls; VirusTotal detection: 13%
Source: adam.cefai-596971.xls; ReversingLabs detection: 17%
Machine Learning detection for dropped file
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\508delicate[1].exe; Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.rCLGjyS.exe.400000.1.unpack; Avira label: TR/Crypt.ZPACK.Gen
Source: 2.2.rCLGjyS.exe.1e0000.0.unpack; Avira label: TR/Patched.Ren.Gen
Source: 2.1.rCLGjyS.exe.400000.0.unpack; Avira label: TR/Crypt.ZPACK.Gen

Spreading:

Enumerates the file system
Source: C:\Windows\System32\ie4uinit.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\ie4uinit.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\ie4uinit.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\ie4uinit.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\ie4uinit.exe; File opened: C:\Users\user
Source: C:\Windows\System32\ie4uinit.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Note: ie4uinit.exe is the Internet Explorer setup helper, started here by iexplore.exe with -ShowQLIcon (see Spawns processes under System Summary); walking AppData\Roaming\Microsoft\Internet Explorer\Quick Launch and touching its desktop.ini is how it places the Quick Launch icon. These opens are a by-product of the Internet Explorer instance the sample creates over COM, not spreading behaviour by the sample itself.

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\508delicate[1].exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: 508delicate[1].exe.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll, origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe
Note: despite the signature names, no memory-corruption exploit is recorded anywhere in this report. The chain is EXCEL.EXE itself calling URLDownloadToFileA (the download lands in the Internet Explorer cache as 508delicate[1].exe), writing a second copy to C:\RPJbYuR\pvrDGVq\rCLGjyS.exe and starting it, all while the document carries vbamacros = False (System Summary). That is what a macro executed by Excel looks like, and the absence of a VBA project points at Excel 4.0 (XLM) macro sheets, which the vbamacros indicator does not cover. This is an inference from the recorded behaviour, not a report finding; confirm it by inspecting the Workbook stream's BOUNDSHEET records (for example with oledump.py and its plugin_biff) after the workbook has been decrypted.
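The two behaviours this section keys on, an Office process writing a PE file and an Office process starting a child outside Windows or Program Files, are easy to express as host-based detection logic. The following is an added example written for this page, not code from Joe Sandbox; it runs the two checks over Sysmon-style event records that are constructed here (only the image paths are taken from the report), and the rule names office_writes_pe and office_spawns_untrusted_child are this example's own.

```python
"""Office-dropper detection logic, run over constructed Sysmon-style events.

Added example, not part of the Joe Sandbox report. It re-implements the two
checks this section is built on ("Office process drops PE file" and "process
start blacklist hit"): an Office binary writing a PE file, and an Office binary
starting a child that lives outside Windows or Program Files. The event records
are constructed for this example; only the image paths mirror the report.
"""
from __future__ import annotations

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PE_SUFFIXES = (".exe", ".dll", ".scr", ".cpl")

# Paths taken from the report's process tree; the events around them are made up.
EXCEL = r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE"
DROPPER = r"C:\RPJbYuR\pvrDGVq\rCLGjyS.exe"
CACHE_COPY = (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
              r"\Content.IE5\JPFGGPGF\508delicate[1].exe")
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"

# id 1 = process create (parent -> image), id 11 = file create (image -> target)
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": EXCEL},
    {"id": 11, "image": EXCEL, "target": r"C:\Users\user\AppData\Local\Temp\CVRCE72.tmp"},
    {"id": 11, "image": EXCEL, "target": CACHE_COPY},
    {"id": 11, "image": EXCEL, "target": DROPPER},
    {"id": 1, "parent": EXCEL, "image": DROPPER},
    {"id": 1, "parent": IEXPLORE, "image": r"C:\Windows\System32\ie4uinit.exe"},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, so EXCEL.EXE and excel.exe compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_office(path: str) -> bool:
    return basename(path) in OFFICE_IMAGES


def in_trusted_location(path: str) -> bool:
    r"""Binaries under Windows or Program Files pass; user-writable or freshly
    created root-level directories (the report's C:\RPJbYuR\pvrDGVq) do not."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def evaluate(event: dict) -> list[str]:
    """Names of the rules one event trips; empty when it trips none."""
    hits = []
    if (event["id"] == 1 and is_office(event["parent"])
            and not in_trusted_location(event["image"])):
        hits.append("office_spawns_untrusted_child")
    if (event["id"] == 11 and is_office(event["image"])
            and event["target"].lower().endswith(PE_SUFFIXES)):
        hits.append("office_writes_pe")
    return hits


def run(events: list[dict]) -> list[tuple[str, str]]:
    """(rule name, offending path) for every event that trips a rule, in event order."""
    findings = []
    for event in events:
        subject = event["image"] if event["id"] == 1 else event["target"]
        findings.extend((rule, subject) for rule in evaluate(event))
    return findings


if __name__ == "__main__":
    for rule, path in run(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

On the constructed events the temp file, the explorer-launched Excel and the iexplore-launched ie4uinit.exe stay quiet; the two PE writes and the Excel-to-rCLGjyS.exe start are reported. The location check is deliberately narrow: an Office process starting cmd.exe or rundll32.exe from System32 would pass it, so in production pair it with a separate list of living-off-the-land children.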

Networking:

Creates a COM Internet Explorer object
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Key opened (distinct keys, exact duplicates collapsed):
  • HKEY_CURRENT_USER_CLASSES\CLSID\{0002DF01-0000-0000-C000-000000000046}
  • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}
  • HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
  • HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid
  • HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID
  • HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
  • HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
  • HKEY_CURRENT_USER_Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Note: {0002DF01-0000-0000-C000-000000000046} is InternetExplorer.Application. The key sequence (TreatAs, ProgID, InprocServer32, InprocHandler32, InprocHandler, HKCU before HKLM) is the standard CoCreateInstance class resolution, matching the CoCreateInstance call listed under System Summary, and it accounts for the iexplore.exe -Embedding processes in the process list: the sample drives an Internet Explorer instance over COM. The https://prlottonews.xyz/index.htm URL below is recovered from Internet Explorer's own artifacts (a ~DF...TMP travel log and a {...}.dat index), consistent with that page being fetched through the COM-driven browser rather than by the sample's own socket code, so the TLS sessions on 443 will show iexplore.exe, not rCLGjyS.exe, as the originating process.
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 89.46.109.62
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View; JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Downloads files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VSU5KGAG\renoovohostinglilnuxadvanced[1].htm
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: istitutobpascalweb.it
Urls found in memory or binary data
Source: rCLGjyS.exe.0.dr; String found in binary or memory: http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r
Source: rCLGjyS.exe.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: rCLGjyS.exe.0.dr; String found in binary or memory: http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0#
Source: rCLGjyS.exe.0.dr; String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 77EC63BDA74BD0D0E0426DC8F8008506.0.dr; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rCLGjyS.exe.0.dr; String found in binary or memory: http://ocsp.sectigo.com0
Source: rCLGjyS.exe, 00000002.00000002.1360355939.00273000.00000004.00000020.sdmp, rCLGjyS.exe, 00000002.00000002.1361189190.02670000.00000004.00000040.sdmp; String found in binary or memory: https://prlottonews.xyz
Source: rCLGjyS.exe, 00000002.00000003.1288633434.002DD000.00000004.00000001.sdmp, ~DF7F511D59CEF8A3AB.TMP.5.dr; String found in binary or memory: https://prlottonews.xyz/index.htm
Source: {6E78C4B3-77F9-11EA-B813-B2C276BF9C88}.dat.20.dr; String found in binary or memory: https://prlottonews.xyz/index.htmRoot
Source: ~DF7F511D59CEF8A3AB.TMP.5.dr; String found in binary or memory: https://prlottonews.xyz/index.htmTravelLog
Source: rCLGjyS.exe, 00000002.00000002.1360355939.00273000.00000004.00000020.sdmp; String found in binary or memory: https://prlottonews.xyz/index.htmps://prlottonews.xyz/index.htm
Source: rCLGjyS.exe.0.dr; String found in binary or memory: https://sectigo.com/CPS0B
Source: rCLGjyS.exe.0.dr; String found in binary or memory: https://sectigo.com/CPS0C
Note: the crl.sectigo.com, crt.sectigo.com, ocsp.sectigo.com and sectigo.com/CPS strings sit in the dropped file's Authenticode signature block (CRL, issuer-certificate, OCSP and policy URLs of a Sectigo code-signing chain) and the windowsupdate.com URL is the Windows root-certificate update; none of them is attacker infrastructure. The only contacted URL is https://prlottonews.xyz/index.htm, and it is present both in rCLGjyS.exe memory and in the Internet Explorer artifacts.
Uses HTTPS
Source: unknown; Network traffic detected: HTTP traffic on port 49158 -> 443 and 443 -> 49158
Source: unknown; Network traffic detected: HTTP traffic on port 49160 -> 443 and 443 -> 49160

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match; File source: 00000002.00000002.1361189190.02670000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: rCLGjyS.exe PID: 1084, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match; File source: 00000002.00000002.1361189190.02670000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: rCLGjyS.exe PID: 1084, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0; Screenshot OCR: ENABLE EDITING ENABLE CONTENT
Source: Document image extraction number: 0; Screenshot OCR: ENABLE CONTENT
Source: Document image extraction number: 1; Screenshot OCR: ENABLE EDITING ENABLE CONTENT
Source: Document image extraction number: 1; Screenshot OCR: ENABLE CONTENT
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\508delicate[1].exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe
Writes or reads registry keys via WMI
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; WMI Registry write: the same five IWbemServices::ExecMethod calls on StdRegProv (SetDWORDValue, SetBinaryValue, SetDWORDValue, SetBinaryValue, SetStringValue)
Note: a StdRegProv method executes inside the WMI provider host, WmiPrvSE.exe, so the actual registry writes are attributed to that process rather than to rCLGjyS.exe. This analysis excluded WmiPrvSE.exe (see Warnings), which is why no key or value names appear in the report: only the ExecMethod calls on the client side were captured. Two DWORDs, two binary blobs and one string written this way is consistent with Ursnif storing its configuration in the registry, but the target keys would have to be recovered from a run that includes WmiPrvSE.exe, from a kernel-level registry callback (Sysmon event 13 records the write regardless of which user-mode API issued it), or from the hive itself.
Contains functionality to call native functions
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_00401EE1 NtQueryVirtualMemory (2_2_00401EE1)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001F152F memcpy,memcpy,lstrcatW,CreateEventA,_wcsupr,lstrlenW,NtQueryInformationProcess,CloseHandle (2_2_001F152F)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001F6FB6 NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,RtlNtStatusToDosError (2_2_001F6FB6)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001F2CD1 RtlInitUnicodeString,NtCreateKey (2_2_001F2CD1)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001F90C7 RtlInitUnicodeString,NtSetValueKey,NtDeleteValueKey,NtClose,RtlNtStatusToDosError (2_2_001F90C7)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_1_00401EE1 NtQueryVirtualMemory (2_1_00401EE1)
Note: besides the WMI route above, the sample carries its own registry code on the native API (NtCreateKey, NtSetValueKey, NtDeleteValueKey), bypassing the advapi32 Reg* layer that user-mode hooks usually watch; the NtOpenProcessToken/NtQueryInformationToken pair is a token inspection, typically used to learn the current integrity level or SID.
Detected potential crypto function
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_00401CC0
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001FB420
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001FABCA
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_1_00401CC0
Classification label
Source: classification engine; Classification label: mal100.bank.troj.expl.evad.winXLS@21/60@16/3
Contains functionality to instantiate COM classes
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001F1447 CoCreateInstance (2_2_001F1447)
Creates files inside the user directory
Source: C:\Program Files\Internet Explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery
Creates mutexes
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\90F7A2A5-38B3-D6A8-D158-77488CED749A
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRCE72.tmp
Document contains an OLE Workbook stream indicating a Microsoft Excel file
Source: adam.cefai-596971.xls; OLE indicator, Workbook stream: true
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Reads the hosts file
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: adam.cefai-596971.xls; VirusTotal detection: 13%
Source: adam.cefai-596971.xls; ReversingLabs detection: 17%
Spawns processes
Process starts, in order of appearance:
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown; Process created: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe 'C:\RPJbYuR\pvrDGVq\rCLGjyS.exe'
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown; Process created: C:\Windows\System32\ie4uinit.exe 'C:\Windows\System32\ie4uinit.exe' -ShowQLIcon
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1064 CREDAT:275457 /prefetch:2
Source: unknown; Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1064 CREDAT:1717255 /prefetch:2
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2808 CREDAT:275457 /prefetch:2
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3432 CREDAT:275457 /prefetch:2
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:400 CREDAT:275457 /prefetch:2
Parent/child relations recorded:
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe 'C:\RPJbYuR\pvrDGVq\rCLGjyS.exe'
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Windows\System32\ie4uinit.exe 'C:\Windows\System32\ie4uinit.exe' -ShowQLIcon
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1064 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:1064 CREDAT:1717255 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:2808 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3432 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:400 CREDAT:275457 /prefetch:2
Note: reading the tree, Excel runs with /automation -Embedding because the cookbook attached to Office via COM; Excel starts rCLGjyS.exe; each of the four iexplore.exe -Embedding instances (SCODEF 1064, 2808, 3432 and 400) is a COM-activated Internet Explorer, i.e. the InternetExplorer.Application object created under Networking, and ie4uinit.exe, ssvagent.exe and the /prefetch:2 tab processes are their ordinary children. rCLGjyS.exe is the only attacker-supplied process in the list; the other 22 are the host environment reacting to it, and the 23 processes in General Information add up accordingly.
Uses an in-process (OLE) Automation server
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Note: {4590F811-1D3A-11D0-891F-00AA004B2E24} is CLSID_WbemLocator, the entry point into WMI; this is the object behind the StdRegProv registry writes listed above.
Writes ini files
Source: C:\Windows\System32\ie4uinit.exe; File written: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Document has a 'vbamacros' value indicative of goodware
Source: adam.cefai-596971.xls; Initial sample: OLE indicators vbamacros = False
Document has an 'encrypted' value indicative of goodware
Source: adam.cefai-596971.xls; Initial sample: OLE indicators encrypted = True
Note: both "goodware" indicators point the wrong way for this sample. vbamacros = False only says there is no VBA project; the download-and-execute behaviour recorded under Software Vulnerabilities came from Excel itself, which is how Excel 4.0 macro sheets behave. encrypted = True, together with the 7.985-bit Workbook stream entropy reported further down, means the workbook content is encrypted, yet Excel opened it without prompting for a password. The usual explanation is encryption with Excel's built-in default password, VelvetSweatshop, which Excel tries silently on every encrypted workbook; static scanners that do not try it see only ciphertext. Decrypt before any static inspection, for example with msoffcrypto-tool -p VelvetSweatshop adam.cefai-596971.xls decrypted.xls, then look for macro sheets in the decrypted Workbook stream.

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Unpacked PE file: 2.2.rCLGjyS.exe.400000.1.unpack; sections .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Unpacked PE file: 2.2.rCLGjyS.exe.400000.1.unpack
Note: the two section tables at image base 0x400000 differ (.rsrc on one side, .bss and .reloc on the other) and the header was rewritten, so the image was replaced in place by a second PE. The Avira labels under AV Detection are on these dumped images; the Yara Ursnif match is on a separate memory region at 0x02670000, so the recognisable payload also lives outside the main module.
Contains functionality to dynamically determine API calls
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_00401A1C GetModuleHandleW,LoadLibraryW,GetProcAddress (2_2_00401A1C)
Uses code obfuscation techniques (call, push, ret)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_00401CAF push ecx; ret (2_2_00401CBF)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001DB7C0 push edx; ret (2_2_001DB94E)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001D589F push ecx; retf (2_2_001D58A1)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001D34CA push ebp; iretd (2_2_001D34CB)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001D2DD5 pushfd ; retf (2_2_001D2DDB)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001D2637 push ds; iretw (2_2_001D2639)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001D365F push edx; iretd (2_2_001D3669)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_2_001FB40F push ecx; ret (2_2_001FB41F)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe; Code function: 2_1_00401CAF push ecx; ret (2_1_00401CBF)

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\508delicate[1].exe
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File created: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe
Note: no persistence mechanism (Run key, scheduled task, service) is recorded. The run ended on timeout, and the sample's registry writes went through WMI (System Summary), where the process performing them, WmiPrvSE.exe, was excluded from analysis, so registry-based persistence would be invisible in this report even if it was set up.

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match; File source: 00000002.00000002.1361189190.02670000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: rCLGjyS.exe PID: 1084, type: MEMORY
Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process information set: NOOPENFILEERRORBOX (29 occurrences)
Source: C:\Windows\System32\ie4uinit.exe; Process information set: NOOPENFILEERRORBOX (5 occurrences)
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe; Process information set: NOOPENFILEERRORBOX (4 occurrences)
Note: every SetErrorMode hit comes from Excel, the Internet Explorer setup helper and the Java SSV agent, not from rCLGjyS.exe; suppressing the open-file error box is routine for these applications and carries no weight on its own.
Document contains OLE streams with high entropy indicating encrypted embedded content
Source: adam.cefai-596971.xls; Stream path 'Workbook' entropy: 7.9854449002 (max. 8.0)
Note: it is the whole Workbook stream, not an embedded object, that is near-random, which matches the OLE encrypted = True indicator under System Summary: the workbook content is encrypted, and a static macro scanner that does not decrypt it first sees nothing.

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe | Window / User API: threadDelayed 896
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe TID: 2252 | Thread sleep count: 896 > 30
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe TID: 2252 | Thread sleep time: -53760000s >= -30000s
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe TID: 2252 | Thread sleep time: -60000s >= -30000s
Enumerates the file system
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user
Source: C:\Windows\System32\ie4uinit.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Program exit points
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe | API call chain: ExitProcess graph end node | graph_2-4041

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe | Code function: 2_2_00401A1C GetModuleHandleW,LoadLibraryW,GetProcAddress | 2_2_00401A1C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe | Code function: 2_2_00401076 EntryPoint,GetModuleHandleA,GetProcessHeap,GetCurrentThread,WaitForSingleObject,ExitProcess | 2_2_00401076
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe | Memory protected: page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: rCLGjyS.exe, 00000002.00000002.1360689916.00620000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: rCLGjyS.exe, 00000002.00000002.1360689916.00620000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: rCLGjyS.exe, 00000002.00000002.1360689916.00620000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe | Code function: 2_2_001F893A cpuid | 2_2_001F893A
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\ie4uinit.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\ie4uinit.exe | Queries volume information: C:\Program Files\Internet Explorer\iexplore.exe VolumeInformation
Contains functionality to query local / system time
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe | Code function: 2_2_00401668 GetSystemTimeAsFileTime,memcpy,memcpy,memcpy,memset | 2_2_00401668
Queries the cryptographic machine GUID
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe | WMI Queries: IWbemServices::ExecQuery - select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000002.00000002.1361189190.02670000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rCLGjyS.exe PID: 1084, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000002.00000002.1361189190.02670000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rCLGjyS.exe PID: 1084, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 220459 | Sample: adam.cefai-596971.xls | Startdate: 06/04/2020 | Architecture: WINDOWS | Score: 100

Behavior graph (image; legend icons not recoverable as text). Nodes and edges recovered from the graph:

Root (node 2): signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 5 other signatures. Started: EXCEL.EXE (node 7), iexplore.exe (node 12), iexplore.exe (node 14), 2 other processes (node 16).
EXCEL.EXE (node 7): DNS/IP: istitutobpascalweb.it (89.46.109.62, 443, 49158, 49160, unknown, Italy); www.istitutobpascalweb.it. Dropped: C:\Users\user\AppData\...\508delicate[1].exe (PE32); C:\RPJbYuR\pvrDGVq\rCLGjyS.exe (PE32). Signatures: Document exploit detected (creates forbidden files); Document exploit detected (process start blacklist hit); Document exploit detected (UrlDownloadToFile). Started: rCLGjyS.exe (node 18).
iexplore.exe (node 12): Started: iexplore.exe (node 22), iexplore.exe (node 24), ie4uinit.exe (node 26).
iexplore.exe (node 14): Started: iexplore.exe (node 28).
2 other processes (node 16): Started: iexplore.exe (node 30), iexplore.exe (node 32).
rCLGjyS.exe (node 18): DNS/IP: prlottonews.xyz. Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); 4 other signatures.
iexplore.exe (node 22): DNS/IP: prlottonews.xyz; 2 other IPs or domains. Started: ssvagent.exe (node 34).
iexplore.exe (nodes 24, 28, 30, 32): DNS/IP: prlottonews.xyz.

Simulations

Behavior and APIs

Time | Type | Description
13:24:33 | API Interceptor | 1912x Sleep call for process: rCLGjyS.exe modified
13:24:34 | API Interceptor | 2x Sleep call for process: ie4uinit.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
adam.cefai-596971.xls | 14% | Virustotal |
adam.cefai-596971.xls | 18% | ReversingLabs | Document-Word.Trojan.Pederr

Dropped Files

Source | Detection | Scanner | Label
C:\RPJbYuR\pvrDGVq\rCLGjyS.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\508delicate[1].exe | 100% | Joe Sandbox ML |
C:\RPJbYuR\pvrDGVq\rCLGjyS.exe | 46% | Virustotal |
C:\RPJbYuR\pvrDGVq\rCLGjyS.exe | 45% | Metadefender |
C:\RPJbYuR\pvrDGVq\rCLGjyS.exe | 87% | ReversingLabs | Win32.Trojan.Netwalker
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\508delicate[1].exe | 46% | Virustotal |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\508delicate[1].exe | 45% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPFGGPGF\508delicate[1].exe | 87% | ReversingLabs | Win32.Trojan.Netwalker

Unpacked PE Files

Source | Detection | Scanner | Label
2.2.rCLGjyS.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.2.rCLGjyS.exe.1e0000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen
2.1.rCLGjyS.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner | Label
www.istitutobpascalweb.it | 6% | Virustotal |
istitutobpascalweb.it | 6% | Virustotal |
prlottonews.xyz | 12% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://prlottonews.xyz/index.htmTravelLog | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 1% | Virustotal |
http://crl.sectigo.com/COMODOTimeStampingCA_2.crl0r | 0% | URL Reputation | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | Virustotal |
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
https://prlottonews.xyz/index.htmps://prlottonews.xyz/index.htm | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | Virustotal |
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
https://prlottonews.xyz | 10% | Virustotal |
https://prlottonews.xyz | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0B | 0% | Virustotal |
https://sectigo.com/CPS0B | 0% | URL Reputation | safe
https://prlottonews.xyz/index.htmRoot | 0% | Avira URL Cloud | safe
https://prlottonews.xyz/index.htm | 3% | Virustotal |
https://prlottonews.xyz/index.htm | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | Virustotal |
http://crt.sectigo.com/COMODOTimeStampingCA_2.crt0# | 0% | URL Reputation | safe
https://sectigo.com/CPS0C | 0% | Virustotal |
https://sectigo.com/CPS0C | 0% | URL Reputation | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000002.00000002.1361189190.02670000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
Process Memory Space: rCLGjyS.exe PID: 1084 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection
89.46.109.62 | accounts-586355.xls | malicious
89.46.109.62 | accounts-586355.xls | malicious
89.46.109.62 | dommains33522637066.xls | malicious
            dommains335226370