Analysis Report http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls

Overview

General Information

Sample URL: http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls
Analysis ID: 330745

Detection

Hidden Macro 4.0 Ursnif
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Injects files into Windows application
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes registry values via WMI
Yara detected hidden Macro 4.0 in Excel
Allocates a big amount of memory (probably used for heap spraying)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 1MB later: 115MB

Networking:

Downloads files with wrong headers with respect to MIME Content-Type
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 15 Dec 2020 14:43:00 GMT Server: Apache/2.4.25 (Debian) Last-Modified: Tue, 15 Dec 2020 09:56:58 GMT ETag: "7d000-5b67dc7836e80" Accept-Ranges: bytes Content-Length: 512000 Connection: close Content-Type: image/png
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Tue, 15 Dec 2020 14:43:00 GMT Server: Apache/2.4.25 (Debian) Last-Modified: Tue, 15 Dec 2020 09:56:58 GMT ETag: "7d000-5b67dc7836e80" Accept-Ranges: bytes Content-Length: 512000 Connection: close Content-Type: image/png
Source: global traffic HTTP traffic detected: GET /ref-151220-BTC2XU590R2HT8.xls HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko Accept: */* Accept-Encoding: identity Host: snenpinfrresertts.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /str.png HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: snenpinfrresertts.com Connection: Keep-Alive
Source: msapplication.xml0.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc3a9ffe4,0x01d6d2f0</date><accdate>0xc3a9ffe4,0x01d6d2f0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xc3a9ffe4,0x01d6d2f0</date><accdate>0xc3a9ffe4,0x01d6d2f0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc3aec46c,0x01d6d2f0</date><accdate>0xc3aec46c,0x01d6d2f0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xc3aec46c,0x01d6d2f0</date><accdate>0xc3aec46c,0x01d6d2f0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc3aec46c,0x01d6d2f0</date><accdate>0xc3aec46c,0x01d6d2f0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.17.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xc3aec46c,0x01d6d2f0</date><accdate>0xc3aec46c,0x01d6d2f0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: snenpinfrresertts.com
Source: rundll32.exe, 00000004.00000003.747626172.0000000005F50000.00000004.00000040.sdmp String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: wget.exe, 00000002.00000002.653836313.00000000001C5000.00000004.00000040.sdmp, cmdline.out.2.dr String found in binary or memory: http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls
Source: wget.exe, 00000002.00000002.653836313.00000000001C5000.00000004.00000040.sdmp String found in binary or memory: http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls-
Source: wget.exe, 00000002.00000002.653836313.00000000001C5000.00000004.00000040.sdmp String found in binary or memory: http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xlspose
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: msapplication.xml.17.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.17.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.17.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.17.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.17.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.17.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.17.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.17.dr String found in binary or memory: http://www.youtube.com/
Source: rundll32.exe, 00000004.00000003.747626172.0000000005F50000.00000004.00000040.sdmp String found in binary or memory: https://toldtonts.website
Source: rundll32.exe, 00000004.00000003.928235723.0000000000DB1000.00000004.00000001.sdmp String found in binary or memory: https://toldtonts.website/
Source: rundll32.exe, 00000004.00000003.928235723.0000000000DB1000.00000004.00000001.sdmp String found in binary or memory: https://toldtonts.website/E
Source: rundll32.exe, 00000004.00000002.1088930017.0000000000DA6000.00000004.00000001.sdmp, ~DF6CC44F9D650874C3.TMP.17.dr String found in binary or memory: https://toldtonts.website/index.htm
Source: {ECA749BB-3EE3-11EB-90EB-ECF4BBEA1588}.dat.17.dr String found in binary or memory: https://toldtonts.website/index.htmRoot
Source: {ECA749BB-3EE3-11EB-90EB-ECF4BBEA1588}.dat.17.dr String found in binary or memory: https://toldtonts.website/index.htmite/index.htm
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr String found in binary or memory: https://webshell.suite.office.com
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr String found in binary or memory: https://wus2-000.contentsync.
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr String found in binary or memory: https://wus2-000.pagecontentsync.
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: BE0FADF8-31F9-477B-BB91-AE55517E7242.3.dr String found in binary or memory: https://www.odwebp.svc.ms
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.747626172.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747278419.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748655251.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747986077.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748565990.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747784344.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748768619.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748706961.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748439771.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747923961.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747187809.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748882453.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747462773.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748866102.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1090108573.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748524369.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748742031.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747541752.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748483745.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747705654.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748046989.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748608001.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747851363.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.754701787.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748794995.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747089322.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747369834.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748817707.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748192310.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748306925.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748386504.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748126666.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748842412.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748249184.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6524, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\rsfsv\drgd.dbvf Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\str[1].png Jump to dropped file
Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Yara signature match
Source: C:\Users\user\Desktop\download\ref-151220-BTC2XU590R2HT8.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: classification engine Classification label: mal84.troj.expl.evad.win@16/46@6/3
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:684:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{850317AA-8546-462C-B1FE-96E615861FA5} - OProcSessId.dat Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls' > cmdline.out 2>&1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls'
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls' Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Windows\SysWOW64\wget.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: Binary string: c:\CompanyLast\SideCircle\LawRoad\storyForm\numberEat\smell.pdb source: drgd.dbvf.3.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_3_05F519A0 push ds; ret 4_3_05F519B1

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\rsfsv\drgd.dbvf Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\str[1].png Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\str[1].png Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\rsfsv\drgd.dbvf Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\rundll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\str[1].png Jump to dropped file
Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: wget.exe, 00000002.00000002.654002429.0000000000B78000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 45.142.213.232 187 Jump to behavior
Injects files into Windows application
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Injected file: C:\Users\user\Desktop\download\ref-151220-BTC2XU590R2HT8.xls was created by C:\Windows\SysWOW64\wget.exe Jump to behavior
Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: C:\Users\user\Desktop\download\ref-151220-BTC2XU590R2HT8.xls, type: DROPPED
Source: rundll32.exe, 00000004.00000002.1089562585.0000000003230000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000004.00000002.1089562585.0000000003230000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000004.00000002.1089562585.0000000003230000.00000002.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000004.00000002.1089562585.0000000003230000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\wget.exe Queries volume information: C:\Users\user\Desktop\download VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.747626172.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747278419.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748655251.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747986077.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748565990.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747784344.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748768619.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748706961.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748439771.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747923961.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747187809.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748882453.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747462773.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748866102.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1090108573.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748524369.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748742031.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747541752.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748483745.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747705654.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748046989.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748608001.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747851363.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.754701787.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748794995.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747089322.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747369834.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748817707.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748192310.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748306925.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748386504.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748126666.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748842412.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748249184.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6524, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.747626172.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747278419.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748655251.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747986077.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748565990.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747784344.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748768619.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748706961.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748439771.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747923961.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747187809.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748882453.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747462773.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748866102.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1090108573.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748524369.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748742031.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747541752.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748483745.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747705654.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748046989.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748608001.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747851363.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.754701787.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748794995.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747089322.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.747369834.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748817707.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748192310.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748306925.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748386504.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748126666.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748842412.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.748249184.0000000005F50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6524, type: MEMORY

Behavior Graph (ID: 330745; URL: http://snenpinfrresertts.co...; Startdate: 15/12/2020; Architecture: WINDOWS; Score: 84)

Top-level signatures: Yara detected Ursnif; Downloads files with wrong headers with respect to MIME Content-Type; Sigma detected: Microsoft Office Product Spawning Windows Shell; 2 other signatures

Process tree and observed activity (recovered from the graph):
  EXCEL.EXE
    DNS: snenpinfrresertts.com
    Dropped: C:\rsfsv\drgd.dbvf (PE32); C:\Users\user\AppData\Local\...\str[1].png (PE32)
    Signatures: Document exploit detected (process start blacklist hit); Injects files into Windows application
    started rundll32.exe
      Signatures: System process connects to network (likely due to code injection or exploit); Writes registry values via WMI
  iexplore.exe
    started iexplore.exe
      Network: toldtonts.website 45.142.213.232, ports 443, 49767, 49768, CLOUDSOLUTIONSRU, Russian Federation
      Dropped: C:\Users\user\AppData\Local\...\http_404[1] (HTML); C:\Users\user\...\httpErrorPagesScripts[1] (UTF-8)
  iexplore.exe
    started iexplore.exe
      Network: 192.168.2.1 (unknown)
      Dropped: C:\Users\user\AppData\Local\...\http_404[2] (HTML); C:\Users\user\...\httpErrorPagesScripts[1] (UTF-8)
  2 other processes
    started wget.exe
      Network: snenpinfrresertts.com 176.118.165.119, ports 49746, 49750, 80, DIGITALENERGY-ASRU, Russian Federation
      Dropped: C:\Users\...\ref-151220-BTC2XU590R2HT8.xls
    started iexplore.exe
    started conhost.exe


Contacted Public IPs

IP               Domain   Country             ASN     ASN Name            Malicious
176.118.165.119  unknown  Russian Federation  43830   DIGITALENERGY-ASRU  false
45.142.213.232   unknown  Russian Federation  202933  CLOUDSOLUTIONSRU    true

Private IPs

IP
192.168.2.1

Contacted Domains

Name                   IP               Active
snenpinfrresertts.com  176.118.165.119  true
toldtonts.website      45.142.213.232   true

Contacted URLs

Name                                                        Malicious  Antivirus Detection    Reputation
http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls  true                              unknown
http://snenpinfrresertts.com/str.png                        true       Avira URL Cloud: safe  unknown