Play interactive tourEdit tour
Analysis Report http://snenpinfrresertts.com/ref-151220-BTC2XU590R2HT8.xls
Overview
General Information
Detection
Hidden Macro 4.0 Ursnif
Score: | 84 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Injects files into Windows application
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes registry values via WMI
Yara detected hidden Macro 4.0 in Excel
Allocates a big amount of memory (probably used for heap spraying)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Yara signature match
Classification
Startup |
---|
|
Malware Configuration |
---|
No configs have been found |
---|
Yara Overview |
---|
Dropped Files |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC |
| |
JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security |
Memory Dumps |
---|
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
Click to see the 30 entries |
Sigma Overview |
---|
System Summary: |
---|
Sigma detected: Microsoft Office Product Spawning Windows Shell | Show sources |
Source: | Author: Michael Haag, Florian Roth, Markus Neis: |
Signature Overview |
---|
Click to jump to signature section
Show All Signature Results
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) | Show sources |
Source: | Process created: |
Source: | Memory has grown: |
Networking: |
---|
Downloads files with wrong headers with respect to MIME Content-Type | Show sources |
Source: | Image file has PE prefix: |