Source: Dridex-06-bc1b.xlsm |
Avira: detected |
Source: Dridex-06-bc1b.xlsm |
Virustotal: Detection: 50% |
Perma Link |
Source: Dridex-06-bc1b.xlsm |
ReversingLabs: Detection: 58% |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Section loaded: unknown origin: URLDownloadToFileA |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\56C9D0A7.emf |
Jump to behavior |
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp |
String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com |
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp |
String found in binary or memory: http://investor.msn.com/ |
Source: DWWIN.EXE, 00000003.00000002.3523274332.0000000003637000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XML.asp |
Source: DWWIN.EXE, 00000003.00000002.3523274332.0000000003637000.00000002.00000001.sdmp |
String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: DWWIN.EXE, 00000003.00000002.3521034549.00000000023E0000.00000002.00000001.sdmp |
String found in binary or memory: http://servername/isapibackend.dll |
Source: DWWIN.EXE, 00000003.00000002.3523274332.0000000003637000.00000002.00000001.sdmp |
String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: DWWIN.EXE, 00000003.00000002.3523274332.0000000003637000.00000002.00000001.sdmp |
String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp |
String found in binary or memory: http://www.hotmail.com/oe |
Source: DWWIN.EXE, 00000003.00000002.3523274332.0000000003637000.00000002.00000001.sdmp |
String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp |
String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp |
String found in binary or memory: http://www.windows.com/pctv. |
Source: Dridex-06-bc1b.xlsm |
OLE, VBA macro line: Private Sub pagoUno_Layout() |
|
Source: Dridex-06-bc1b.xlsm |
OLE indicator, VBA macros: true |
Source: unknown |
Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1228 |
Source: DWWIN.EXE, 00000003.00000002.3522976184.0000000003450000.00000002.00000001.sdmp |
Binary or memory string: .VBPud<_ |
Source: classification engine |
Classification label: mal64.expl.winXLSM@5/6@0/0 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\Desktop\~$Dridex-06-bc1b.xlsm |
Jump to behavior |
Source: C:\Windows\System32\DWWIN.EXE |
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1916 |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File created: C:\Users\user\AppData\Local\Temp\CVRF66F.tmp |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File read: C:\Users\desktop.ini |
Jump to behavior |
Source: C:\Windows\System32\DWWIN.EXE |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: Dridex-06-bc1b.xlsm |
Virustotal: Detection: 50% |
Source: Dridex-06-bc1b.xlsm |
ReversingLabs: Detection: 58% |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding |
|
Source: unknown |
Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1228 |
|
Source: unknown |
Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1228 |
|
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process created: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE 'C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE' -x -s 1228 |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE |
Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1228 |
Jump to behavior |
Source: C:\Windows\System32\DWWIN.EXE |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{713AACC8-3B71-435C-A3A1-BE4E53621AB1}\InProcServer32 |
Jump to behavior |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: Dridex-06-bc1b.xlsm |
Initial sample: OLE zip file path = xl/media/image2.png |
Source: Dridex-06-bc1b.xlsm |
Initial sample: OLE zip file path = xl/media/image3.png |
Source: Dridex-06-bc1b.xlsm |
Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Jump to behavior |
Source: Dridex-06-bc1b.xlsm |
Initial sample: OLE indicators vbamacros = False |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\DWWIN.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\DWWIN.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\DWWIN.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\DWWIN.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\DWWIN.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\DWWIN.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\DWWIN.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\DWWIN.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\DWWIN.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\System32\DWWIN.EXE |
Window / User API: foregroundWindowGot 483 |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE |
Process information queried: ProcessInformation |
Jump to behavior |
Source: C:\Program Files\Common Files\Microsoft Shared\DW\DW20.EXE |
Process created: C:\Windows\System32\DWWIN.EXE C:\Windows\system32\dwwin.exe -x -s 1228 |
Jump to behavior |
Source: DWWIN.EXE, 00000003.00000002.3520684964.0000000000770000.00000002.00000001.sdmp |
Binary or memory string: Program Manager |
Source: DWWIN.EXE, 00000003.00000002.3520684964.0000000000770000.00000002.00000001.sdmp |
Binary or memory string: Shell_TrayWnd |
Source: DWWIN.EXE, 00000003.00000002.3520684964.0000000000770000.00000002.00000001.sdmp |
Binary or memory string: !Progman |