Analysis Report document-1370071295.xls

Overview

General Information

Sample Name: document-1370071295.xls
Analysis ID: 381642
MD5: 09d41d14738707c2ce1e28b2313e1e5c
SHA1: 5714bc70d7d24c3db8c939c89fcea4b1d62736df
SHA256: 4844dc6311611acbba6d5afd762bcee79e3b4a5cc0d3d89b0ddc9c486f7b8d5e
Tags: IcedIDxls

Detection

Hidden Macro 4.0 Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Ursnif
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes registry values via WMI
Yara detected hidden Macro 4.0 in Excel
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 6.2.rundll32.exe.2e39590.9.raw.unpack Malware Configuration Extractor: Ursnif [{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]
Multi AV Scanner detection for domain / URL
Source: accesslinksgroup.com Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: document-1370071295.xls Virustotal: Detection: 16%
Source: document-1370071295.xls Metadefender: Detection: 18%
Source: document-1370071295.xls ReversingLabs: Detection: 48%
Machine Learning detection for dropped file
Source: C:\Users\user\fikftkm.thj2 Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.rundll32.exe.2a0000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 6.2.rundll32.exe.10000000.10.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 207.174.213.126:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.241.62.4:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.100.155.169:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.50.218.68:443 -> 192.168.2.22:49174 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001C12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 6_2_001C12D4

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 0104[1].gif.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.174.213.126
Source: Joe Sandbox View IP Address: 162.241.62.4
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: vts.us.com
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000006.00000002.2504310287.00000000004CD000.00000004.00000020.sdmp String found in binary or memory: http://under17.com
Source: rundll32.exe, 00000006.00000002.2504310287.00000000004CD000.00000004.00000020.sdmp String found in binary or memory: http://under17.com/joomla/W8irzuIA03OC/DHBetYa3Vzl/hddQ_2FkuTZ0IV/Oq1yvMr7E_2Frfr6f90DE/Wv_2B_2Bqw4C
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2108249236.0000000001D67000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102325978.0000000001F17000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504417204.0000000001CA7000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504688386.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173362712.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2167173953.0000000001CC7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.2166965953.0000000001AE0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown HTTPS traffic detected: 207.174.213.126:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.241.62.4:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.22:49172 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.100.155.169:443 -> 192.168.2.22:49173 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.50.218.68:443 -> 192.168.2.22:49174 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.10000000.10.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2764, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.10000000.10.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2764, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please elk 14 Ru
Source: Screenshot number: 8 Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please clic 14 R
Source: Screenshot number: 12 Screenshot OCR: Enable Editing, please click Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18
Source: Screenshot number: 12 Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Document image extraction number: 9 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 15 Screenshot OCR: Enable Editing from the yellow bar above CB Once You have Enable Editing, please click Enable Cont
Source: Document image extraction number: 15 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? W You are using IDS or And
Source: Screenshot number: 16 Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 16 Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Found Excel 4.0 Macro with suspicious formulas
Source: document-1370071295.xls Initial sample: CALL
Source: document-1370071295.xls Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: document-1370071295.xls Initial sample: Sheet size: 4081
Source: document-1370071295.xls Initial sample: Sheet size: 12790
Found obfuscated Excel 4.0 Macro
Source: document-1370071295.xls Initial sample: High usage of CHAR() function: 40
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001D9F NtMapViewOfSection, 6_2_10001D9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001EB5 GetProcAddress,NtCreateSection,memset, 6_2_10001EB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10002375 NtQueryVirtualMemory, 6_2_10002375
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001C83B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 6_2_001C83B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001CB341 NtQueryVirtualMemory, 6_2_001CB341
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A348F 6_2_002A348F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A6424 6_2_002A6424
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1000 6_2_002A1000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1918 6_2_002A1918
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A3314 6_2_002A3314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A596E 6_2_002A596E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A237B 6_2_002A237B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A247B 6_2_002A247B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A5C76 6_2_002A5C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1374 6_2_002A1374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A554B 6_2_002A554B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A4859 6_2_002A4859
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A3FA8 6_2_002A3FA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A3A85 6_2_002A3A85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1B95 6_2_002A1B95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A28EB 6_2_002A28EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A20EE 6_2_002A20EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A52EC 6_2_002A52EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A5AF6 6_2_002A5AF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A3BDB 6_2_002A3BDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10002154 6_2_10002154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001C4094 6_2_001C4094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001CB11C 6_2_001CB11C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001C97F2 6_2_001C97F2
Document contains embedded VBA macros
Source: document-1370071295.xls OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif A05711289E9F8DBA5F0CE5FE3B3096F8C181F537D169997E2DB30F83036052D3
Source: Joe Sandbox View Dropped File: C:\Users\user\fikftkm.thj2 A05711289E9F8DBA5F0CE5FE3B3096F8C181F537D169997E2DB30F83036052D3
Yara signature match
Source: document-1370071295.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: document-1370071295.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2108057689.0000000001B80000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102163408.0000000001D30000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2504193532.0000000001AC0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504502612.00000000020F0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2173123549.0000000001C10000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@19/59@7/6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001C757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 6_2_001C757F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001C7B5D SetWaitableTimer,CoCreateInstance,CoSetProxyBlanket, 6_2_001C7B5D
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\19CE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC1D8.tmp
Source: document-1370071295.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj,DllRegisterServer
Source: document-1370071295.xls Virustotal: Detection: 16%
Source: document-1370071295.xls Metadefender: Detection: 18%
Source: document-1370071295.xls ReversingLabs: Detection: 48%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj4,DllRegisterServer
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2824 CREDAT:275457 /prefetch:2
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3004 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj4,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2824 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3004 CREDAT:275457 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001745 LoadLibraryA,GetProcAddress, 6_2_10001745
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx 6_2_002A34A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx 6_2_002A3632
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A348F push 00000000h; mov dword ptr [esp], edx 6_2_002A37FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A348F push edx; mov dword ptr [esp], 00000002h 6_2_002A384A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A348F push 00000000h; mov dword ptr [esp], ecx 6_2_002A38D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A6194 push eax; mov dword ptr [esp], 00000004h 6_2_002A61AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A6194 push esi; mov dword ptr [esp], 00001000h 6_2_002A61B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A6194 push 00000000h; mov dword ptr [esp], ebp 6_2_002A6267
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A6424 push dword ptr [ebp-08h]; mov dword ptr [esp], esp 6_2_002A644D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A6424 push 00000000h; mov dword ptr [esp], edi 6_2_002A64EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A6424 push 00000000h; mov dword ptr [esp], ecx 6_2_002A657A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A6424 push 00000000h; mov dword ptr [esp], ebp 6_2_002A65D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A6424 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 6_2_002A66E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A6424 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx 6_2_002A6736
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A463F push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 6_2_002A4648
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A463F push ebp; mov dword ptr [esp], 00000003h 6_2_002A46A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A463F push ebx; mov dword ptr [esp], 00F00000h 6_2_002A46AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A6633 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 6_2_002A66E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A6633 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx 6_2_002A6736
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1000 push 00000000h; mov dword ptr [esp], ebp 6_2_002A110A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1000 push 00000000h; mov dword ptr [esp], ebx 6_2_002A1146
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1000 push 00000000h; mov dword ptr [esp], ebp 6_2_002A118E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1000 push ebp; mov dword ptr [esp], 00000002h 6_2_002A1270
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1000 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 6_2_002A12E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1918 push dword ptr [ebp-24h]; mov dword ptr [esp], ebx 6_2_002A1927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1918 push 00000000h; mov dword ptr [esp], ecx 6_2_002A1B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1918 push 00000000h; mov dword ptr [esp], esi 6_2_002A1CD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1918 push 00000000h; mov dword ptr [esp], esi 6_2_002A1D37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1918 push dword ptr [ebp-20h]; mov dword ptr [esp], esi 6_2_002A1DC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1918 push 00000000h; mov dword ptr [esp], ebp 6_2_002A1E4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A1918 push dword ptr [ebp-20h]; mov dword ptr [esp], ecx 6_2_002A1F23

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.10000000.10.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2764, type: MEMORY
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001C12D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 6_2_001C12D4

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001745 LoadLibraryA,GetProcAddress, 6_2_10001745
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_002A2DF5 or edx, dword ptr fs:[00000030h] 6_2_002A2DF5

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: document-1370071295.xls, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Yara detected Xls With Macro 4.0
Source: Yara match File source: document-1370071295.xls, type: SAMPLE
Source: rundll32.exe, 00000005.00000002.2504123727.00000000006C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504465351.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000005.00000002.2504123727.00000000006C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504465351.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000005.00000002.2504123727.00000000006C0000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2504465351.0000000000CF0000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001C269C cpuid 6_2_001C269C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_1000102F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 6_2_1000102F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_001C269C RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 6_2_001C269C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 6_2_10001850
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.10000000.10.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2764, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.2504044164.0000000000170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.10000000.10.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000006.00000003.2495224017.00000000030CD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.2357108464.00000000031CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2764, type: MEMORY
Behavior Graph (ID: 381642, Sample: document-1370071295.xls, Startdate: 04/04/2021, Architecture: WINDOWS, Score: 100). The graph image is not reproduced; its recoverable content follows.

Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 13 other signatures.

Process tree: EXCEL.EXE is started, contacts accesslinksgroup.com (192.185.129.4, port 443, UNIFIEDLAYER-AS-1US, United States) and mundotecnologiasolar.com (162.241.62.4, port 443, UNIFIEDLAYER-AS-1US, United States) plus 3 other IPs or domains, drops C:\Users\user\fikftkm.thj2 (PE32), C:\Users\user\AppData\Local\...\0104[1].gif (PE32) and C:\Users\user\fikftkm.thj (HTML), triggers "Document exploit detected (UrlDownloadToFile)", and starts three rundll32.exe processes and 2 other processes. One rundll32.exe starts a further rundll32.exe, which triggers "Writes registry values via WMI". Two iexplore.exe processes are also started; one child iexplore.exe contacts under17.com (185.243.114.196, port 80, ACCELERATED-ITDE, Netherlands), the other contacts prda.aadg.msidentity.com, login.microsoftonline.com and a.privatelink.msidentity.com.

Contacted Public IPs

| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 207.174.213.126 | vts.us.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |
| 162.241.62.4 | mundotecnologiasolar.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false |
| 5.100.155.169 | ponchokhana.com | United Kingdom | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false |
| 185.243.114.196 | under17.com | Netherlands | 31400 | ACCELERATED-ITDE | true |
| 198.50.218.68 | comosairdoburaco.com.br | Canada | 16276 | OVHFR | false |
| 192.185.129.4 | accesslinksgroup.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true |

Contacted Domains

| Name | IP | Active |
|---|---|---|
| mundotecnologiasolar.com | 162.241.62.4 | true |
| accesslinksgroup.com | 192.185.129.4 | true |
| ponchokhana.com | 5.100.155.169 | true |
| under17.com | 185.243.114.196 | true |
| vts.us.com | 207.174.213.126 | true |
| comosairdoburaco.com.br | 198.50.218.68 | true |
| login.microsoftonline.com | unknown | unknown |

Contacted URLs

Name Malicious Antivirus Detection Reputation
0 true low