Analysis Report catalogue-41.xlsb

Overview

General Information

Sample Name: catalogue-41.xlsb
Analysis ID: 382840
MD5: 3ab9cf4d043027eae77763f1addd41af
SHA1: 753abe817ad3a4b2c5cb71ea139924ac1179e6f1
SHA256: 968278e0bd31a649e48f01fa8eac1291d41a5015dfcfed6ad45739a181a50b40
Tags: Hostgatorxlsb

Detection

Hidden Macro 4.0 Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Machine Learning detection for dropped file
Office process drops PE file
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Yara detected Xls With Macro 4.0

Startup

  • System is w10x64
  • EXCEL.EXE (PID: 4600 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • rundll32.exe (PID: 4276 cmdline: rundll32 ..\fikftkm.thj,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4876 cmdline: rundll32 ..\fikftkm.thj1,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6356 cmdline: rundll32 ..\fikftkm.thj2,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6392 cmdline: rundll32 ..\fikftkm.thj3,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 6424 cmdline: rundll32 ..\fikftkm.thj4,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Ursnif

[[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]

Yara Overview

Initial Sample

Source: app.xml | Rule: JoeSecurity_XlsWithMacro4 | Description: Yara detected Xls With Macro 4.0 | Author: Joe Security

Memory Dumps

Source: 00000004.00000002.270814494.00000000041A0000.00000004.00000001.sdmp | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security

Unpacked PEs

Source: 4.2.rundll32.exe.41a0000.2.raw.unpack | Rule: JoeSecurity_Ursnif_1 | Description: Yara detected Ursnif | Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.41a0000.2.raw.unpack | Malware Configuration Extractor: Ursnif (configuration as listed under Malware Configuration above)
Machine Learning detection for dropped file
Source: C:\Users\user\fikftkm.thj1 | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\0504[1].gif | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown | HTTPS traffic detected: 108.167.180.111:443 -> 192.168.2.3:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.100.152.162:443 -> 192.168.2.3:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 43.229.135.209:443 -> 192.168.2.3:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 5.100.155.169:443 -> 192.168.2.3:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 50.116.95.68:443 -> 192.168.2.3:49720 version: TLS 1.2

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: 0504[1].gif.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Section loaded: unknown origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe
Source: global traffic | DNS query: name: ethereality.info
Source: global traffic | TCP traffic: 192.168.2.3:49714 -> 108.167.180.111:443
Source: Joe Sandbox View | IP Address: 5.100.155.169
Source: Joe Sandbox View | IP Address: 5.100.152.162
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: ethereality.info

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000002.270814494.00000000041A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.rundll32.exe.41a0000.2.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000002.270814494.00000000041A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.rundll32.exe.41a0000.2.raw.unpack, type: UNPACKEDPE

        System Summary:

        barindex
        Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
        Source: Screenshot number: 4Screenshot OCR: Enable Editing 9 10 from the yellow bar above 11 12 @ Once You have Enable Editing, please click
        Source: Screenshot number: 4Screenshot OCR: Enable Content 13 from the yellow bar above 14 15 " WHY I CANNOT OPEN THIS DOCUMENT? 17 18 ::
        Source: Screenshot number: 12Screenshot OCR: Enable Editing 9 10 from the yellow bar above 11 RunDLL X 12 @ Once You have Enable Editing, pl
        Found Excel 4.0 Macro with suspicious formulasShow sources
        Source: catalogue-41.xlsbInitial sample: EXEC
        Source: catalogue-41.xlsbInitial sample: CALL
        Found abnormal large hidden Excel 4.0 Macro sheetShow sources
        Source: catalogue-41.xlsbInitial sample: Sheet size: 21162
        Source: catalogue-41.xlsbInitial sample: Sheet size: 10013
        Found obfuscated Excel 4.0 MacroShow sources
        Source: catalogue-41.xlsbInitial sample: High usage of CHAR() function: 40
        Office process drops PE fileShow sources
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\0504[1].gifJump to dropped file
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\fikftkm.thj1Jump to dropped file
        Source: classification engine | Classification label: mal100.troj.expl.evad.winXLSB@11/11@5/5
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\{DA5B546F-1D16-4FAC-AF46-1B670536C5A1} - OProcSessId.dat
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File read: C:\Users\desktop.ini
        Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj,DllRegisterServer
        Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj1,DllRegisterServer
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj3,DllRegisterServer
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj4,DllRegisterServer
        Source: C:\Windows\SysWOW64\rundll32.exe | Automated click: OK
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: catalogue-41.xlsb | Initial sample: OLE zip file path = xl/media/image1.png
        Source: catalogue-41.xlsb | Initial sample: OLE zip file path = xl/media/image2.png
        Source: catalogue-41.xlsb | Initial sample: OLE zip file path = xl/media/image3.png
        Source: catalogue-41.xlsb | Initial sample: OLE zip file path = xl/media/image4.png
        Source: catalogue-41.xlsb | Initial sample: OLE zip file path = xl/printerSettings/printerSettings2.bin
        Source: catalogue-41.xlsb | Initial sample: OLE zip file path = xl/printerSettings/printerSettings3.bin
        Source: catalogue-41.xlsb | Initial sample: OLE zip file path = xl/printerSettings/printerSettings4.bin
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

        Boot Survival:

        Drops PE files to the user root directory
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | File created: C:\Users\user\fikftkm.thj1

        Hooking and other Techniques for Hiding and Protection:

        Yara detected Ursnif
        Source: Yara match | File source: 00000004.00000002.270814494.00000000041A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 4.2.rundll32.exe.41a0000.2.raw.unpack, type: UNPACKEDPE
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\0504[1].gif
        Source: rundll32.exe, 00000002.00000002.248730159.0000000002DC0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.285120374.0000000004880000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.279717486.0000000002A00000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: rundll32.exe, 00000002.00000002.248730159.0000000002DC0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.285120374.0000000004880000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.279717486.0000000002A00000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: rundll32.exe, 00000002.00000002.248730159.0000000002DC0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.285120374.0000000004880000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.279717486.0000000002A00000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: rundll32.exe, 00000002.00000002.248730159.0000000002DC0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.285120374.0000000004880000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.279717486.0000000002A00000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: Yara match | File source: app.xml, type: SAMPLE

        Stealing of Sensitive Information:

        Yara detected Ursnif
        Source: Yara match | File source: 00000004.00000002.270814494.00000000041A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 4.2.rundll32.exe.41a0000.2.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality:

        Yara detected Ursnif
        Source: Yara match | File source: 00000004.00000002.270814494.00000000041A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 4.2.rundll32.exe.41a0000.2.raw.unpack, type: UNPACKEDPE

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Scripting3 | Path Interception | Process Injection1 | Masquerading121 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Default Accounts | Exploitation for Client Execution33 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Disable or Modify Tools1 | LSASS Memory | File and Directory Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Rundll321 | Security Account Manager | System Information Discovery2 | SMB/Windows Admin Shares