Analysis Report document-1245492889.xls

Overview

General Information

Sample Name: document-1245492889.xls
Analysis ID: 383157
MD5: e30c71417d7675c13ca725d3bb4172eb
SHA1: 80350061fb497c3fc79ac2cd4f8a315aceae412e
SHA256: 05d2f75e43502476f32925c3f8ca82245c4f5433c4d405779e6fd178cd37ea13

Detection

Hidden Macro 4.0 Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Found obfuscated Excel 4.0 Macro
Machine Learning detection for dropped file
Office process drops PE file
Yara detected hidden Macro 4.0 in Excel
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Uses code obfuscation techniques (call, push, ret)
Yara detected Xls With Macro 4.0
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 6.2.rundll32.exe.270000.1.raw.unpack Malware Configuration Extractor: Ursnif [[{"RSA Public Key": "bUd4GFcFHo0e+ZYUbkHaTKXmZ1xEyxvy7Ha6j1WAZbQ7YvMdkqTfD1vHD2y2CmFTRrLK1w5iQroYI0mUpJ4xNknlY+BmJf4xpeJRxxK0RRNeRbW5unSB2vXqxvlTgz6vNZY+9zeztuP2jXKpIm0/s+YxWnsT7eWUtQtD38NlsAPtJdp+3rBxjzAWNKQj7wMA"}, {"c2_domain": ["bing.com", "update4.microsoft.com", "under17.com", "urs-world.com"], "botnet": "5566", "server": "12", "serpent_key": "10301029JSJUYDWG", "sleep_time": "10", "SetWaitableTimer_value": "0", "DGA_count": "10"}]]
Multi AV Scanner detection for submitted file
Source: document-1245492889.xls Virustotal: Detection: 54%
Source: document-1245492889.xls Metadefender: Detection: 32%
Source: document-1245492889.xls ReversingLabs: Detection: 18%
Machine Learning detection for dropped file
Source: C:\Users\user\fikftkm.thj2 Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif Joe Sandbox ML: detected

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: 0104[1].gif.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: vts.us.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 207.174.213.126:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 207.174.213.126:443

Networking:

IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 207.174.213.126
Source: Joe Sandbox View IP Address: 198.50.218.68
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000003.00000002.2115424423.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109348201.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278669504.0000000001A90000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2275869797.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: vts.us.com
Source: rundll32.exe, 00000003.00000002.2115424423.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109348201.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278669504.0000000001A90000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2275869797.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2115424423.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109348201.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278669504.0000000001A90000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2275869797.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2115568867.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109524493.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278827735.0000000001C77000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2277292535.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177880792.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2171790992.0000000001CC7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2115568867.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109524493.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278827735.0000000001C77000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2277292535.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177880792.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2171790992.0000000001CC7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000003.00000002.2115568867.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109524493.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278827735.0000000001C77000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2277292535.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177880792.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2171790992.0000000001CC7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2115568867.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109524493.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278827735.0000000001C77000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2277292535.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177880792.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2171790992.0000000001CC7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000003.00000002.2115424423.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109348201.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278669504.0000000001A90000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2275869797.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2115568867.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109524493.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278827735.0000000001C77000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2277292535.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177880792.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2171790992.0000000001CC7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2115424423.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109348201.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278669504.0000000001A90000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2275869797.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: unknown HTTPS traffic detected: 207.174.213.126:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.241.62.4:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.185.129.4:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 5.100.155.169:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown HTTPS traffic detected: 198.50.218.68:443 -> 192.168.2.22:49173 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.2275673660.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.2275673660.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please elk 14 Ru
Source: Screenshot number: 8 Screenshot OCR: Enable Editing 11 from the yellow bar above 12 13 Once You have Enable Editing, please ell 14 R
Source: Screenshot number: 12 Screenshot OCR: Enable Editing, please click Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18
Source: Screenshot number: 12 Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Document image extraction number: 9 Screenshot OCR: Enable Editing from the yellow bar above Once You have Enable Editing , please click Enable Conten
Source: Document image extraction number: 9 Screenshot OCR: Enable Content from the yellow bar above WHYICANNOTOPEN THIS DOCUMENT? You are using iOS or Andro
Source: Screenshot number: 16 Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 16 Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Source: Screenshot number: 20 Screenshot OCR: Enable Editing 11 1 from the yellow bar above 12 13 ' @ Once You have Enable Editing, please clic
Source: Screenshot number: 20 Screenshot OCR: Enable Content 14 1 from the yellow bar above 15 CI c? 16 17 I 18 I WHY I CANNOTOPEN THIS DOCU
Found Excel 4.0 Macro with suspicious formulas
Source: document-1245492889.xls Initial sample: CALL
Source: document-1245492889.xls Initial sample: EXEC
Found abnormal large hidden Excel 4.0 Macro sheet
Source: document-1245492889.xls Initial sample: Sheet size: 4081
Source: document-1245492889.xls Initial sample: Sheet size: 12790
Found obfuscated Excel 4.0 Macro
Source: document-1245492889.xls Initial sample: High usage of CHAR() function: 40
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Detected potential crypto function
Document contains embedded VBA macros
Source: document-1245492889.xls OLE indicator, VBA macros: true
Yara signature match
Source: document-1245492889.xls, type: SAMPLE Matched rule: SUSP_EnableContent_String_Gen date = 2019-02-12, hash1 = 525ba2c8d35f6972ac8fcec8081ae35f6fe8119500be20a4113900fe57d6a0de, author = Florian Roth, description = Detects suspicious string that asks to enable active content in Office Doc, reference = Internal Research
Source: document-1245492889.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2115424423.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2109348201.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000005.00000002.2278669504.0000000001A90000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2275869797.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2177701429.0000000001BB0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winXLS@13/17@5/5
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\EDCE0000
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC58F.tmp
Source: document-1245492889.xls OLE indicator, Workbook stream: true
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj1,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj3,DllRegisterServer
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 ..\fikftkm.thj4,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)

Persistence and Installation Behavior:

Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\fikftkm.thj2

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.2275673660.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 463
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\0104[1].gif

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 6_2_00122A69 xor edi, dword ptr fs:[00000030h]

HIPS / PFW / Operating System Protection Evasion:

Yara detected hidden Macro 4.0 in Excel
Source: Yara match File source: document-1245492889.xls, type: SAMPLE
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\fikftkm.thj2,DllRegisterServer
Yara detected Xls With Macro 4.0
Source: Yara match File source: document-1245492889.xls, type: SAMPLE

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.2275673660.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.2275673660.0000000000270000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph (image not available; recoverable node information follows)

Behavior Graph ID: 383157
Sample: document-1245492889.xls
Startdate: 07/04/2021
Architecture: WINDOWS
Score: 100

Sample node signatures:
  • Found malware configuration
  • Multi AV Scanner detection for submitted file
  • Document exploit detected (drops PE files)
  • 10 other signatures

Process: EXCEL.EXE started by the sample (node counts per the legend: 88 created registry values, 51 created files)
  DNS/IP info:
    • mundotecnologiasolar.com 162.241.62.4, port 443, source port 49168, UNIFIEDLAYER-AS-1US, United States
    • accesslinksgroup.com 192.185.129.4, port 443, source port 49170, UNIFIEDLAYER-AS-1US, United States
    • 3 other IPs or domains
  Dropped files:
    • C:\Users\user\fikftkm.thj2, PE32
    • C:\Users\user\AppData\Local\...\0104[1].gif, PE32
    • C:\Users\user\fikftkm.thj, HTML
  Signatures:
    • Document exploit detected (UrlDownloadToFile)
  Child processes started:
    • rundll32.exe
    • rundll32.exe
    • rundll32.exe
    • 2 other processes

Process: rundll32.exe (first child of EXCEL.EXE)
  Child processes started:
    • rundll32.exe
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
207.174.213.126 | vts.us.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
198.50.218.68 | comosairdoburaco.com.br | Canada | 16276 | OVHFR | false
162.241.62.4 | mundotecnologiasolar.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
5.100.155.169 | ponchokhana.com | United Kingdom | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
192.185.129.4 | accesslinksgroup.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false

Contacted Domains

Name IP Active
mundotecnologiasolar.com 162.241.62.4 true
accesslinksgroup.com 192.185.129.4 true
ponchokhana.com 5.100.155.169 true
vts.us.com 207.174.213.126 true
comosairdoburaco.com.br 198.50.218.68 true