Windows Analysis Report 2021_0002565_DDT.xls

Overview

General Information

Sample Name: 2021_0002565_DDT.xls
Analysis ID: 636
MD5: 5b239ac2b45218ad505553d52203c744
SHA1: abefd9905f25fdcea76783cfd877c19206d117ab
SHA256: f3ff9603b23796a30d10ae2cfa0001212752705a3e602371ae74d0f4d8defb71

Most interesting Screenshot:

Detection

Ursnif Dropper
Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Italy targeted Ursnif dropper document
Document contains an embedded VBA macro with suspicious strings
Document contains embedded VBA macros

Classification

Source: excel.exe Memory has grown: Private usage: 2MB later: 17MB

E-Banking Fraud:

barindex
Detected Italy targeted Ursnif dropper document
Source: Initial sample OLE, VBA macro line: Ursnif specific tokens

System Summary:

barindex
Document contains an embedded VBA macro with suspicious strings
Source: 2021_0002565_DDT.xls OLE, VBA macro line: Excel4MacroSheets.Add(Before:=Worksheets((1))).Name = vgiom: ottoB
Source: 2021_0002565_DDT.xls OLE, VBA macro line: ActiveSheet.Visible = 0
Document contains embedded VBA macros
Source: 2021_0002565_DDT.xls OLE indicator, VBA macros: true
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\alfredo\AppData\Local\Temp\{5831B89B-9FC5-4859-BBDB-4598E8DC4C22} - OProcSessId.dat
Source: 2021_0002565_DDT.xls OLE indicator, Workbook stream: true
Source: classification engine Classification label: mal52.bank.expl.winXLS@1/8@0/72
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE File created: C:\Users\alfredo\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 2021_0002565_DDT.xls Initial sample: OLE summary comments = ''BRT
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
windows-stand
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
52.113.194.132
 unknown United States
8068 MICROSOFT-CORP-MSN-AS-BLOCKUS false
52.109.88.177
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
52.109.28.63
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
2.21.140.114
 unknown European Union
16625 AKAMAI-ASUS false
20.50.201.195
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false
52.109.88.34
 unknown United States
8075 MICROSOFT-CORP-MSN-AS-BLOCKUS false

Private
IP
192.168.2.1