Windows Analysis Report aaaaaaaaaaa.xls

Overview

General Information

Sample Name:	aaaaaaaaaaa.xls
Analysis ID:	509333
MD5:	a8ca4b1a0ab594b286145586e6b4921c
SHA1:	2e8c2f19a0a58755d03bcf12a38e9383d49a8465
SHA256:	9cb3b49716b637ee57db8cc7bd17189ac2fa2489d8ba32a94a7c99f20fa82a5e
Tags:	xls
Infos:
Most interesting Screenshot:

Detection

Ursnif Dropper

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Detected Italy targeted Ursnif dropper document

Document contains an embedded VBA macro with suspicious strings

Document contains embedded VBA macros

Classification

Signatures

AV Detection:

Multi AV Scanner detection for submitted file

Source: aaaaaaaaaaa.xls

Virustotal: Detection: 13%

Perma Link

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

E-Banking Fraud:

Detected Italy targeted Ursnif dropper document

Source: Initial sample

OLE, VBA macro line: Ursnif specific tokens

System Summary:

Document contains an embedded VBA macro with suspicious strings

Source: aaaaaaaaaaa.xls	OLE, VBA macro line: Excel4MacroSheets.Add(Before:=Worksheets((1))).Name = Ecco_la: l_esperienza
Source: aaaaaaaaaaa.xls	OLE, VBA macro line: ActiveSheet.Visible = 0

Document contains embedded VBA macros

Source: aaaaaaaaaaa.xls

OLE indicator, VBA macros: true

Source: aaaaaaaaaaa.xls

Virustotal: Detection: 13%

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDB70.tmp

Jump to behavior

Source: aaaaaaaaaaa.xls

OLE indicator, Workbook stream: true

Source: classification engine

Classification label: mal60.bank.expl.winXLS@1/0@0/0

Source: aaaaaaaaaaa.xls

Joe Sandbox Cloud Basic: Detection: clean Score: 0

Perma Link

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No contacted IP infos

ID:	509333
Product:	CloudBasic
Start time:	12:19:09
Start date:	26.10.2021
Sample:	aaaaaaaaaaa.xls
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	a8ca4b1a0ab594b286145586e6b4921c
SHA1:	2e8c2f19a0a58755d03bcf12a38e9383d49a8465
SHA256:	9cb3b49716b637ee57db8cc7bd17189ac2fa2489d8ba32a94a7c99f20fa82a5e
Filetype:	Microsoft Excel sheet (30009/1) 78.94%

Windows Analysis Report aaaaaaaaaaa.xls

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

E-Banking Fraud:

System Summary:

Hooking and other Techniques for Hiding and Protection:

Screenshots

Behavior Graph

Network Map