Windows Analysis Report
XSG2363662.xls

Overview

General Information

Sample Name: XSG2363662.xls
Analysis ID: 558779
MD5: 0a18e47e743c2a3bdb26333764d4d19c
SHA1: 434030db9b84e3832e5cc1019137205aa1c9de6f
SHA256: 6b3407cfd0ef9a6664e61733b8a838b9cd1d05e084a36a8eff0dddb0e21d34c4
Tags: BRT, gozi, isfb, ursnif, xls

Detection

Ursnif Dropper
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Detected Italy targeted Ursnif dropper document
Document contains an embedded VBA macro with suspicious strings
Sigma detected: Suspicious Remote Thread Created
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

AV Detection

Source: XSG2363662.xls Avira: detected
Source: XSG2363662.xls Virustotal: Detection: 10%
Source: XSG2363662.xls ReversingLabs: Detection: 13%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

E-Banking Fraud

Source: Initial sample OLE, VBA macro line: Ursnif specific tokens

System Summary

Source: XSG2363662.xls OLE, VBA macro line: Workbooks.Application.DisplayAlerts = False: Application.Quit
Source: XSG2363662.xls OLE, VBA macro line: ActiveSheet.Visible = 0
Source: XSG2363662.xls OLE indicator, VBA macros: true
Source: 3977.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: XSG2363662.xls Virustotal: Detection: 10%
Source: XSG2363662.xls ReversingLabs: Detection: 13%
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD863.tmp
Source: XSG2363662.xls OLE indicator, Workbook stream: true
Source: classification engine Classification label: mal72.bank.expl.winXLS@1/4@0/0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: 3977.tmp.0.dr Initial sample: OLE indicators vbamacros = False
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
No contacted IP infos