File name:	IlUfY.xlsm
Full analysis:	https://app.any.run/tasks/053c6821-2d38-4bec-83ff-db5cf6add591
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Ursnif is a banking Trojan that usually infects corporate victims. It is based on an old malware but was substantially updated over the years and became quite powerful. Today Ursnif is one of the most widely spread banking Trojans in the world. Malware Trends Tracker >>>
Analysis date:	November 30, 2020, 05:42:26
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	loader trojan gozi ursnif dreambot
Indicators:
MIME:	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
File info:	Microsoft Excel 2007+
MD5:	46E109A17C6911B360657707F182F373
SHA1:	2C4D88BDC88B88A4A4F3EE0A34191188C75F710C
SHA256:	12F1EA509D52A9695408A73BCF71DDD24F8A4FAEE2A99798A63B22CE2FBF73DC
SSDEEP:	1536:c5y66r66hPpVOxc2ZIQgW/TWexnHqPTdgnyLJxWRegWPgPTW/xWe+W/xWeeWR5Tg:cIpVMZBCLBPPPr8owdT9QP4q/AAi

.xlsx	\|	Excel Microsoft Office Open XML Format document (61.2)
.zip	\|	Open Packaging Conventions container (31.5)
.zip	\|	ZIP compressed archive (7.2)

ZipRequiredVersion:	20
ZipBitFlag:	0x0006
ZipCompression:	Deflated
ZipModifyDate:	1980:01:01 00:00:00
ZipCRC:	0x2dd8890b
ZipCompressedSize:	435
ZipUncompressedSize:	1543
ZipFileName:	[Content_Types].xml

Application:	Microsoft Excel
DocSecurity:	None
ScaleCrop:	No
HeadingPairs:	Листы 1 Макросы Excel 4.0 1
TitlesOfParts:	DocuSign SheetSO
LinksUpToDate:	No
SharedDoc:	No
HyperlinksChanged:	No
AppVersion:	15.03
LastModifiedBy:	-
CreateDate:	2006:09:16 00:00:00Z
ModifyDate:	2020:11:30 00:36:47Z


(PID) Process:	(2200) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Operation:	write	Name:	r/<
Value: 722F3C0098080000010000000000000000000000
(PID) Process:	(2200) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1033
Value: Off
(PID) Process:	(2200) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1041
Value: Off
(PID) Process:	(2200) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1046
Value: Off
(PID) Process:	(2200) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1036
Value: Off
(PID) Process:	(2200) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1031
Value: Off
(PID) Process:	(2200) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1040
Value: Off
(PID) Process:	(2200) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1049
Value: Off
(PID) Process:	(2200) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	3082
Value: Off
(PID) Process:	(2200) EXCEL.EXE	Key:	HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages
Operation:	write	Name:	1042
Value: Off

PID	Process	Filename		Type
2200	EXCEL.EXE	C:\Users\admin\AppData\Local\Temp\CVREFD2.tmp.cvr		—
		MD5:—	SHA256:—
1236	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
2200	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\122E3A6B.png		—
		MD5:—	SHA256:—
2200	EXCEL.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C129970.png		—
		MD5:—	SHA256:—
2200	EXCEL.EXE	C:\Users\admin\Desktop\~$IlUfY.xlsm		—
		MD5:—	SHA256:—
1236	iexplore.exe	C:\Users\admin\AppData\Local\Temp\Cab8C6B.tmp		—
		MD5:—	SHA256:—
1236	iexplore.exe	C:\Users\admin\AppData\Local\Temp\Tar8C6C.tmp		—
		MD5:—	SHA256:—
1236	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\P0QS153W.txt		—
		MD5:—	SHA256:—
1236	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\CF08APSG.txt		—
		MD5:—	SHA256:—
1236	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver9268.tmp		—
		MD5:—	SHA256:—

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3516	iexplore.exe	GET	—	65.55.44.109:80	http://web.vortex.data.microsoft.com/images/Iqg2K1kbUnlEm/aW7JqbhH/CbrtnXDQX_2BIsVR9cbAM2S/1qpo4El39l/mRLwF7w_2FDNtkxC1/NbsFQhDGyXQw/8BiYSz9wsO1/bGn1bj28_2FqO5/9J5KUFNBWSFiI2AzOpM2B/fB3nvTxw30BwetIJ/RVJSTOPWtD/v.avi	US	—	—	whitelisted
3844	iexplore.exe	GET	301	109.248.203.56:80	http://settingsline.com/images/jULPqDgCGp_2FU3XucF/xywCV1OoyO5A4rn_2BnszZ/E_2BqxpFjEjO3/6f0nwO5l/ZG_2FoHYnVEHPs_2F7kwJUm/NhMkzPC0fi/m_2FmMDhNOkvyPmRD/doDwRRIbHVb7/rA6aeYe4Y00/nrQ1MVXR3bkJHn/kfETk6KC/eCwxu.avi	RU	—	—	malicious
2200	EXCEL.EXE	GET	200	62.173.140.173:80	http://premialestats.co/con3cti0n.dll	RU	executable	206 Kb	malicious
1236	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D	US	der	1.47 Kb	whitelisted
1236	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D	US	der	1.47 Kb	whitelisted
1236	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D	US	der	1.47 Kb	whitelisted
3844	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D	US	der	471 b	whitelisted
3844	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEApWMlDKGoeg3ENu%2BNxUpq8%3D	US	der	471 b	whitelisted
3844	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D	US	der	471 b	whitelisted
3844	iexplore.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAOU9JUxQfRjQ2m6K03uCyc%3D	US	der	471 b	whitelisted

Domain	IP	Reputation
premialestats.co	62.173.140.173	unknown
web.vortex.data.microsoft.com	65.55.44.109	whitelisted
api.bing.com	13.107.5.80	whitelisted
www.bing.com	204.79.197.200	whitelisted
iecvlist.microsoft.com	152.199.19.161	whitelisted
r20swj13mr.microsoft.com	152.199.19.161	whitelisted
ieonline.microsoft.com	204.79.197.200	whitelisted
ocsp.digicert.com	93.184.220.29	whitelisted
ocsp.sca1b.amazontrust.com	13.225.29.199 13.225.29.132	whitelisted
settingsline.com	109.248.203.56	malicious

PID	Process	Class	Message
3516	iexplore.exe	A Network Trojan was detected	AV TROJAN Ursnif Variant CnC Beacon 2019-09-18
3516	iexplore.exe	A Network Trojan was detected	MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
3516	iexplore.exe	A Network Trojan was detected	MALWARE [PTsecurity] Ursnif
3464	iexplore.exe	A Network Trojan was detected	AV TROJAN Ursnif Variant CnC Beacon 2019-09-18
3464	iexplore.exe	A Network Trojan was detected	MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
3844	iexplore.exe	A Network Trojan was detected	AV TROJAN Ursnif Variant CnC Beacon 2019-09-18
3844	iexplore.exe	A Network Trojan was detected	MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
3844	iexplore.exe	A Network Trojan was detected	MALWARE [PTsecurity] Ursnif
2792	iexplore.exe	A Network Trojan was detected	AV TROJAN Ursnif Variant CnC Beacon 2019-09-18
2792	iexplore.exe	A Network Trojan was detected	MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in

PID	Process	IP	Domain	ASN	CN	Reputation
2200	EXCEL.EXE	62.173.140.173:80	premialestats.co	JSC Internet-Cosmos	RU	malicious
3516	iexplore.exe	65.55.44.109:80	web.vortex.data.microsoft.com	Microsoft Corporation	US	malicious
1236	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
1236	iexplore.exe	152.199.19.161:443	iecvlist.microsoft.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
1236	iexplore.exe	204.79.197.200:443	www.bing.com	Microsoft Corporation	US	whitelisted
1236	iexplore.exe	93.184.220.29:80	ocsp.digicert.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
3844	iexplore.exe	109.248.203.56:80	settingsline.com	Business Consulting LLC	RU	malicious
3844	iexplore.exe	93.184.220.29:80	ocsp.digicert.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
3844	iexplore.exe	66.254.114.238:443	www.redtube.com	Reflected Networks, Inc.	US	suspicious
3464	iexplore.exe	13.225.29.199:80	ocsp.sca1b.amazontrust.com	—	US	whitelisted

General Info

IlUfY.xlsm

46E109A17C6911B360657707F182F373

2C4D88BDC88B88A4A4F3EE0A34191188C75F710C

12F1EA509D52A9695408A73BCF71DDD24F8A4FAEE2A99798A63B22CE2FBF73DC

1536:c5y66r66hPpVOxc2ZIQgW/TWexnHqPTdgnyLJxWRegWPgPTW/xWe+W/xWeeWR5Tg:cIpVMZBCLBPPPr8owdT9QP4q/AAi

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Executable content was dropped or overwritten

Registers / Runs the DLL via REGSVR32.EXE

Unusual execution from Microsoft Office

Loads dropped or rewritten executable

URSNIF was detected

Connects to CnC server

SUSPICIOUS

Drops a file with too old compile date

Creates files in the program directory

Executed via COM

INFO

Creates files in the user directory

Reads Microsoft Office registry keys

Application launched itself

Changes internet zones settings

Changes settings of System certificates

Reads settings of System Certificates

Adds / modifies Windows certificates

Modifies the phishing filter of IE

Reads internet explorer settings

Malware configuration

Static information

TRiD

EXIF

ZIP

XML

XMP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings