

Analysis Report 749dd3optoor.exe

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:225048
Start date:24.04.2020
Start time:04:17:40
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 12m 45s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:749dd3optoor.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:40
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal80.bank.troj.evad.winEXE@48/229@21/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 52.7% (good quality ratio 52.7%)
  • Quality average: 88.3%
  • Quality standard deviation: 20.2%
HCA Information:Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, ielowutil.exe, WMIADAP.exe, WmiPrvSE.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 88.221.62.148, 2.18.68.82, 152.199.19.161, 8.248.113.254, 8.248.135.254, 8.248.131.254, 67.26.81.254, 8.253.95.120, 172.227.108.117
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ie9comview.vo.msecnd.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, auto.au.download.windowsupdate.com.c.footprint.net, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 80 (range 0 - 100)
Whitelisted: false
Threat: Ursnif
Detection: malicious

Confidence

Strategy: Threshold
Score: 5 (range 0 - 5)
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

One line per tactic. Bracketed figures are the numbers the report attaches to the techniques it matched in this analysis; entries without one are the unmatched template cells of the matrix.

Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link; Spearphishing Attachment; Spearphishing via Service; Supply Chain Compromise
Execution: Windows Management Instrumentation [21]; Execution through API [1]; Graphical User Interface [1]; Scheduled Task; Command-Line Interface; Graphical User Interface; Scripting; Third-party Software; Rundll32
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification; Modify Existing Service; Path Interception; Logon Scripts; DLL Search Order Hijacking
Privilege Escalation: Process Injection [2]; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness; New Service; Scheduled Task; Process Injection; Service Registry Permissions Weakness
Defense Evasion: Masquerading [1]; Software Packing [21]; Disabling Security Tools [1]; Virtualization/Sandbox Evasion [1]; Process Injection [2]; Obfuscated Files or Information [1]; Software Packing; Indicator Blocking; Process Injection
Credential Access: Input Capture [1]; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation; Brute Force; Two-Factor Authentication Interception; Bash History; Input Prompt
Discovery: System Time Discovery [1]; Virtualization/Sandbox Evasion [1]; Process Discovery [1]; Account Discovery [1]; System Owner/User Discovery [1]; Security Software Discovery [21]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [2]
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot; Third-party Software; Pass the Hash; Remote Desktop Protocol; Windows Admin Shares
Collection: Input Capture [1]; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged; Screen Capture; Email Collection; Clipboard Data; Automated Collection
Exfiltration: Data Encrypted [1]; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over Command and Control Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Physical Medium
Command and Control: Standard Cryptographic Protocol [12]; Standard Non-Application Layer Protocol [1]; Standard Application Layer Protocol [2]; Multiband Communication; Standard Cryptographic Protocol; Commonly Used Port; Uncommonly Used Port; Standard Application Layer Protocol; Multilayer Encryption
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Premium SMS Toll Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

Signature Overview



AV Detection:

Machine Learning detection for sample
Source: 749dd3optoor.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.749dd3optoor.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.749dd3optoor.exe.640000.1.unpack | Avira: Label: TR/Patched.Ren.Gen

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\749dd3optoor.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\749dd3optoor.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\749dd3optoor.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\749dd3optoor.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\749dd3optoor.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
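The two JA3 values above are MD5 hashes over the fields a client sends in its TLS ClientHello (protocol version, cipher suites, extension types, supported groups, EC point formats), which is why they identify the TLS stack the sample uses rather than the server it talks to. The Python below is an added example and is not part of the Joe Sandbox report or its tooling: it parses a ClientHello record, builds the JA3 string with GREASE values stripped, hashes it, and checks the result against the report's two fingerprints. The ClientHello bytes are constructed inside the block for the demonstration; the server name example.test and the cipher and extension choices are assumptions, not captured traffic.

```python
import hashlib
import struct

# The two JA3 client fingerprints the report flagged. Treated here as a
# constructed blocklist; a deployment would load these from threat intel.
KNOWN_BAD_JA3 = {
    "9e10692f1b7f78228b2d4e424db3a98c",
    "ce5f3254611a8c095a3d821d44539877",
}

# GREASE values (RFC 8701: 0x0a0a, 0x1a1a, ... 0xfafa) are excluded from JA3
# so that a client's random GREASE choices do not change its fingerprint.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def parse_client_hello(record):
    """Extract the JA3-relevant fields from a TLS record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 0
    version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                      # client_version, then the 32-byte random
    pos += 1 + body[pos]               # session_id length + session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]               # compression_methods length + list

    extensions, curves, formats = [], [], []
    if pos + 2 <= len(body):
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("extensions block overruns ClientHello")
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            ext = body[pos:pos + elen]
            if len(ext) != elen:
                raise ValueError("truncated extension")
            pos += elen
            extensions.append(etype)
            if etype == 0x000A:        # supported_groups (elliptic curves)
                n = struct.unpack(">H", ext[:2])[0]
                curves = [int.from_bytes(ext[i:i + 2], "big") for i in range(2, 2 + n, 2)]
            elif etype == 0x000B:      # ec_point_formats
                formats = list(ext[1:1 + ext[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "formats": formats}


def ja3_string(fields):
    """SSLVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats (GREASE removed)."""
    def join(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(fields["version"]), join(fields["ciphers"]),
                     join(fields["extensions"]), join(fields["curves"]),
                     join(fields["formats"])])


def ja3_hash(ja3):
    return hashlib.md5(ja3.encode("ascii")).hexdigest()   # MD5 is what JA3 specifies


def check_client_hello(record):
    """Return (ja3 string, ja3 hash, whether the hash is on the blocklist)."""
    s = ja3_string(parse_client_hello(record))
    h = ja3_hash(s)
    return s, h, h in KNOWN_BAD_JA3


def build_client_hello(version, ciphers, extensions):
    """Constructed ClientHello for testing; extensions is a list of (type, body) in wire order."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"          # random, empty session id
    body += struct.pack(">H", 2 * len(ciphers)) + b"".join(struct.pack(">H", c) for c in ciphers)
    body += b"\x01\x00"                                               # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(b)) + b for t, b in extensions)
    body += struct.pack(">H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# Constructed sample (assumed values): two ECDHE suites and AES-GCM, with a
# GREASE cipher and a GREASE extension that the fingerprint must ignore.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x0A0A, 0xC02B, 0xC02F, 0x009C],
    [
        (0x0A0A, b""),                                                        # GREASE extension
        (0x0000, struct.pack(">H", 15) + b"\x00" + struct.pack(">H", 12) + b"example.test"),
        (0x000A, struct.pack(">H", 6) + struct.pack(">HHH", 0x0A0A, 0x001D, 0x0017)),
        (0x000B, b"\x01\x00"),                                                # uncompressed points
        (0x000D, struct.pack(">H", 2) + b"\x04\x03"),                         # signature_algorithms
    ],
)

if __name__ == "__main__":
    s, h, bad = check_client_hello(SAMPLE_HELLO)
    print(f"JA3 string: {s}\nJA3 hash:   {h}\nknown bad:  {bad}")
```

In practice the input is the first handshake record of each outbound 443 connection (for example pulled from the pcap the sandbox produced), and a hit on the blocklist is a pivot rather than a verdict: JA3 keys on the client TLS stack, so benign software built on the same library yields the same hash.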
Found strings which match to known social media urls
Source: msapplication.xml0.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x231484b6,0x01d61a2a</date><accdate>0x231484b6,0x01d61a2a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x231484b6,0x01d61a2a</date><accdate>0x231484b6,0x01d61a2a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x231c0a73,0x01d61a2a</date><accdate>0x231c0a73,0x01d61a2a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x231c0a73,0x01d61a2a</date><accdate>0x231c0a73,0x01d61a2a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x231c0a73,0x01d61a2a</date><accdate>0x231c0a73,0x01d61a2a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.4.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x231c0a73,0x01d61a2a</date><accdate>0x231eb259,0x01d61a2a</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: woofwoofacademy.xyz
Urls found in memory or binary data
Source: 749dd3optoor.exe, 00000000.00000002.2485872831.00000000008BF000.00000004.00000020.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: 749dd3optoor.exe, 00000000.00000002.2485872831.00000000008BF000.00000004.00000020.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: 749dd3optoor.exe, 00000000.00000002.2485872831.00000000008BF000.00000004.00000020.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: 749dd3optoor.exe, 00000000.00000002.2485872831.00000000008BF000.00000004.00000020.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: 749dd3optoor.exe, 00000000.00000002.2485872831.00000000008BF000.00000004.00000020.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: 749dd3optoor.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: 749dd3optoor.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: 749dd3optoor.exe, 00000000.00000002.2485872831.00000000008BF000.00000004.00000020.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: 749dd3optoor.exe, 00000000.00000002.2485872831.00000000008BF000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: 749dd3optoor.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: imagestore.dat.38.dr | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
Source: msapplication.xml.4.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.4.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.4.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.4.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.4.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.4.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.4.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.4.dr | String found in binary or memory: http://www.youtube.com/
Source: 749dd3optoor.exe | String found in binary or memory: https://sectigo.com/CPS0C
Source: 749dd3optoor.exe, 00000000.00000003.771575484.0000000003560000.00000004.00000040.sdmp | String found in binary or memory: https://woofwoofacademy.xyz
Source: 749dd3optoor.exe, 00000000.00000002.2485583538.0000000000820000.00000004.00000020.sdmp | String found in binary or memory: https://woofwoofacademy.xyz/
Source: 749dd3optoor.exe, 00000000.00000002.2485583538.0000000000820000.00000004.00000020.sdmp | String found in binary or memory: https://woofwoofacademy.xyz/F
Source: 749dd3optoor.exe, 00000000.00000002.2485499709.00000000006A0000.00000004.00000001.sdmp, 749dd3optoor.exe, 00000000.00000003.1713843998.00000000006A2000.00000004.00000001.sdmp, ~DFDBA237731E353E94.TMP.38.dr | String found in binary or memory: https://woofwoofacademy.xyz/index.htm
Source: 749dd3optoor.exe, 00000000.00000003.1713843998.00000000006A2000.00000004.00000001.sdmp | String found in binary or memory: https://woofwoofacademy.xyz/index.htm$
Source: 749dd3optoor.exe, 00000000.00000003.1748284303.00000000008BF000.00000004.00000001.sdmp | String found in binary or memory: https://woofwoofacademy.xyz/index.htm?
Source: 749dd3optoor.exe, 00000000.00000003.1713843998.00000000006A2000.00000004.00000001.sdmp | String found in binary or memory: https://woofwoofacademy.xyz/index.htmB
Source: 749dd3optoor.exe, 00000000.00000003.1748284303.00000000008BF000.00000004.00000001.sdmp | String found in binary or memory: https://woofwoofacademy.xyz/index.htmE
Source: {BA1C21C6-861D-11EA-AADD-C25F135D3C65}.dat.19.dr | String found in binary or memory: https://woofwoofacademy.xyz/index.htmRoot
Source: 749dd3optoor.exe, 00000000.00000003.1748284303.00000000008BF000.00000004.00000001.sdmp | String found in binary or memory: https://woofwoofacademy.xyz/index.htmW
Source: 749dd3optoor.exe, 00000000.00000003.1748284303.00000000008BF000.00000004.00000001.sdmp | String found in binary or memory: https://woofwoofacademy.xyz/index.htmg
Source: 749dd3optoor.exe, 00000000.00000003.1713695305.000000000088F000.00000004.00000001.sdmp | String found in binary or memory: https://woofwoofacademy.xyz/index.htmi
Source: 749dd3optoor.exe, 00000000.00000003.914997249.000000000088F000.00000004.00000001.sdmp | String found in binary or memory: https://woofwoofacademy.xyz/index.htmj
Source: 749dd3optoor.exe, 00000000.00000003.1659361652.0000000000853000.00000004.00000001.sdmp | String found in binary or memory: https://woofwoofacademy.xyz/index.htmndary=f157d2cffe29e5d5L
Source: 749dd3optoor.exe, 00000000.00000002.2485499709.00000000006A0000.00000004.00000001.sdmp | String found in binary or memory: https://woofwoofacademy.xyz/index.htmp
Source: 749dd3optoor.exe, 00000000.00000002.2485499709.00000000006A0000.00000004.00000001.sdmp | String found in binary or memory: https://woofwoofacademy.xyz/index.htmx
Source: {BA1C21C6-861D-11EA-AADD-C25F135D3C65}.dat.19.dr | String found in binary or memory: https://woofwoofacademy.xyz/index.htmy.xyz/index.htm
Source: 749dd3optoor.exe, 00000000.00000003.771575484.0000000003560000.00000004.00000040.sdmp | String found in binary or memory: https://woofwoofacademy.xyzx
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 to and from local ports 49746, 49747, 49751, 49752 and 49754 through 49770 (21 connections, each recorded in both directions)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.771575484.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.767663275.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.771809687.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.771702490.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.769618962.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.767934445.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772342544.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772015165.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.771918127.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.768211389.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.766837475.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.770478758.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.771069193.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.769034460.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.769358208.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.771416337.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772281756.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772449280.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.767376594.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2486849255.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.770705693.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772422296.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772387134.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.767112143.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.771232123.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.770044476.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.768533449.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772110991.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.770262148.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772207692.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.770902405.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.769829478.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.768773073.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.992865715.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 749dd3optoor.exe PID: 3720, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: 749dd3optoor.exe, 00000000.00000002.2485583538.0000000000820000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File sources: the same 34 memory dumps of 749dd3optoor.exe at 0000000003560000 and Process Memory Space: 749dd3optoor.exe PID: 3720 that are listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above; the report repeats the identical match list in this category.

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\749dd3optoor.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\749dd3optoor.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\749dd3optoor.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\749dd3optoor.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\749dd3optoor.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\749dd3optoor.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\749dd3optoor.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\749dd3optoor.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\749dd3optoor.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\749dd3optoor.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Users\user\Desktop\749dd3optoor.exe | Code function: 0_2_00401EE1 NtQueryVirtualMemory
Detected potential crypto function
Source: C:\Users\user\Desktop\749dd3optoor.exe | Code function: 0_2_00401CC0
Sample file is different than original file name gathered from version info
Source: 749dd3optoor.exe, 00000000.00000002.2486313498.00000000024B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs 749dd3optoor.exe
Source: 749dd3optoor.exe, 00000000.00000002.2486397288.0000000002510000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs 749dd3optoor.exe
Source: 749dd3optoor.exe, 00000000.00000002.2486341582.00000000024C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs 749dd3optoor.exe
Source: 749dd3optoor.exe, 00000000.00000002.2486417133.0000000002520000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs 749dd3optoor.exe
Classification label
Source: classification engine | Classification label: mal80.bank.troj.evad.winEXE@48/229@21/1
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates temporary files
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF37285C882A1500D3.TMP
PE file has an executable .text section and no other executable section
Source: 749dd3optoor.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
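The "executable .text section and no other executable section" signature is a static triage check on the section table: a conventional compiler layout has exactly one executable section, while packed or self-modifying samples often carry extra executable or writable-and-executable sections (UPX0/UPX1 being the familiar case). The Python below is an added example and not the sandbox's own implementation: it walks the PE section table with the standard library, lists every section with IMAGE_SCN_MEM_EXECUTE set, and also flags sections that are both writable and executable, which goes one step beyond the report's signature. The two PE headers it inspects are constructed inside the block (a clean layout and a UPX-style layout) and are not taken from 749dd3optoor.exe.

```python
import struct

# Section characteristic flags from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_sections(data):
    """Walk the section table of a PE image and return (name, characteristics) pairs."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    # PointerToSymbolTable(4) NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    table = file_hdr + 20 + opt_size           # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                   # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, characteristics))
    return sections


def executable_section_report(data):
    """Reproduce the 'only .text is executable' check and add a W+X check on top."""
    sections = pe_sections(data)
    executable = [n for n, c in sections if c & IMAGE_SCN_MEM_EXECUTE]
    wx = [n for n, c in sections
          if c & IMAGE_SCN_MEM_EXECUTE and c & IMAGE_SCN_MEM_WRITE]
    return {
        "executable": executable,
        "only_text_executable": executable == [".text"],
        "writable_and_executable": wx,
    }


def build_pe(sections):
    """Constructed minimal PE32 header set for testing; headers only, no code or data."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)      # e_lfanew sits at 0x3C
    opt_size = 0xE0                                                # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table = b""
    for name, characteristics in sections:
        table += name.ljust(8, b"\0")[:8] + struct.pack(
            "<IIIIIIHHI", 0, 0, 0, 0, 0, 0, 0, 0, characteristics)
    return dos + b"PE\0\0" + file_hdr + bytes(opt_size) + table


# Constructed samples (assumed layouts): a conventional compiler output whose
# .text carries the same flags the report shows, and a UPX-style packed layout.
CLEAN_PE = build_pe([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rdata", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
PACKED_PE = build_pe([
    (b"UPX0", IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b"UPX1", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        print(label, executable_section_report(image))
```

Run against a real file with `executable_section_report(open(path, "rb").read())`. A single executable .text section says nothing about the code inside it: this sample passes the check and still unpacks Ursnif into a heap region at 0x03560000, as the memory-dump Yara matches above show, so the static result is a triage hint and never a clean bill.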
Reads ini filesShow sources
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\749dd3optoor.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Users\user\Desktop\749dd3optoor.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Users\user\Desktop\749dd3optoor.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\749dd3optoor.exe 'C:\Users\user\Desktop\749dd3optoor.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5076 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5076 CREDAT:17418 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4740 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:860 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:744 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4892 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1228 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:604 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:660 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3148 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2912 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3816 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4228 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3484 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2712 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5076 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5076 CREDAT:17418 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4740 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:860 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:744 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4892 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1228 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:604 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:660 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3148 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4704 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2912 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3816 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4228 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3484 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2712 CREDAT:17410 /prefetch:2
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\749dd3optoor.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\749dd3optoor.exe | Unpacked PE file: 0.2.749dd3optoor.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\749dd3optoor.exe | Unpacked PE file: 0.2.749dd3optoor.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\749dd3optoor.exe | Code function: 0_2_00401A1C GetModuleHandleW,LoadLibraryW,GetProcAddress, | 0_2_00401A1C
PE file contains an invalid checksum
Source: 749dd3optoor.exe | Static PE information: real checksum: 0xd15c9 should be: 0xd186d
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\749dd3optoor.exe | Code function: 0_2_0040507C push ecx; ret | 0_2_0040507E
Source: C:\Users\user\Desktop\749dd3optoor.exe | Code function: 0_2_00405083 push ecx; ret | 0_2_00405086
Source: C:\Users\user\Desktop\749dd3optoor.exe | Code function: 0_2_00401CAF push ecx; ret | 0_2_00401CBF

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.771575484.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.767663275.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.771809687.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.771702490.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.769618962.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.767934445.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772342544.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772015165.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.771918127.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.768211389.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.766837475.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.770478758.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.771069193.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.769034460.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.769358208.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.771416337.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772281756.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772449280.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.767376594.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2486849255.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.770705693.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772422296.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772387134.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.767112143.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.771232123.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.770044476.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.768533449.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772110991.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.770262148.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.772207692.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.770902405.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.769829478.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.768773073.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.992865715.0000000003560000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 749dd3optoor.exe PID: 3720, type: MEMORY

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\749dd3optoor.exe TID: 3996 | Thread sleep count: 108 > 30
Source: C:\Users\user\Desktop\749dd3optoor.exe TID: 3996 | Thread sleep time: -54000s >= -30000s
Source: C:\Users\user\Desktop\749dd3optoor.exe TID: 4332 | Thread sleep time: -570000s >= -30000s
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: 749dd3optoor.exe, 00000000.00000003.872978739.0000000000881000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW&!
Source: 749dd3optoor.exe, 00000000.00000003.1806308631.00000000008A9000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: 749dd3optoor.exe, 00000000.00000003.873095513.00000000008B5000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWc
Program exit points
Source: C:\Users\user\Desktop\749dd3optoor.exe | API call chain: ExitProcess graph end node | graph_0-685

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\749dd3optoor.exe | Code function: 0_2_00401A1C GetModuleHandleW,LoadLibraryW,GetProcAddress, | 0_2_00401A1C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\749dd3optoor.exe | Code function: 0_2_00401076 EntryPoint,GetModuleHandleA,GetProcessHeap,GetCurrentThread,WaitForSingleObject,ExitProcess, | 0_2_00401076
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\749dd3optoor.exe | Memory protected: page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: 749dd3optoor.exe, 00000000.00000002.2486036076.0000000000EB0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: 749dd3optoor.exe, 00000000.00000002.2486036076.0000000000EB0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: 749dd3optoor.exe, 00000000.00000002.2486036076.0000000000EB0000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
Source: 749dd3optoor.exe, 00000000.00000002.2486036076.0000000000EB0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query local / system time
Source: C:\Users\user\Desktop\749dd3optoor.exe | Code function: 0_2_00401668 GetSystemTimeAsFileTime,memcpy,memcpy,memcpy,memset, | 0_2_00401668
Contains functionality to query the account / user name
Source: C:\Users\user\Desktop\749dd3optoor.exe | Code function: 0_2_00419E90 IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,IsClipboardFormatAvailable,GetEnhMetaFileA,GetUserNameA,DeleteMetaFile,CreateMetaFileA,CharNextA,LoadCursorW,LoadLibraryA,GetProcAddress, | 0_2_00419E90

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\749dd3optoor.exe | WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif (same memory-dump matches as listed under Hooking and other Techniques for Hiding and Protection)

Remote Access Functionality:

Yara detected Ursnif (same memory-dump matches as listed under Hooking and other Techniques for Hiding and Protection)

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph image not reproduced] Behavior Graph ID: 225048, Sample: 749dd3optoor.exe, Start date: 24/04/2020, Architecture: WINDOWS, Score: 80.
Sample-level signatures: Yara detected Ursnif; Machine Learning detection for sample.
Process 749dd3optoor.exe: resolves woofwoofacademy.xyz; signatures: Detected unpacking (changes PE section rights), Detected unpacking (overwrites its own PE header), Writes or reads registry keys via WMI, 2 other signatures.
Processes iexplore.exe (two instances plus 13 other processes) start further iexplore.exe child processes; one child connects to woofwoofacademy.xyz 45.147.201.55, port 443 (client ports 49746, 49747), unknown, Russian Federation.

Simulations

Behavior and APIs

Time | Type | Description
04:18:40 | API Interceptor | 20x Sleep call for process: 749dd3optoor.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner
749dd3optoor.exe | 100% | Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.749dd3optoor.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.0.749dd3optoor.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.749dd3optoor.exe.640000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen

Domains

Source | Detection | Scanner
woofwoofacademy.xyz | 0% | Virustotal

URLs


Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.771575484.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.767663275.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.771809687.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.771702490.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.769618962.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.767934445.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.772342544.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.772015165.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.771918127.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.768211389.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.766837475.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.770478758.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.771069193.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.769034460.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.769358208.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.771416337.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.772281756.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.772449280.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.767376594.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000002.2486849255.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.770705693.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.772422296.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.772387134.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.767112143.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.771232123.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.770044476.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.768533449.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.772110991.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.770262148.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.772207692.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.770902405.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.769829478.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.768773073.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.992865715.0000000003560000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
Process Memory Space: 749dd3optoor.exe PID: 3720 | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | Judgement_04222020_553.vbs | malicious | 156.239.159.218
unknown | app-debug_COVIDAPP.apk | malicious | 173.194.69.188
unknown | http://pushazam.com/ntfc.php?p=2201246 | malicious | 88.85.66.132
unknown | G4YP8mLV5z.doc | malicious | 52.114.128.43
unknown | SC-Fat-03929873874.vbs | malicious | 192.236.147.100
unknown | http://cdn.dsultra.com/js/registrar.js | malicious | 209.126.103.59
unknown | #UfffdNexeosolutions_NewAudioMessage.htm | malicious | 104.16.133.229
unknown | http://custom-nonwoven.com | malicious | 34.196.85.165
unknown | http://www.custom-nickel.com/media/shared/general/_jh/footer_findmyhost2009.png | malicious | 34.199.136.0
unknown | https://daily-flawless-stage.glitch.me/ | malicious | 152.199.23.37
unknown | Details.exe | malicious | 203.191.33.181
unknown | Maria Martinez.xls | malicious | 5.101.51.127
unknown | http://idcindy.o.smith.windstream.willowcreekcornpanies.com/Zm9scC9zaGlmdA==?bXVtbXk=cindy.o.smith@windstream.com | malicious | 198.187.29.195
unknown | http://bibiti.com.br/wp-content/uploads/2020/04/docs_9kq/88434030/Judgement_04222020_88434030.zip | malicious | 156.239.159.218
unknown | https://vistapolitecnica.com/USA.html | malicious | 50.116.112.163
unknown | calc.exe | malicious | 198.54.125.57
unknown | https://kpuemp-my.sharepoint.com/:o:/g/personal/desire_pedersen_kpu_ca/EkI0D7LTXN5ImLBJCeB110kBYBxa7ruahx0HeUN57QFOGQ?e=65sRus | malicious | 152.199.23.37
unknown | Remittance Advice.xlsx | malicious | 198.23.194.179
unknown | http://t.em.cox.com/r/?id=h186c61de,5cd1d28,5cd1d2b&p1=novelbargain.com/git/margo.quadrini@windstream.com | malicious | 151.139.128.8
unknown | Soportes de Facturas.vbs | malicious | 160.153.128.31

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
9e10692f1b7f78228b2d4e424db3a98c | #UfffdNexeosolutions_NewAudioMessage.htm | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | http://custom-nonwoven.com | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | http://www.custom-nickel.com/media/shared/general/_jh/footer_findmyhost2009.png | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | https://daily-flawless-stage.glitch.me/ | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | http://idcindy.o.smith.windstream.willowcreekcornpanies.com/Zm9scC9zaGlmdA==?bXVtbXk=cindy.o.smith@windstream.com | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | https://vistapolitecnica.com/USA.html | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | https://kpuemp-my.sharepoint.com/:o:/g/personal/desire_pedersen_kpu_ca/EkI0D7LTXN5ImLBJCeB110kBYBxa7ruahx0HeUN57QFOGQ?e=65sRus | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | Remittance Advice.xlsx | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | http://t.em.cox.com/r/?id=h186c61de,5cd1d28,5cd1d2b&p1=novelbargain.com/git/margo.quadrini@windstream.com | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | Listen_925666-27677487.html | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | http://custom-nickel.com/media/shared/general/_jh/footer_besthosts_hover.gif | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | https://app.nutshell.com/email/click/11212/319222/27a1727334639b961c0cd54dbcdb0b745f2036adf71eadfb87f204844b103016 | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | Nuovo documento 1.vbs | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | Payment Receipt.xlsx | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | Payment Receipt.xlsx | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | https://storage.googleapis.com/rvjzvkzhc/001.html#qs=r-adebbadihcjcdkkaecickiiaeecdkggaceggcabababakaiaccafbiacfhgagifiiacb | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | https://estoteli1912.blogspot.sk/ | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | 23-Apr.htm | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | https://remitapp.one/ | malicious | 45.147.201.55
9e10692f1b7f78228b2d4e424db3a98c | https://khawdamchonburi.com/bonnie/mierzwa | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | Judgement_04222020_553.vbs | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | Remittance Advice.xlsx | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | Payment Receipt.xlsx | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | Payment Receipt.xlsx | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | DCR-30209829874987903.msi | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | Bq0bgeZvMS.exe | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | Quotation List.exe | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | Book1.xls | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | Payment_Invoice.xlsx | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | ResistanceWallet-windows-2.2.7.exe | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | irs Doc Attached.exe | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | Ayuda Covid-19.JS | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | MSShell32.exe | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | Book2.xlsx | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | http://malwarebytes-free.com/ | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | Pdf Document.exe | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | INF_NUM_80214.vbs | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | INF_NUM_54303.vbs | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | https://dpupr.lomboktengahkab.go.id/wp-content/uploads/2020/04/cursors/04981.zip | malicious | 45.147.201.55
ce5f3254611a8c095a3d821d44539877 | WindowsDefender.exe | malicious | 45.147.201.55

Dropped Files

No context

Screenshots

Thumbnails
