

Analysis Report kgVpfWk.bin

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 227470
Start date: 05.05.2020
Start time: 04:18:04
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 12m 54s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: kgVpfWk.bin (renamed file extension from bin to exe)
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.bank.troj.evad.winEXE@47/205@20/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 7.7% (good quality ratio 7.7%)
  • Quality average: 88.3%
  • Quality standard deviation: 20.2%
HCA Information:
  • Successful, ratio: 82%
  • Number of executed functions: 37
  • Number of non-executed functions: 21
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, ielowutil.exe, MusNotifyIcon.exe, WmiPrvSE.exe, UsoClient.exe
  • Excluded IPs from analysis (whitelisted): 23.10.69.125, 93.184.221.240, 23.56.184.24, 51.104.136.2, 152.199.19.161, 104.84.244.61
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ie9comview.vo.msecnd.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, settingsfd-geo.trafficmanager.net, e11290.dspg.akamaiedge.net, iecvlist.microsoft.com, go.microsoft.com, go.microsoft.com.edgekey.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, wu.wpc.apr-52dd2.edgecastdns.net, prod.fs.microsoft.com.akadns.net, cs9.wpc.v0cdn.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 88 (range 0 - 100)
Whitelisted: false
Threat: Ursnif
Detection: malicious

Confidence

Strategy: Threshold
Score: 5 (range 0 - 5)
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Techniques matched by the report's signatures, grouped by tactic. The number in brackets is the signature count shown in the matrix; the unnumbered cells of the original grid are the matrix's unmatched placeholder techniques and are not listed.

Execution: Windows Management Instrumentation (21), Execution through API (2), Graphical User Interface (1)
Privilege Escalation: Process Injection (2)
Defense Evasion: Masquerading (1), Software Packing (21), Disabling Security Tools (1), Virtualization/Sandbox Evasion (1), Process Injection (2), Obfuscated Files or Information (1)
Credential Access: Input Capture (1)
Discovery: System Time Discovery (1), Virtualization/Sandbox Evasion (1), Process Discovery (1), Security Software Discovery (21), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (12)
Collection: Input Capture (1)
Exfiltration: Data Encrypted (1)
Command and Control: Standard Cryptographic Protocol (12), Standard Non-Application Layer Protocol (1), Standard Application Layer Protocol (2)
No technique was matched under Initial Access, Persistence, Lateral Movement, Network Effects, Remote Service Effects or Impact.

Signature Overview



AV Detection:

Multi AV Scanner detection for submitted file
Source: kgVpfWk.exe | Virustotal: Detection: 26%
Machine Learning detection for sample
Source: kgVpfWk.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.kgVpfWk.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.kgVpfWk.exe.590000.1.unpack | Avira: Label: TR/Patched.Ren.Gen

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\kgVpfWk.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\kgVpfWk.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\kgVpfWk.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\kgVpfWk.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\kgVpfWk.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Note: CLSID {0002DF01-0000-0000-C000-000000000046} is InternetExplorer.Application. Instantiating it starts an out-of-process IE server, which is what the repeated iexplore.exe -Embedding launches under "Spawns processes" are; the lookup under WOW6432Node shows the sample runs as a 32-bit process on the 64-bit analysis system.
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View | JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: Joe Sandbox View | JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
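Joe Sandbox View reports the two JA3 hashes above because other samples in its corpus negotiated TLS with the same ClientHello shape. As an added example, not part of this report and not Joe Sandbox code, the Python below shows what a JA3 hash summarises: it parses a ClientHello, builds the JA3 string (TLS version, cipher suites, extension types, supported groups and EC point formats, each in wire order with GREASE values removed) and MD5-hashes it. The ClientHello is constructed inside the code with example.com as the SNI; it is not a capture from this sample, so its hash will not equal either hash above.

```python
import hashlib
import struct

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa. JA3 drops them so that a
# client that randomises GREASE placement still yields one fingerprint.
GREASE = {(v << 8) | v for v in range(0x0A, 0x100, 0x10)}


def _u16_list(data: bytes) -> list:
    return [v for (v,) in struct.iter_unpack("!H", data)]


def parse_client_hello(record: bytes) -> dict:
    """Extract the JA3-relevant fields from a TLS record carrying a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if body[0] != 0x01:
        raise ValueError("not a ClientHello")
    ch = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = struct.unpack("!H", ch[0:2])[0]
    pos = 2 + 32                                  # legacy_version + random
    pos += 1 + ch[pos]                            # session id
    cs_len = struct.unpack("!H", ch[pos:pos + 2])[0]
    pos += 2
    ciphers = _u16_list(ch[pos:pos + cs_len])
    pos += cs_len
    pos += 1 + ch[pos]                            # compression methods
    extensions, curves, point_formats = [], [], []
    if pos + 2 <= len(ch):
        end = pos + 2 + struct.unpack("!H", ch[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", ch[pos:pos + 4])
            edata = ch[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            extensions.append(etype)
            if etype == 10:                       # supported_groups
                curves = _u16_list(edata[2:2 + struct.unpack("!H", edata[:2])[0]])
            elif etype == 11:                     # ec_point_formats
                point_formats = list(edata[1:1 + edata[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "curves": curves, "point_formats": point_formats}


def ja3_string(fields: dict) -> str:
    """'version,ciphers,extensions,curves,point_formats', wire order, GREASE removed."""
    def degrease(vals):
        return [v for v in vals if v not in GREASE]
    return ",".join([
        str(fields["version"]),
        "-".join(map(str, degrease(fields["ciphers"]))),
        "-".join(map(str, degrease(fields["extensions"]))),
        "-".join(map(str, degrease(fields["curves"]))),
        "-".join(map(str, fields["point_formats"])),
    ])


def ja3_hash(record: bytes) -> str:
    return hashlib.md5(ja3_string(parse_client_hello(record)).encode()).hexdigest()


# ---- constructed ClientHello (not captured from the sample) ------------------
def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Wrap a minimal ClientHello in a TLS record; extensions = [(type, data), ...]."""
    ch = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    ch += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    ch += b"\x01\x00"                                        # one compression method: null
    ext = b"".join(_ext(t, d) for t, d in extensions)
    ch += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(ch).to_bytes(3, "big") + ch
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def sample_hello(with_grease: bool) -> bytes:
    """TLS 1.2 hello offering TLS 1.3/1.2 AEAD suites, SNI, groups, point formats, sigalgs."""
    groups = b"".join(struct.pack("!H", g) for g in ([0x2A2A] if with_grease else []) + [29, 23, 24])
    sni_name = b"example.com"                                # placeholder host, not the C2
    sni = b"\x00" + struct.pack("!H", len(sni_name)) + sni_name
    return build_client_hello(
        0x0303,
        ([0x0A0A] if with_grease else []) + [0x1301, 0x1302, 0xC02B, 0xC02F],
        ([(0x1A1A, b"")] if with_grease else [])
        + [(0, struct.pack("!H", len(sni)) + sni),
           (10, struct.pack("!H", len(groups)) + groups),
           (11, b"\x01\x00"),
           (13, b"\x00\x04\x04\x03\x08\x04")],
    )


if __name__ == "__main__":
    rec = sample_hello(with_grease=True)
    print(ja3_string(parse_client_hello(rec)))   # 771,4865-4866-49195-49199,0-10-11-13,29-23-24,0
    print(ja3_hash(rec))
```

The GREASE stripping is why sample_hello(True) and sample_hello(False) hash identically. Because the fingerprint depends only on the TLS library and how the client configures it, a hit in a malware corpus means "same TLS stack configuration", which a sample like this shares with any legitimate software using that stack on the same Windows build; treat a JA3 match as a pivot to combine with the DNS query for respondcritique.xyz and the port-443 connections below, not as a verdict on its own.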
Found strings which match to known social media urls
Source: msapplication.xml0.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9ac36083,0x01d62283</date><accdate>0x9ac36083,0x01d62283</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9ac36083,0x01d62283</date><accdate>0x9ac5c318,0x01d62283</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9acd0fd8,0x01d62283</date><accdate>0x9acd0fd8,0x01d62283</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9acd0fd8,0x01d62283</date><accdate>0x9acf720e,0x01d62283</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9ad1e84e,0x01d62283</date><accdate>0x9ad1e84e,0x01d62283</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.3.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9ad1e84e,0x01d62283</date><accdate>0x9ad1e84e,0x01d62283</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Note: the msapplication.xml*.3.dr files are IE's browser-tile configuration for the shortcuts in C:\Users\user\Favorites (the favorite src attribute points at them), dropped by process 3, an iexplore.exe instance. They are analysis-image content written when IE started, not strings from the sample; the same files account for the amazon, google, live, nytimes, reddit, twitter, wikipedia and youtube URLs in the list below.
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: respondcritique.xyz
Urls found in memory or binary data
Source: kgVpfWk.exe, 00000000.00000003.1463439984.0000000000839000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: kgVpfWk.exe, 00000000.00000003.1463439984.0000000000839000.00000004.00000001.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: kgVpfWk.exe, 00000000.00000003.1463439984.0000000000839000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: kgVpfWk.exe, 00000000.00000003.1463439984.0000000000839000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: kgVpfWk.exe, 00000000.00000003.1463439984.0000000000839000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: kgVpfWk.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: kgVpfWk.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: kgVpfWk.exe, 00000000.00000003.1463439984.0000000000839000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: kgVpfWk.exe, 00000000.00000003.1463439984.0000000000839000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: kgVpfWk.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.3.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.3.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.3.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.3.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.3.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.3.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.3.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.3.dr | String found in binary or memory: http://www.youtube.com/
Source: kgVpfWk.exe, 00000000.00000003.1109491817.0000000003470000.00000004.00000040.sdmp | String found in binary or memory: https://respondcritique.xyz
Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmp | String found in binary or memory: https://respondcritique.xyz/
Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmp | String found in binary or memory: https://respondcritique.xyz/61
Source: kgVpfWk.exe, 00000000.00000003.1463439984.0000000000839000.00000004.00000001.sdmp, kgVpfWk.exe, 00000000.00000002.2818964462.0000000000821000.00000004.00000020.sdmp, kgVpfWk.exe, 00000000.00000003.2648311070.0000000004013000.00000004.00000001.sdmp, kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmp, kgVpfWk.exe, 00000000.00000003.1174873117.000000000080D000.00000004.00000001.sdmp, ~DF72256FDAC7DFBFB0.TMP.3.dr | String found in binary or memory: https://respondcritique.xyz/index.htm
Source: kgVpfWk.exe, 00000000.00000003.1757830808.0000000000839000.00000004.00000001.sdmp | String found in binary or memory: https://respondcritique.xyz/index.htm48
Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmp | String found in binary or memory: https://respondcritique.xyz/index.htmM
Source: {322BA11F-8E77-11EA-AAE6-9CC1A2A860C6}.dat.21.dr | String found in binary or memory: https://respondcritique.xyz/index.htmRoot
Source: {322BA11F-8E77-11EA-AAE6-9CC1A2A860C6}.dat.21.dr | String found in binary or memory: https://respondcritique.xyz/index.htme.xyz/index.htm
Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmp | String found in binary or memory: https://respondcritique.xyz/index.htmndary=7a943578fe29dd7c
Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmp | String found in binary or memory: https://respondcritique.xyz/index.htmu
Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmp | String found in binary or memory: https://respondcritique.xyz/index.htmy
Source: kgVpfWk.exe | String found in binary or memory: https://sectigo.com/CPS0C
Note: trailing characters such as "0", "0s", "0#", "48", "M" or "ndary=7a943578fe29dd7c" are the bytes that happened to follow each string in memory (for URLs inside certificates, the ASN.1 length byte of the next field; for the index.htm hits, adjacent request data such as a multipart boundary) and are not part of the URL. The identrust, letsencrypt and sectigo entries are AIA, CRL, OCSP and CPS pointers from certificate chains: the Let's Encrypt/IdenTrust ones sit in a runtime dump and match the TLS certificate of the contacted server, while the Sectigo code-signing ones are in the file itself and indicate an embedded Sectigo certificate chain, so the Authenticode signature of kgVpfWk.exe should be checked. The only URL left unexplained is https://respondcritique.xyz/index.htm, the same name as the DNS query above, which also appears in an IE data file dropped by process 21 ({322BA11F-...}.dat.21.dr) and in the 0x03470000 region that the Ursnif Yara rule matches.
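Lists like the one above mix three kinds of strings, and reading them by eye is how a C2 indicator gets missed or a CA domain gets blocked. As an added example, written for this page and not taken from the report or from Joe Sandbox, the Python below reads lines in the report's own "Source: ... String found in binary or memory: ..." format, normalises each host, and separates certificate-chain URLs (OCSP/CRL/CPS/AIA pointers carved out of certificate bytes) and IE's default-favourites tile files from whatever is left to review. The embedded lines are copied from this section (the one multi-source line abbreviated to two sources); the PKI label and path lists, the trailing-digit stripping and the category names are heuristics of this example, not part of the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Lines copied from the "Urls found in memory or binary data" section of this
# report (the multi-source index.htm line abbreviated). Nothing here is invented.
REPORT_LINES = [
    "Source: kgVpfWk.exe, 00000000.00000003.1463439984.0000000000839000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0",
    "Source: kgVpfWk.exe, 00000000.00000003.1463439984.0000000000839000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0",
    "Source: kgVpfWk.exeString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s",
    "Source: kgVpfWk.exeString found in binary or memory: http://ocsp.sectigo.com0",
    "Source: kgVpfWk.exeString found in binary or memory: https://sectigo.com/CPS0C",
    "Source: msapplication.xml.3.drString found in binary or memory: http://www.amazon.com/",
    "Source: msapplication.xml1.3.drString found in binary or memory: http://www.google.com/",
    "Source: msapplication.xml4.3.drString found in binary or memory: http://www.reddit.com/",
    "Source: kgVpfWk.exe, 00000000.00000003.1109491817.0000000003470000.00000004.00000040.sdmpString found in binary or memory: https://respondcritique.xyz",
    "Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmpString found in binary or memory: https://respondcritique.xyz/",
    "Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmpString found in binary or memory: https://respondcritique.xyz/61",
    "Source: kgVpfWk.exe, 00000000.00000003.1463439984.0000000000839000.00000004.00000001.sdmp, ~DF72256FDAC7DFBFB0.TMP.3.drString found in binary or memory: https://respondcritique.xyz/index.htm",
    "Source: kgVpfWk.exe, 00000000.00000003.1757830808.0000000000839000.00000004.00000001.sdmpString found in binary or memory: https://respondcritique.xyz/index.htm48",
    "Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmpString found in binary or memory: https://respondcritique.xyz/index.htmM",
    "Source: {322BA11F-8E77-11EA-AAE6-9CC1A2A860C6}.dat.21.drString found in binary or memory: https://respondcritique.xyz/index.htmRoot",
    "Source: {322BA11F-8E77-11EA-AAE6-9CC1A2A860C6}.dat.21.drString found in binary or memory: https://respondcritique.xyz/index.htme.xyz/index.htm",
    "Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmpString found in binary or memory: https://respondcritique.xyz/index.htmndary=7a943578fe29dd7c",
    "Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmpString found in binary or memory: https://respondcritique.xyz/index.htmu",
    "Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmpString found in binary or memory: https://respondcritique.xyz/index.htmy",
]

LINE_RE = re.compile(r"^Source: (?P<src>.+?)String found in binary or memory: (?P<url>\S+)")

# Hostname labels and path fragments typical of X.509 AIA / CRL / CPS pointers that
# sandboxes carve out of certificate chains (heuristic lists, not exhaustive).
PKI_LABELS = {"ocsp", "crl", "cps", "crt", "cert"}
PKI_PATH_HINTS = ("/ocsp", "/crl", "/cps", "/roots/", ".p7c", ".crt", ".crl")


def normalise_host(url: str) -> str:
    """Hostname with memory-carving residue removed.

    A string carved from memory runs into whatever bytes follow it (for URLs inside a
    certificate, the ASN.1 length byte of the next field, which surfaces as a trailing
    '0'). Public TLDs are alphabetic, so trailing digits/punctuation are stripped
    (heuristic)."""
    host = re.sub(r"[^a-z0-9.-]", "", urlsplit(url).netloc.lower())
    return host.rstrip("0123456789.-")


def classify(src: str, host: str, path: str) -> str:
    if src.startswith("msapplication.xml"):
        return "ie_default_tile"      # IE tile cache for the default Favorites, written by iexplore.exe
    if set(host.split(".")) & PKI_LABELS or any(h in path.lower() for h in PKI_PATH_HINTS):
        return "pki"                  # certificate-chain plumbing, not C2
    return "review"                   # unexplained: candidate C2, pivot on DNS / TLS SNI logs


def triage(lines):
    """Group URL sightings by normalised host with a category and a sighting count."""
    hosts = defaultdict(lambda: {"category": None, "count": 0, "examples": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url, src = m["url"], m["src"]
        host = normalise_host(url)
        rec = hosts[host]
        rec["count"] += 1
        rec["examples"].append(url)
        cat = classify(src, host, urlsplit(url).path)
        if rec["category"] is None or cat == "review":   # one unexplained sighting flags the host
            rec["category"] = cat
    return dict(hosts)


def review_hosts(lines):
    return sorted(h for h, r in triage(lines).items() if r["category"] == "review")


if __name__ == "__main__":
    for host, rec in sorted(triage(REPORT_LINES).items(), key=lambda kv: kv[1]["category"]):
        print(f"{rec['category']:16} {host:36} sightings={rec['count']}")
```

On the embedded lines this leaves exactly one host to review, respondcritique.xyz with 11 sightings, which is also the only name in the DNS lookup list above; the next pivot is DNS and TLS SNI telemetry for that name. The "one review sighting flags the host" rule is deliberate: a host that is mostly certificate noise but also appears in a request string still needs a look.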
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 in both directions from 20 client ports: 49931, 49932, 49933, 49935 and 49943 through 49958 (payload not decrypted in this run; see Analysis Advice)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: kgVpfWk.exe PID: 3364, type: MEMORY
Source: Yara match | File source: 34 memory dumps of kgVpfWk.exe (process 00000000), all of the region at 0x03470000, type: MEMORY. The dumps are 00000000.00000003.<id>.0000000003470000.00000004.00000040.sdmp for ids 1102547976, 1102944710, 1103221504, 1103523489, 1103944902, 1104277997, 1104576474, 1104895216, 1105170389, 1105498428, 1105800178, 1106106938, 1106416970, 1106733343, 1107058159, 1107324397, 1107620006, 1107886404, 1108139659, 1108466065, 1108646514, 1108819488, 1108953669, 1109118589, 1109279513, 1109387957, 1109491817, 1109587438, 1109673238, 1109744596, 1109797791, 1109827801 and 1366133200, plus the end-of-analysis dump 00000000.00000002.2820262118.0000000003470000.00000004.00000040.sdmp
Note: the region at 0x03470000 is dumped repeatedly throughout the run and is also where the https://respondcritique.xyz string is first seen (Networking section), so it is the place to carve the unpacked Ursnif payload from.
Creates a DirectInput object (often for capturing keystrokes)
Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Caveat: the only evidence is a DirectDraw (ddraw.dll) hook declaration, not a DirectInput object, and strings of this <HOOK MODULE=... FUNCTION=.../> form are also how Windows application-compatibility shim definitions are written, so on its own this signature is a weak keylogging indicator. The Yara matches above carry the weight here.

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | same 34 memory dumps of kgVpfWk.exe and Process Memory Space PID 3364 as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\kgVpfWk.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\kgVpfWk.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\kgVpfWk.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\kgVpfWk.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\kgVpfWk.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\kgVpfWk.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\kgVpfWk.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\kgVpfWk.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\kgVpfWk.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\kgVpfWk.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Note: StdRegProv methods execute inside the WMI provider host (WmiPrvSE.exe), so registry telemetry keyed on the writing process attributes these writes to WmiPrvSE.exe rather than to kgVpfWk.exe, and user-mode hooks on the sample's own RegSetValue calls never see them. WmiPrvSE.exe was excluded from this analysis (see Warnings), which is why the keys and values actually written do not appear in the report; correlate with WMI-Activity logging or registry auditing when hunting for this behaviour.
Contains functionality to call native functions
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function 0_2_00401EE1: NtQueryVirtualMemory
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function 0_2_005A152F: memcpy, memcpy, lstrcatW, CreateEventA, _wcsupr, lstrlenW, NtQueryInformationProcess, CloseHandle
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function 0_2_005A6FB6: NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, RtlNtStatusToDosError
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function 0_2_005A2CD1: RtlInitUnicodeString, NtCreateKey
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function 0_2_005A90C7: RtlInitUnicodeString, NtSetValueKey, NtDeleteValueKey, NtClose, RtlNtStatusToDosError
Note: the 0x005Axxxx functions appear to belong to the second unpacked module (0.2.kgVpfWk.exe.590000.1.unpack in AV Detection) and drive the registry through NtCreateKey/NtSetValueKey directly rather than advapi32; together with the StdRegProv path above, the sample has two ways of touching the registry that bypass hooks on the documented Reg* API.
Detected potential crypto function
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_00401CC0
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_005AB420
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_005AABCA
PE file contains strange resources
Source: kgVpfWk.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (5 resources)
Sample file is different than original file name gathered from version info
Source: kgVpfWk.exe, 00000000.00000002.2819512413.00000000021C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename nlsbres.dll vs kgVpfWk.exe
Source: kgVpfWk.exe, 00000000.00000002.2819698251.00000000022D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename CRYPT32.DLL.MUI vs kgVpfWk.exe
Source: kgVpfWk.exe, 00000000.00000002.2819620297.00000000022B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename nlsbres.dll.mui vs kgVpfWk.exe
Source: kgVpfWk.exe, 00000000.00000002.2819673158.00000000022C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename mswsock.dll.mui vs kgVpfWk.exe
Source: kgVpfWk.exe, 00000000.00000002.2818289032.000000000052A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename dxdiag.exe vs kgVpfWk.exe
Source: kgVpfWk.exe | Binary or memory string: OriginalFilename dxdiag.exe vs kgVpfWk.exe
Note: the .dll and .mui entries are the version resources of OS modules mapped into the process and are noise. Only the dxdiag.exe entry comes from the sample file itself: its version information claims to be the Windows DirectX diagnostic tool, which is the Masquerading hit in the matrix and a useful static check (compare OriginalFilename and the signature against the real dxdiag.exe).
Classification label
Source: classification engine | Classification label: mal88.bank.troj.evad.winEXE@47/205@20/1
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C3A31140-8E76-11EA-AAE6-9CC1A2A860C6}.dat
Creates mutexes
Source: C:\Users\user\Desktop\kgVpfWk.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\BD0F010C-8477-D729-4003-A9471CBE2200
Creates temporary files
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DF04E092338D0D2019.TMP
PE file has an executable .text section and no other executable section
Source: kgVpfWk.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Reads ini files
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\kgVpfWk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Users\user\Desktop\kgVpfWk.exe | File read: C:\Windows\System32\drivers\etc\hosts (read twice)
Sample is known by Antivirus
Source: kgVpfWk.exe | Virustotal: Detection: 26%
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\kgVpfWk.exe 'C:\Users\user\Desktop\kgVpfWk.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5024 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5024 CREDAT:17418 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4752 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2416 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5840 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2588 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4164 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2836 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5496 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5672 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1444 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4612 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5252 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5312 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5024 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5024 CREDAT:17418 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4752 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2416 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5840 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2588 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4164 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2836 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5496 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5672 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1444 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4612 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5252 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5312 CREDAT:17410 /prefetch:2
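The flat "Process created" list above hides the structure a triager wants: which iexplore.exe entries are frame processes, which are tab processes, and which frame owns which tab. The following is an added example, not part of the Joe Sandbox report and not Joe Security code. It parses lines in the cleaned "Source: <parent> | Process created: <image> '<exe>' <args>" form used above, on a constructed subset of the report's own command lines. Two assumptions are built in and labelled in the code: an iexplore.exe started with -Embedding is a frame process activated by the COM runtime (that switch is what COM appends when it launches a LocalServer32 executable on behalf of a client; the report records the activating parent only as "unknown"), and SCODEF:<pid> on a tab process names the PID of the frame process that owns the tab.

```python
"""Rebuild the Internet Explorer process tree from flat 'Process created' lines.

Added example; not from the report or from Joe Security. See the lead-in for the
two assumptions (meaning of -Embedding and of SCODEF:<pid>).
"""
import re
from collections import defaultdict

# Constructed input: a subset of the report's own command lines, already in the
# cleaned 'Source: ... | Process created: ...' form.
REPORT_LINES = r"""
Source: unknown | Process created: C:\Users\user\Desktop\kgVpfWk.exe 'C:\Users\user\Desktop\kgVpfWk.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5024 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5024 CREDAT:17418 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5608 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
"""

LINE_RE = re.compile(
    r"^Source: (?P<parent>.*?) \| Process created: (?P<image>.+?) '(?P<exe>[^']*)'(?P<args>.*)$"
)


def parse_process_lines(text: str) -> list:
    """Turn each 'Process created' line into a dict; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        args = m["args"].strip()
        scodef = re.search(r"\bSCODEF:(\d+)", args)
        credat = re.search(r"\bCREDAT:(\d+)", args)
        events.append({
            "parent": m["parent"],
            "image": m["image"],
            "args": args,
            "is_ie": m["image"].lower().endswith("iexplore.exe"),
            # Assumption: -Embedding marks a COM-activated frame process.
            "com_activated": "-Embedding" in args.split(),
            # Assumption: SCODEF carries the owning frame's PID.
            "frame_pid": int(scodef.group(1)) if scodef else None,
            "credat": int(credat.group(1)) if credat else None,
        })
    return events


def ie_process_tree(events: list) -> dict:
    """Group tab processes under the frame PID from SCODEF and count COM-activated frames."""
    tabs = defaultdict(list)
    for e in events:
        if e["is_ie"] and e["frame_pid"] is not None:
            tabs[e["frame_pid"]].append(e["credat"])
    frames = sum(1 for e in events if e["is_ie"] and e["com_activated"])
    return {
        "frames_via_com": frames,
        "tabs_by_frame": {pid: sorted(c) for pid, c in tabs.items()},
        # Frames that never got a tab process recorded in the input.
        "frames_without_tabs": frames - len(tabs),
        "non_ie_images": [e["image"] for e in events if not e["is_ie"]],
    }


def summarize(text: str = REPORT_LINES) -> dict:
    return ie_process_tree(parse_process_lines(text))


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run over the full list above, the same code shows 15 COM-activated frames against 14 distinct SCODEF values, i.e. one frame with no recorded tab, and frame 5024 owning two tabs (CREDAT 17410 and 17418).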
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\kgVpfWk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 (this CLSID is CLSID_WbemLocator, the WMI client entry point, which matches the WMI query listed under Lowering of HIPS / PFW / Operating System Security Settings)
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Submission file is bigger than most known malware samples
Source: kgVpfWk.exe | Static file information: File size 1245777 > 1048576
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\kgVpfWk.exe | Unpacked PE file: 0.2.kgVpfWk.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\kgVpfWk.exe | Unpacked PE file: 0.2.kgVpfWk.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_00401A1C GetModuleHandleW,LoadLibraryW,GetProcAddress, 0_2_00401A1C
PE file contains an invalid checksum
Source: kgVpfWk.exe | Static PE information: real checksum: 0x136e7e should be: 0x136e9f
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_0040E825 push eax; ret 0_2_0040E83E
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_00401CAF push ecx; ret 0_2_00401CBF
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_0058B7C0 push edx; ret 0_2_0058B94E
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_005834CA push edx; iretd 0_2_005834CB
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_00584D57 push esp; retf 0_2_00584D58
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_00582179 pushad ; ret 0_2_005823E2
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_00584DA7 push esi; ret 0_2_00584DB8
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_00582648 push edi; iretd 0_2_00582652
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_0058324A push ecx; iretd 0_2_0058325C
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_005823D7 pushad ; ret 0_2_005823E2
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_005AB40F push ecx; ret 0_2_005AB41F
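Two of the Data Obfuscation signatures are pure PE-header checks that are easy to reproduce offline: the unpacking signature compares the section table of the file on disk (.text/.rdata/.data/.rsrc) with the one found in memory after unpacking (.text/.rdata/.data/.bss/.reloc), and the checksum signature compares the OptionalHeader.CheckSum field with the value the documented algorithm produces. The block below is an added example, written for this page and not part of the Joe Sandbox report or its tooling. It renders section protections in a notation close to the report's (the report prints a single letter for .data; this prints every flag that is set), reimplements the PE checksum, and builds a constructed 512-byte stand-in for a PE32 file so it runs without a real sample. Note the caveat a practitioner should keep in mind: Windows only enforces the checksum for drivers and a few boot-critical system images, so a wrong checksum in a user-mode EXE is a sign that something rewrote the file after linking (a packer or a post-build patch), not an execution blocker on its own.

```python
"""PE header triage: section rights in the report's notation and the PE checksum.

Added example, not part of the Joe Sandbox report. Offsets follow the PE format:
IMAGE_FILE_HEADER starts 4 bytes after the 'PE\0\0' signature, the optional
header 20 bytes after that, and CheckSum sits 64 bytes into the optional header.
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def pe_header_offset(data: bytes) -> int:
    """Return the file offset of the 'PE\\0\\0' signature (e_lfanew)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[off:off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return off


def section_rights(data: bytes) -> str:
    """Render each section as name:flags; with E/R/W taken from Characteristics."""
    pe = pe_header_offset(data)
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size            # section table follows the optional header
    parts = []
    for i in range(num_sections):
        hdr = table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, hdr + 36)[0]
        flags = ""
        if chars & IMAGE_SCN_MEM_EXECUTE:
            flags += "E"
        if chars & IMAGE_SCN_MEM_READ:
            flags += "R"
        if chars & IMAGE_SCN_MEM_WRITE:
            flags += "W"
        parts.append(f"{name}:{flags};")
    return "".join(parts)


def pe_checksum(data: bytes) -> int:
    """Compute the value Windows expects in OptionalHeader.CheckSum.

    Sum every 32-bit word of the (zero-padded) file except the CheckSum field itself,
    fold carries back in, fold to 16 bits, then add the file length. Summing dwords with
    end-around carry yields the same result as the 16-bit-word formulation.
    """
    pe = pe_header_offset(data)
    checksum_off = pe + 24 + 64           # same offset for PE32 and PE32+
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
    while total > 0xFFFFFFFF:
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)


def verify_checksum(data: bytes):
    """Return (stored, computed, matches), the pair behind a 'real checksum ... should be' line."""
    pe = pe_header_offset(data)
    stored = struct.unpack_from("<I", data, pe + 24 + 64)[0]
    computed = pe_checksum(data)
    return stored, computed, stored == computed


def build_synthetic_pe(stored_checksum: int) -> bytes:
    """Constructed 512-byte stand-in for a PE32 file (not a real binary): MZ stub,
    PE signature at 0x40, two sections (.text ER, .data RW) and the given CheckSum."""
    buf = bytearray(0x200)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    pe = 0x40
    buf[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", buf, pe + 4, 0x14C, 2)       # Machine i386, 2 sections
    struct.pack_into("<HH", buf, pe + 20, 0xE0, 0x0102)  # opt. header size, characteristics
    struct.pack_into("<H", buf, pe + 24, 0x10B)          # PE32 magic
    struct.pack_into("<I", buf, pe + 24 + 64, stored_checksum)
    table = pe + 24 + 0xE0
    for i, (name, chars) in enumerate([(b".text", 0x60000020), (b".data", 0xC0000040)]):
        hdr = table + i * 40
        buf[hdr:hdr + len(name)] = name
        struct.pack_into("<I", buf, hdr + 36, chars)
    return bytes(buf)


if __name__ == "__main__":
    sample = build_synthetic_pe(0x1234)
    print(section_rights(sample))
    print("stored 0x%x computed 0x%x" % verify_checksum(sample)[:2])
```

To reproduce the report's first signature on a real sample, run section_rights() once on the file from disk and once on a memory dump of the process written out as a PE image, and diff the two strings; sections that appear only in the in-memory copy (here .bss and .reloc) are the unpacked stage's own layout.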

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.1109491817.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1104895216.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1109744596.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1102944710.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1105170389.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1108466065.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1105800178.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1366133200.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1103523489.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1109827801.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1106733343.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1108139659.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1109797791.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1109387957.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1107058159.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1103944902.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2820262118.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1108646514.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1109587438.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1109118589.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1106416970.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1105498428.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1107620006.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1106106938.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1109673238.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1104277997.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1104576474.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1108819488.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1107324397.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1102547976.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1108953669.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1107886404.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1109279513.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1103221504.0000000003470000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: kgVpfWk.exe PID: 3364, type: MEMORY

Malware Analysis System Evasion:

Found evasive API chain (date check)
Source: C:\Users\user\Desktop\kgVpfWk.exe | Evasive API call chain: GetSystemTimeAsFileTime, DecisionNodes (graph_0-4660)
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\kgVpfWk.exe TID: 3148 | Thread sleep count: 130 > 30
Source: C:\Users\user\Desktop\kgVpfWk.exe TID: 3148 | Thread sleep time: -65000s >= -30000s
Source: C:\Users\user\Desktop\kgVpfWk.exe TID: 5108 | Thread sleep time: -540000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\kgVpfWk.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\kgVpfWk.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: kgVpfWk.exe, 00000000.00000002.2818830649.00000000007CA000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAWP?
Source: kgVpfWk.exe, 00000000.00000003.1463439984.0000000000839000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: kgVpfWk.exe, 00000000.00000003.1620950730.0000000000831000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW,
Program exit points
Source: C:\Users\user\Desktop\kgVpfWk.exe | API call chain: ExitProcess graph end node (graph_0-4267)

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_00401A1C GetModuleHandleW,LoadLibraryW,GetProcAddress, 0_2_00401A1C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_00401076 EntryPoint,GetModuleHandleA,GetProcessHeap,GetCurrentThread,WaitForSingleObject,ExitProcess, 0_2_00401076
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\Desktop\kgVpfWk.exe | Memory protected: page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: kgVpfWk.exe, 00000000.00000002.2819261563.0000000000D50000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: kgVpfWk.exe, 00000000.00000002.2819261563.0000000000D50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: kgVpfWk.exe, 00000000.00000002.2819261563.0000000000D50000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: kgVpfWk.exe, 00000000.00000002.2819261563.0000000000D50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_005A893A cpuid 0_2_005A893A
Contains functionality to query local / system time
Source: C:\Users\user\Desktop\kgVpfWk.exe | Code function: 0_2_00401668 GetSystemTimeAsFileTime,memcpy,memcpy,memcpy,memset, 0_2_00401668

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\kgVpfWk.exe | WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: the same 34 memory dumps (00000000.*.0000000003470000.00000004.00000040.sdmp) and the kgVpfWk.exe PID 3364 process memory space listed under Hooking and other Techniques for Hiding and Protection, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | File source: the same 34 memory dumps (00000000.*.0000000003470000.00000004.00000040.sdmp) and the kgVpfWk.exe PID 3364 process memory space listed under Hooking and other Techniques for Hiding and Protection, type: MEMORY

Malware Configuration

No configs have been found

Behavior Graph

Behavior Graph ID: 227470 | Sample: kgVpfWk.bin | Start date: 05/05/2020 | Architecture: WINDOWS | Score: 88

The rendered graph and its legend are not reproduced here; the nodes and edges it encodes are listed below. Numbers in parentheses are the graph's per-process counters (created registry values, created files).
Root -> DNS/IP: respondcritique.xyz
Root -> signatures: Multi AV Scanner detection for submitted file; Yara detected Ursnif; Machine Learning detection for sample
Root -> processes started: kgVpfWk.exe; iexplore.exe (1, 76); iexplore.exe (1, 50); 13 other processes
kgVpfWk.exe -> DNS/IP: respondcritique.xyz
kgVpfWk.exe -> signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes or reads registry keys via WMI; 2 other signatures
first iexplore.exe -> processes started: iexplore.exe (37); iexplore.exe (33)
second iexplore.exe -> processes started: iexplore.exe (33)
13 other processes -> processes started: iexplore.exe (33); iexplore.exe; iexplore.exe; 9 other processes
iexplore.exe child of the first frame -> DNS/IP: respondcritique.xyz, 91.211.245.161, port 443, local ports 49931 and 49932, ASN unknown, Lithuania

Simulations

Behavior and APIs

Time | Type | Description
04:19:18 | API Interceptor | 18x Sleep call for process: kgVpfWk.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
kgVpfWk.exe | 26% | Virustotal |
kgVpfWk.exe | 100% | Joe Sandbox ML |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label
0.2.kgVpfWk.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
0.0.kgVpfWk.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
0.2.kgVpfWk.exe.590000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen

Domains

Source | Detection | Scanner
respondcritique.xyz | 1% | Virustotal

URLs

Source | Detection | Scanner | Label
https://respondcritique.xyz/index.htmu | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
http://ocsp.int-x3.letsencrypt.org0/ | 0% | URL Reputation | safe
https://respondcritique.xyz/index.htmndary=7a943578fe29dd7c | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 1% | Virustotal |
http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | Virustotal |
http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0# | 0% | URL Reputation | safe
https://respondcritique.xyz | 0% | Virustotal |
https://respondcritique.xyz | 0% | Avira URL Cloud | safe
https://respondcritique.xyz/index.htmRoot | 0% | Avira URL Cloud | safe
https://respondcritique.xyz/index.htmM | 0% | Avira URL Cloud | safe
https://respondcritique.xyz/ | 0% | Virustotal |
https://respondcritique.xyz/ | 0% | Avira URL Cloud | safe
https://respondcritique.xyz/index.htm48 | 0% | Avira URL Cloud | safe
https://respondcritique.xyz/index.htm | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0C | 0% | Virustotal |
https://sectigo.com/CPS0C | 0% | URL Reputation | safe
http://www.wikipedia.com/ | 0% | Virustotal |
http://www.wikipedia.com/ | 0% | URL Reputation | safe
https://respondcritique.xyz/index.htme.xyz/index.htm | 0% | Avira URL Cloud | safe
https://respondcritique.xyz/61 | 0% | Avira URL Cloud | safe
https://respondcritique.xyz/index.htmy | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe

The trailing "0", "0s", "0#", "0C" and "0/" on the Sectigo and Let's Encrypt URLs are not part of the URLs: they are the DER bytes (the 0x30 SEQUENCE tag, then a length byte) that follow each string inside the embedded code-signing certificate and get swept up by string extraction. The genuine contact point in this list is respondcritique.xyz over HTTPS.

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
The 34 memory dumps listed under "Yara detected Ursnif" in Hooking and other Techniques for Hiding and Protection (33 dumps 00000000.00000003.*.0000000003470000.00000004.00000040.sdmp and 00000000.00000002.2820262118.0000000003470000.00000004.00000040.sdmp) | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
                                                                      Process Memory Space: kgVpfWk.exe PID: 3364JoeSecurity_UrsnifYara detected UrsnifJoe Security

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN


JA3 Fingerprints
