
Analysis Report wCBF18f9qE

Overview

General Information

Sample Name: wCBF18f9qE (renamed file extension from none to exe)
MD5: a51e01aea30de8b559438d2cfc051af0
SHA1: 15442aa7beb997dc9333a7a09ca773443ac66e58
SHA256: b9a3270fb18059176da80a1ed62a5ae44542fae7887167b4369329f5b16190bf

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Ursnif
Yara detected Ursnif
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found Tor onion address
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Overwrites Mozilla Firefox settings
Sigma detected: Suspicious Svchost Process
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains functionality to query locale information (e.g. system language)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to get notified if a device is plugged in / out
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • wCBF18f9qE.exe (PID: 2532 cmdline: 'C:\Users\user\Desktop\wCBF18f9qE.exe' MD5: A51E01AEA30DE8B559438D2CFC051AF0)
    • wCBF18f9qE.exe (PID: 1820 cmdline: C:\Users\user\Desktop\wCBF18f9qE.exe MD5: A51E01AEA30DE8B559438D2CFC051AF0)
      • svchost.exe (PID: 2416 cmdline: C:\Windows\system32\svchost.exe MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
  • 00000003.00000003.1142889095.0000021D4F0D0000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
  • 00000003.00000003.1142889095.0000021D4F0D0000.00000004.00000001.sdmp | GoziRule | Win32.Gozi | CCN-CERT
    • 0x890:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
  • 00000005.00000002.1192031354.000001F270030000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
  • 00000005.00000002.1192031354.000001F270030000.00000004.00000001.sdmp | GoziRule | Win32.Gozi | CCN-CERT
    • 0x890:$: 63 00 6F 00 6F 00 6B 00 69 00 65 00 73 00 2E 00 73 00 71 00 6C 00 69 00 74 00 65 00 2D 00 6A 00 ...
  • 00000003.00000002.1174299430.0000000000DB0000.00000004.00000001.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Sigma Overview

System Summary:

Sigma detected: Ursnif
Source: Registry Key set, Author: megan201296, Data: Details: F9 03 00 00 1C 80 00 00 50 1C 61 32 E3 9A 3A A7 A7 DA 71 1C 7B BA 0D D5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, Image: C:\Windows\System32\svchost.exe, ProcessId: 2416, TargetObject: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\4657FA74-ED45-68EE-A7DA-711CCBAE3510\Client
Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Users\user\Desktop\wCBF18f9qE.exe, ParentImage: C:\Users\user\Desktop\wCBF18f9qE.exe, ParentProcessId: 1820, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 2416
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: C:\Users\user\Desktop\wCBF18f9qE.exe, ParentImage: C:\Users\user\Desktop\wCBF18f9qE.exe, ParentProcessId: 1820, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 2416

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: wCBF18f9qE.exe, Avira: detected
Multi AV Scanner detection for submitted file
Source: wCBF18f9qE.exe, Virustotal: Detection: 83%
Source: wCBF18f9qE.exe, Metadefender: Detection: 68%
Source: wCBF18f9qE.exe, ReversingLabs: Detection: 89%
Machine Learning detection for sample
Source: wCBF18f9qE.exe, Joe Sandbox ML: detected
Source: 1.2.wCBF18f9qE.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen

Source: C:\Windows\explorer.exe, Code function: 4_2_0598A68C RegisterDeviceNotificationA
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 0_2_0086EF32 FindFirstFileExA
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_0086EF32 FindFirstFileExA
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB421E CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Source: C:\Windows\explorer.exe, Code function: 4_2_05986CF0 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose
Source: C:\Windows\explorer.exe, Code function: 4_2_05983B3C RtlAllocateHeap,RtlAllocateHeap,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,RtlReleasePrivilege,RtlReleasePrivilege,RtlReleasePrivilege
Source: C:\Windows\explorer.exe, Code function: 4_2_05986DF8 FindCloseChangeNotification,FindFirstFileA

Networking:

Found Tor onion address
Source: svchost.exe, 00000003.00000003.1142889095.0000021D4F0D0000.00000004.00000001.sdmp, explorer.exe, 00000004.00000002.1211072572.00000000059A0000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000005.00000002.1192031354.000001F270030000.00000004.00000001.sdmp, String found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
Source: svchost.exe, 00000003.00000003.1142889095.0000021D4F0D0000.00000004.00000001.sdmp, explorer.exe, 00000004.00000002.1211072572.00000000059A0000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000005.00000002.1192031354.000001F270030000.00000004.00000001.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txt
Source: svchost.exe, 00000003.00000003.1142889095.0000021D4F0D0000.00000004.00000001.sdmp, explorer.exe, 00000004.00000002.1211072572.00000000059A0000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000005.00000002.1192031354.000001F270030000.00000004.00000001.sdmp, String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: svchost.exe, 00000003.00000003.1142889095.0000021D4F0D0000.00000004.00000001.sdmp, explorer.exe, 00000004.00000002.1211072572.00000000059A0000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000005.00000002.1192031354.000001F270030000.00000004.00000001.sdmp, String found in binary or memory: http://https://file://USER.ID%lu.exe/upd

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match, File source: 00000003.00000003.1142889095.0000021D4F0D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.1192031354.000001F270030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1174299430.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1211072572.00000000059A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 2928, type: MEMORY
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 2416, type: MEMORY
Source: Yara match, File source: Process Memory Space: RuntimeBroker.exe PID: 3552, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match, File source: 00000003.00000003.1142889095.0000021D4F0D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.1192031354.000001F270030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.1174299430.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1211072572.00000000059A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: explorer.exe PID: 2928, type: MEMORY
Source: Yara match, File source: Process Memory Space: svchost.exe PID: 2416, type: MEMORY
Source: Yara match, File source: Process Memory Space: RuntimeBroker.exe PID: 3552, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe, Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, EnableSPDY3_0 = 0

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000003.1142889095.0000021D4F0D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Win32.Gozi, Author: CCN-CERT
Source: 00000005.00000002.1192031354.000001F270030000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Win32.Gozi, Author: CCN-CERT
Source: 00000003.00000002.1174299430.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Win32.Gozi, Author: CCN-CERT
Source: 00000004.00000002.1211072572.00000000059A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Win32.Gozi, Author: CCN-CERT
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB3D6C NtQuerySystemInformation,RtlNtStatusToDosError
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB3095 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB34E7 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB1C25 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,FindCloseChangeNotification,memset
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB3472 GetProcAddress,NtWow64ReadVirtualMemory64
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB2702 NtCreateSection,memset,RtlNtStatusToDosError,NtClose
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB3E85 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB32DC GetProcAddress,NtWow64QueryInformationProcess64
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB26C3 NtMapViewOfSection,RtlNtStatusToDosError
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB3E44 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB3C78 memset,NtQueryInformationProcess
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB3ED5 NtGetContextThread,NtGetContextThread
Source: C:\Windows\System32\svchost.exe, Code function: 3_2_00D9C0F4 NtMapViewOfSection
Source: C:\Windows\System32\svchost.exe, Code function: 3_2_00D9595C NtSetContextThread
Source: C:\Windows\System32\svchost.exe, Code function: 3_2_00D962D4 NtWriteVirtualMemory
Source: C:\Windows\System32\svchost.exe, Code function: 3_2_00D9AE8C NtCreateSection,NtUnmapViewOfSection,FindCloseChangeNotification,RtlDeleteBoundaryDescriptor
Source: C:\Windows\System32\svchost.exe, Code function: 3_2_00D95668 NtQueryInformationProcess
Source: C:\Windows\System32\svchost.exe, Code function: 3_2_00D96B9C NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose
Source: C:\Windows\explorer.exe, Code function: 4_2_059861DC NtQuerySystemInformation
Source: C:\Windows\explorer.exe, Code function: 4_2_0598595C NtSetContextThread
Source: C:\Windows\explorer.exe, Code function: 4_2_0598C0F4 NtMapViewOfSection
Source: C:\Windows\explorer.exe, Code function: 4_2_05986320 NtAllocateVirtualMemory
Source: C:\Windows\explorer.exe, Code function: 4_2_05986288 NtReadVirtualMemory
Source: C:\Windows\explorer.exe, Code function: 4_2_0598AE8C NtCreateSection,NtUnmapViewOfSection
Source: C:\Windows\explorer.exe, Code function: 4_2_059862D4 NtWriteVirtualMemory
Source: C:\Windows\explorer.exe, Code function: 4_2_05985668 NtQueryInformationProcess
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: String function: 008645A4 appears 42 times
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: String function: 0086A8A8 appears 34 times
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: String function: 0085C2A0 appears 88 times
Source: wCBF18f9qE.exe, 00000001.00000003.1138670016.0000000003FE2000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs wCBF18f9qE.exe
Source: 00000003.00000003.1142889095.0000021D4F0D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000005.00000002.1192031354.000001F270030000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000003.00000002.1174299430.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: 00000004.00000002.1211072572.00000000059A0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: GoziRule author = CCN-CERT, description = Win32.Gozi, version = 1.0, ref = https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos.html
Source: classification engine, Classification label: mal100.phis.bank.troj.spyw.evad.winEXE@5/2@0/0
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, File created: C:\Users\user\AppData\Roaming\Microsoft\Authtenc
Source: C:\Windows\System32\svchost.exe, Mutant created: \Sessions\1\BaseNamedObjects\{F671AD64-DDC0-98CC-178A-614C3B5E2540}
Source: wCBF18f9qE.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe, File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wCBF18f9qE.exe, Virustotal: Detection: 83%
Source: wCBF18f9qE.exe, Metadefender: Detection: 68%
Source: wCBF18f9qE.exe, ReversingLabs: Detection: 89%
Source: unknown, Process created: C:\Users\user\Desktop\wCBF18f9qE.exe 'C:\Users\user\Desktop\wCBF18f9qE.exe'
Source: unknown, Process created: C:\Users\user\Desktop\wCBF18f9qE.exe C:\Users\user\Desktop\wCBF18f9qE.exe
Source: unknown, Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Process created: C:\Users\user\Desktop\wCBF18f9qE.exe C:\Users\user\Desktop\wCBF18f9qE.exe
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
Source: C:\Windows\explorer.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: wCBF18f9qE.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: wCBF18f9qE.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: wCBF18f9qE.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: wCBF18f9qE.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: wCBF18f9qE.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: wCBF18f9qE.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: wCBF18f9qE.exe, Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: wCBF18f9qE.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wscui.pdbUGP, source: explorer.exe, 00000004.00000002.1212449244.0000000007010000.00000002.00000001.sdmp
Source: Binary string: \source\repos\Project22\Release\Project22.pdb, source: wCBF18f9qE.exe
Source: Binary string: ntdll.pdb, source: wCBF18f9qE.exe, 00000001.00000003.1140607513.0000000003E70000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP, source: wCBF18f9qE.exe, 00000001.00000003.1140607513.0000000003E70000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb, source: explorer.exe, 00000004.00000002.1212449244.0000000007010000.00000002.00000001.sdmp
Source: wCBF18f9qE.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: wCBF18f9qE.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: wCBF18f9qE.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: wCBF18f9qE.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: wCBF18f9qE.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 0_2_0085C2E6 push ecx; ret 0_2_0085C2F9
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 0_2_0085BD6E push ecx; ret 0_2_0085BD81
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_0086E116 push esp; retf 1_2_0086E117
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_0085C2E6 push ecx; ret 1_2_0085C2F9
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_0086DB18 push esp; retf 1_2_0086DB20
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_00876CCA push esp; retf 1_2_00876CCB
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_0085BD6E push ecx; ret 1_2_0085BD81
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_008766A8 push esp; retf 1_2_008766B0
Source: C:\Users\user\Desktop\wCBF18f9qE.exe, Code function: 1_2_01BB4F37 push ecx; ret 1_2_01BB4F47

        Boot Survival:

        Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Window found: window name: ProgMan
        Source: C:\Windows\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run apprkeDS
        Source: C:\Windows\explorer.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run apprkeDS

        Hooking and other Techniques for Hiding and Protection:

        Yara detected Ursnif
        Source: Yara match | File source: 00000003.00000003.1142889095.0000021D4F0D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.1192031354.000001F270030000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1174299430.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.1211072572.00000000059A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2928, type: MEMORY
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2416, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3552, type: MEMORY
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_0085ACAF GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0085ACAF

        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess (graph_1-20556)
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_0086EF32 FindFirstFileExA,0_2_0086EF32
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 1_2_0086EF32 FindFirstFileExA,1_2_0086EF32
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 1_2_01BB421E CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindNextFileA,StrChrA,memcpy,FindNextFileA,CompareFileTime,FindClose,HeapFree,HeapFree,1_2_01BB421E
        Source: C:\Windows\explorer.exe | Code function: 4_2_05986CF0 CreateFileA,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,4_2_05986CF0
        Source: C:\Windows\explorer.exe | Code function: 4_2_05983B3C RtlAllocateHeap,RtlAllocateHeap,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,RtlReleasePrivilege,RtlReleasePrivilege,RtlReleasePrivilege,4_2_05983B3C
        Source: C:\Windows\explorer.exe | Code function: 4_2_05986DF8 FindCloseChangeNotification,FindFirstFileA,4_2_05986DF8
        Source: explorer.exe, 00000004.00000000.1160180324.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: explorer.exe, 00000004.00000000.1160180324.0000000007340000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: explorer.exe, 00000004.00000000.1160180324.0000000007340000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: explorer.exe, 00000004.00000000.1160180324.0000000007340000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Process information queried: ProcessInformation

        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_00864015 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00864015
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_00867058 mov eax, dword ptr fs:[00000030h] 0_2_00867058
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_008762F0 mov ebx, dword ptr fs:[00000030h] 0_2_008762F0
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_0086FE11 mov eax, dword ptr fs:[00000030h] 0_2_0086FE11
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 1_2_00867058 mov eax, dword ptr fs:[00000030h] 1_2_00867058
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 1_2_008762F0 mov ebx, dword ptr fs:[00000030h] 1_2_008762F0
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 1_2_0086FE11 mov eax, dword ptr fs:[00000030h] 1_2_0086FE11
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_0086CF61 GetProcessHeap,0_2_0086CF61
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_0085C03B SetUnhandledExceptionFilter,0_2_0085C03B
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_00864015 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00864015
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_0085C4A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_0085C4A6
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_0085BF1C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0085BF1C
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 1_2_00864015 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00864015
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 1_2_0085C03B SetUnhandledExceptionFilter,1_2_0085C03B
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 1_2_0085C4A6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_0085C4A6
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 1_2_0085BF1C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0085BF1C

        HIPS / PFW / Operating System Protection Evasion:

        Allocates memory in foreign processes
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Memory allocated: C:\Windows\System32\svchost.exe base: E10000 protect: page execute and read and write
        Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1F26FDE0000 protect: page execute and read and write
        Changes memory attributes in foreign processes to executable or writable
        Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF87CDF1460 protect: page execute and read and write
        Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF87CDF1460 protect: page execute read
        Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FF87CDF1460 protect: page execute and read and write
        Contains functionality to inject code into remote processes
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_008758E0 GetDC,CreateCompatibleDC,MoveToEx,MoveToEx,CreateCompatibleDC,MoveToEx,GetDesktopWindow,GetWindowDC,GdiplusStartup,CreateProcessA,GetDesktopWindow,VirtualAlloc,CreatePen,MoveToEx,MoveToEx,GetThreadContext,MoveToEx,ReadProcessMemory,GetModuleHandleA,GetProcAddress,VirtualAllocEx,MoveToEx,TerminateProcess,WriteProcessMemory,MoveToEx,WriteProcessMemory,WriteProcessMemory,MoveToEx,MoveToEx,SetThreadContext,ResumeThread,ExitProcess,0_2_008758E0
        Creates a thread in another existing process (thread injection)
        Source: C:\Windows\System32\svchost.exe | Thread created: C:\Windows\explorer.exe EIP: 7CDF1460
        Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 7CDF1460
        Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 7CDF1460
        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Memory written: C:\Users\user\Desktop\wCBF18f9qE.exe base: 400000 value starts with: 4D5A
        Injects code into the Windows Explorer (explorer.exe)
        Source: C:\Windows\System32\svchost.exe | Memory written: PID: 2928 base: 7FF87CDF1460 value: EB
        Source: C:\Windows\System32\svchost.exe | Memory written: PID: 2928 base: CA0000 value: 60
        Source: C:\Windows\System32\svchost.exe | Memory written: PID: 2928 base: 7FF87CDF1460 value: 40
        Maps a DLL or memory area into another process
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Section loaded: unknown target: C:\Windows\System32\svchost.exe protection: execute and read and write
        Source: C:\Windows\System32\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
        Source: C:\Windows\explorer.exe | Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
        Modifies the context of a thread in another process (thread injection)
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Thread register set: target process: 2416
        Source: C:\Windows\System32\svchost.exe | Thread register set: target process: 2928
        Source: C:\Windows\explorer.exe | Thread register set: target process: 3552
        Writes to foreign memory regions
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Memory written: C:\Windows\System32\svchost.exe base: E10000
        Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\explorer.exe base: 7FF87CDF1460
        Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\explorer.exe base: CA0000
        Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\explorer.exe base: 7FF87CDF1460
        Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF87CDF1460
        Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1F26FDE0000
        Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FF87CDF1460
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Process created: C:\Users\user\Desktop\wCBF18f9qE.exe C:\Users\user\Desktop\wCBF18f9qE.exe
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
        Source: explorer.exe, 00000004.00000000.1144710895.0000000001170000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000005.00000000.1176862700.000001F26D790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000006.00000002.1189940595.000002DB88060000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: wCBF18f9qE.exe, 00000001.00000002.1147861423.0000000001BB7000.00000004.00000001.sdmp | Binary or memory string: ProgMan
        Source: explorer.exe, 00000004.00000000.1144710895.0000000001170000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000005.00000000.1176862700.000001F26D790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000006.00000002.1189940595.000002DB88060000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: explorer.exe, 00000004.00000000.1144710895.0000000001170000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000005.00000000.1176862700.000001F26D790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000006.00000002.1189940595.000002DB88060000.00000002.00000001.sdmp | Binary or memory string: hProgram ManagerWE
        Source: explorer.exe, 00000004.00000000.1144710895.0000000001170000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000005.00000000.1176862700.000001F26D790000.00000002.00000001.sdmp, RuntimeBroker.exe, 00000006.00000002.1189940595.000002DB88060000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: wCBF18f9qE.exe, 00000001.00000002.1147861423.0000000001BB7000.00000004.00000001.sdmp | Binary or memory string: 64RtlSetUnhandledExceptionFilterSystemRoot%08X-%04X-%04X-%04X-%08X%04X{%08X-%04X-%04X-%04X-%08X%04X}*.*LdrGetProcedureAddressADVAPI32.DLLRtlExitUserThreadCreateRemoteThreadZwWriteVirtualMemoryLdrLoadDllZwProtectVirtualMemorykernelbaseLdrRegisterDllNotificationLdrUnregisterDllNotificationCreateProcessAsUserA.exe\%TEMP%\LowCreateProcessACreateProcessWCreateProcessAsUserW"%S" "%S"runascmd.exe/C "copy "%s" "%s" /y && rundll32 "%s",%S"version=%u&soft=%u&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s/C "copy "%s" "%s" /y && "%s" "%s""Low\ProgManMicrosoftIsWow64ProcessWow64EnableWow64FsRedirectionD:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)DllRegisterServer
        Source: explorer.exe, 00000004.00000002.1193540839.0000000000A30000.00000004.00000020.sdmp | Binary or memory string: Progman{
        Source: explorer.exe, 00000004.00000002.1193540839.0000000000A30000.00000004.00000020.sdmp | Binary or memory string: PProgmancci\Ap

        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00872086
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: EnumSystemLocalesW,0_2_008719C0
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: EnumSystemLocalesW,0_2_00871AA6
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: EnumSystemLocalesW,0_2_00871A0B
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: GetLocaleInfoW,0_2_0086ABBA
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00871B33
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: GetLocaleInfoW,0_2_00871D83
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: EnumSystemLocalesW,0_2_0086A5F8
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00871EAC
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: GetLocaleInfoW,0_2_00871FB3
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00871748
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,1_2_00872086
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: EnumSystemLocalesW,1_2_008719C0
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: EnumSystemLocalesW,1_2_00871AA6
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: EnumSystemLocalesW,1_2_00871A0B
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: GetLocaleInfoW,1_2_0086ABBA
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,1_2_00871B33
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: GetLocaleInfoW,1_2_00871D83
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: EnumSystemLocalesW,1_2_0086A5F8
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_00871EAC
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: GetLocaleInfoW,1_2_00871FB3
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,1_2_00871748
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_0085C2FB cpuid 0_2_0085C2FB
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 0_2_0085C12A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_0085C12A
        Source: C:\Windows\System32\svchost.exe | Code function: 3_2_00D919A0 CreateMutexExA,GetUserNameA,CreateThread,CreateThread,3_2_00D919A0
        Source: C:\Users\user\Desktop\wCBF18f9qE.exe | Code function: 1_2_01BB296E CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,1_2_01BB296E

        Lowering of HIPS / PFW / Operating System Security Settings:

        Overwrites Mozilla Firefox settings
        Source: C:\Windows\explorer.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\prefs.js

        Stealing of Sensitive Information:

        Yara detected Ursnif
        Source: Yara match | File source: 00000003.00000003.1142889095.0000021D4F0D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.1192031354.000001F270030000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1174299430.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.1211072572.00000000059A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2928, type: MEMORY
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2416, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3552, type: MEMORY
        Tries to harvest and steal browser information (history, passwords, etc)
        Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\6c4zjj0s.default\prefs.js

        Remote Access Functionality:

        Yara detected Ursnif
        Source: Yara match | File source: 00000003.00000003.1142889095.0000021D4F0D0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000005.00000002.1192031354.000001F270030000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000003.00000002.1174299430.0000000000DB0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: 00000004.00000002.1211072572.00000000059A0000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2928, type: MEMORY
        Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2416, type: MEMORY
        Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3552, type: MEMORY

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | ---
        Valid Accounts | Execution through API1 | Application Shimming1 | Process Injection912 | Masquerading1 | Credential Dumping1 | System Time Discovery1 | Application Deployment Software | Man in the Browser1 | Data Encrypted1 | Standard Cryptographic Protocol1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
        Replication Through Removable Media | Service Execution | Registry Run Keys / Startup Folder1 | Application Shimming1 | Software Packing1 | Network Sniffing | Process Discovery2 | Remote Services | Data from Local System1 | Exfiltration Over Other Network Medium | Connection Proxy1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        External Remote Services | Windows Management Instrumentation | Accessibility Features | Path Interception | Process Injection912 | Input Capture | Peripheral Device Discovery1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Custom Cryptographic Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Deobfuscate/Decode Files or Information1 | Credentials in Files | Account Discovery1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap |  | Premium SMS Toll Fraud
        Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information2 | Account Manipulation | System Owner/User Discovery1 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
        Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Connection Proxy1 | Brute Force | Security Software Discovery121 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service |  | Abuse Accessibility Features
        Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Software Packing | Two-Factor Authentication Interception | File and Directory Discovery2 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
        Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Indicator Blocking | Bash History | System Information Discovery23 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue

        Behavior Graph

        Behavior Graph ID: 232329 | Sample: wCBF18f9qE | Start date: 22/05/2020 | Architecture: WINDOWS | Score: 100
        [Behavior graph image not available; the process chain and per-node signatures it shows, as recovered from the graph text:]
        • Start node: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 5 other signatures
        • wCBF18f9qE.exe (started): Contains functionality to inject code into remote processes; Injects a PE file into a foreign processes
        • wCBF18f9qE.exe (started, child of the above): Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); 2 other signatures
        • svchost.exe (started): Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); 2 other signatures
        • explorer.exe (injected): dropped C:\Users\user\AppData\Roaming\...\prefs.js (ASCII); Changes memory attributes in foreign processes to executable or writable; Overwrites Mozilla Firefox settings; Tries to harvest and steal browser information (history, passwords, etc); 6 other signatures
        • RuntimeBroker.exe (injected); RuntimeBroker.exe (injected)

        Screenshots

        Thumbnails

        This section contains all screenshots as thumbnails, including those not shown in the slideshow.