Analysis Report URGENT PRODUCTS WE NEED.pif.exe

Overview

General Information

Sample Name: URGENT PRODUCTS WE NEED.pif.exe
MD5: cacbd45701bb05bac8a5d1dbde770e02
SHA1: b77656cc8a0d352c56564c4be87331663dba5908
SHA256: 4f7a7b673cd661ed298c3b4265d9e67934c4f7df14d7a698f366cce81b4dd284

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • URGENT PRODUCTS WE NEED.pif.exe (PID: 5320 cmdline: 'C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe' MD5: CACBD45701BB05BAC8A5D1DBDE770E02)
    • schtasks.exe (PID: 4064 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oayNIZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 3248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • URGENT PRODUCTS WE NEED.pif.exe (PID: 5372 cmdline: {path} MD5: CACBD45701BB05BAC8A5D1DBDE770E02)
      • explorer.exe (PID: 2928 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
        • autofmt.exe (PID: 2936 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 799DAC47499E80129D45A4818CF75657)
        • netsh.exe (PID: 4684 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 620 cmdline: /c del 'C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.824263527.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.824263527.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.824263527.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.825503008.0000000001330000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.825503008.0000000001330000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17629:$sqlite3step: 68 34 1C 7B E1
  • 0x1773c:$sqlite3step: 68 34 1C 7B E1
  • 0x17658:$sqlite3text: 68 38 2A 90 C5
  • 0x1777d:$sqlite3text: 68 38 2A 90 C5
  • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17793:$sqlite3blob: 68 53 D8 7F 8C
4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x149a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14491:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14aa7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1370c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa593:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19d17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ad1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oayNIZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oayNIZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe' , ParentImage: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe, ParentProcessId: 5320, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oayNIZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp', ProcessId: 4064

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: www.inrenuil-jp.com | Virustotal: Detection: 7%
Source: http://www.inrenuil-jp.com | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\oayNIZ.exe | Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Roaming\oayNIZ.exe | ReversingLabs: Detection: 16%
Multi AV Scanner detection for submitted file
Source: URGENT PRODUCTS WE NEED.pif.exe | ReversingLabs: Detection: 16%
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.824263527.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.825503008.0000000001330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.765968539.000000000422A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.825573581.0000000001360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.765735053.0000000004190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\oayNIZ.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: URGENT PRODUCTS WE NEED.pif.exe | Joe Sandbox ML: detected
Source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Source: unknown | DNS traffic detected: query: www.dztdjt.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.inrenuil-jp.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.herbalberkah.net replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.ferreteriaalinor.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: queries for: www.inrenuil-jp.com

Source: URGENT PRODUCTS WE NEED.pif.exe, 00000000.00000002.762375132.00000000011F0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.824263527.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.825503008.0000000001330000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.765968539.000000000422A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.825573581.0000000001360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.765735053.0000000004190000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000004.00000002.824263527.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.824263527.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.825503008.0000000001330000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.825503008.0000000001330000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.765968539.000000000422A000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.765968539.000000000422A000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.825573581.0000000001360000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.825573581.0000000001360000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.765735053.0000000004190000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.765735053.0000000004190000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 0_2_05470922 NtQuerySystemInformation,0_2_05470922
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 0_2_054708F1 NtQuerySystemInformation,0_2_054708F1
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_00419830 NtCreateFile,4_2_00419830
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_004198E0 NtReadFile,4_2_004198E0
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_00419960 NtClose,4_2_00419960
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_00419A10 NtAllocateVirtualMemory,4_2_00419A10
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_0041982B NtCreateFile,4_2_0041982B
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_004198DC NtReadFile,4_2_004198DC
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 0_2_02DD649D0_2_02DD649D
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 0_2_02DD02B80_2_02DD02B8
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 0_2_02DD72470_2_02DD7247
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 0_2_02DD167C0_2_02DD167C
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 0_2_02DD86C20_2_02DD86C2
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 0_2_02DD84780_2_02DD8478
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 0_2_02DD83D00_2_02DD83D0
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_004010304_2_00401030
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_0041C8A54_2_0041C8A5
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_0041DD064_2_0041DD06
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_00402D904_2_00402D90
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_0041CDBE4_2_0041CDBE
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_0041D7574_2_0041D757
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_00409F5C4_2_00409F5C
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_00409F604_2_00409F60
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exeCode function: 4_2_00402FB04_2_00402FB0
          Source: URGENT PRODUCTS WE NEED.pif.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: URGENT PRODUCTS WE NEED.pif.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: URGENT PRODUCTS WE NEED.pif.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: oayNIZ.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: oayNIZ.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: oayNIZ.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: URGENT PRODUCTS WE NEED.pif.exe | Binary or memory string: OriginalFilename vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe, 00000000.00000003.754556577.00000000056EF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamebKYsuRjoj.exe4 vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe, 00000000.00000002.764535634.0000000003190000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUserInterface.dll< vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe, 00000000.00000002.766976877.0000000005330000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe, 00000000.00000002.762375132.00000000011F0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe, 00000000.00000002.767713129.0000000005F90000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe, 00000000.00000002.767964180.0000000006090000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe, 00000000.00000002.767964180.0000000006090000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe | Binary or memory string: OriginalFilename vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe, 00000004.00000002.826176625.000000000153F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe, 00000004.00000002.824834344.0000000000AC2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamebKYsuRjoj.exe4 vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe, 00000004.00000002.824461518.0000000000A32000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameUserInterface.dll< vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe, 00000004.00000002.825705414.00000000013B9000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe | Binary or memory string: OriginalFilenameUserInterface.dll< vs URGENT PRODUCTS WE NEED.pif.exe
          Source: URGENT PRODUCTS WE NEED.pif.exe | Binary or memory string: OriginalFilenamebKYsuRjoj.exe4 vs URGENT PRODUCTS WE NEED.pif.exe
          Matched Yara rules (each of the seven sources listed below matched both rules):
            Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Sources:
            Source: 00000004.00000002.824263527.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: 00000004.00000002.825503008.0000000001330000.00000040.00000001.sdmp, type: MEMORY
            Source: 00000000.00000002.765968539.000000000422A000.00000004.00000001.sdmp, type: MEMORY
            Source: 00000004.00000002.825573581.0000000001360000.00000040.00000001.sdmp, type: MEMORY
            Source: 00000000.00000002.765735053.0000000004190000.00000004.00000001.sdmp, type: MEMORY
            Source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.unpack, type: UNPACKEDPE
            Source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: URGENT PRODUCTS WE NEED.pif.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: oayNIZ.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/4@4/0
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Code function: 0_2_054707A6 AdjustTokenPrivileges
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Code function: 0_2_0547076F AdjustTokenPrivileges
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | File created: C:\Users\user\AppData\Roaming\oayNIZ.exe
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Mutant created: \Sessions\1\BaseNamedObjects\sTPrquTdO
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5556:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3248:120:WilError_01
          (The two WilError_01 mutants are the standard per-process error-reporting mutexes that every conhost.exe creates; the sample-specific mutex is sTPrquTdO.)
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | File created: C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp
          Source: URGENT PRODUCTS WE NEED.pif.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\netsh.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: URGENT PRODUCTS WE NEED.pif.exe | ReversingLabs: Detection: 16%
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | File read: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe
          Source: unknown | Process created: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe 'C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oayNIZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe {path}
          Source: unknown | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oayNIZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp'
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Process created: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe {path}
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe'
          ({path} is the report's placeholder for the sample's own path: the first instance (process 0) starts a second copy of itself (process 4), and it is that second instance whose memory at 0x400000 carries the unpacked FormBook image matched by the Yara rules. The closing cmd /c del is issued by netsh.exe rather than by the sample, so the self-deletion is performed from the injected host process.)
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
          Source: URGENT PRODUCTS WE NEED.pif.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: URGENT PRODUCTS WE NEED.pif.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000000.802957682.000000000D5B0000.00000002.00000001.sdmp
          Source: Binary string: netsh.pdb | source: URGENT PRODUCTS WE NEED.pif.exe, 00000004.00000002.825669397.00000000013A0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP | source: URGENT PRODUCTS WE NEED.pif.exe, 00000004.00000002.825721042.0000000001420000.00000040.00000001.sdmp
          Source: Binary string: netsh.pdbGCTL | source: URGENT PRODUCTS WE NEED.pif.exe, 00000004.00000002.825669397.00000000013A0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb | source: URGENT PRODUCTS WE NEED.pif.exe, 00000004.00000002.825721042.0000000001420000.00000040.00000001.sdmp
          Source: Binary string: mscorrc.pdb | source: URGENT PRODUCTS WE NEED.pif.exe, 00000000.00000002.766976877.0000000005330000.00000002.00000001.sdmp
          Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000000.802957682.000000000D5B0000.00000002.00000001.sdmp

          Data Obfuscation:

          .NET source code contains method to dynamically call methods (often used by packers)
          Source: URGENT PRODUCTS WE NEED.pif.exe, PokerGame/XXXWWW.cs | .Net Code: LateBinding.LateCall(V_3, null, "Invoke", new object[] { null, new object[] { J4.p, "PokerGame" } }, null, null)
          Source: oayNIZ.exe.0.dr, PokerGame/XXXWWW.cs | .Net Code: LateBinding.LateCall(V_3, null, "Invoke", new object[] { null, new object[] { J4.p, "PokerGame" } }, null, null)
          Source: 0.2.URGENT PRODUCTS WE NEED.pif.exe.ac0000.0.unpack, PokerGame/XXXWWW.cs | .Net Code: LateBinding.LateCall(V_3, null, "Invoke", new object[] { null, new object[] { J4.p, "PokerGame" } }, null, null)
          Source: 4.0.URGENT PRODUCTS WE NEED.pif.exe.a30000.0.unpack, PokerGame/XXXWWW.cs | .Net Code: LateBinding.LateCall(V_3, null, "Invoke", new object[] { null, new object[] { J4.p, "PokerGame" } }, null, null)
          Source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.a30000.1.unpack, PokerGame/XXXWWW.cs | .Net Code: LateBinding.LateCall(V_3, null, "Invoke", new object[] { null, new object[] { J4.p, "PokerGame" } }, null, null)
          (LateBinding.LateCall is the Visual Basic late-bound call helper in Microsoft.VisualBasic.CompilerServices. Calling "Invoke" on V_3 with the argument array { null, { J4.p, "PokerGame" } } is a reflection-style MethodInfo.Invoke of a static method, with the target method and its arguments resolved only at run time, so the called method never appears as a direct reference in the assembly's metadata. The same stub is present unchanged in the dropped copy oayNIZ.exe.)
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Code function: 4_2_0041DD06 push edi; ret at 4_2_0041E240
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Code function: 4_2_0041C6F2 push eax; ret at 4_2_0041C6F8
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Code function: 4_2_0041C6FB push eax; ret at 4_2_0041C762
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Code function: 4_2_0041C6A5 push eax; ret at 4_2_0041C6F8
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Code function: 4_2_0041C75C push eax; ret at 4_2_0041C762
          Source: initial sample | Static PE information: section name: .text entropy: 7.7706370331
          Source: initial sample | Static PE information: section name: .text entropy: 7.7706370331
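The ".text entropy: 7.77" line is the result of a Shannon-entropy measurement over the section's raw bytes; for a .NET stub, whose .text normally holds IL plus metadata and reads well below 7, a value that high is what an embedded compressed or encrypted payload looks like. The following is an added example of that measurement, not Joe Sandbox's own code. It needs only the standard library; section_report() additionally assumes pefile is installed and is not exercised by the offline check. The 7.2 cut-off is this example's assumption, not a value from the report.

```python
"""Per-section Shannon entropy, the measurement behind a '.text entropy: 7.77' line.

Added example, not Joe Sandbox's implementation. Only the standard library is
needed for the measurement; section_report() additionally needs pefile.
The PACKED_THRESHOLD value is an assumption used for triage, not a report value.
"""
import math
from collections import Counter

PACKED_THRESHOLD = 7.2   # assumption: common triage cut-off; native x86 code usually lands around 5.5-6.8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_section(name: str, data: bytes) -> dict:
    """Label a section by entropy; 'packed/encrypted' means: unpack it or dump it from memory."""
    h = shannon_entropy(data)
    if h >= PACKED_THRESHOLD:
        verdict = "packed/encrypted"
    elif h < 1.0:
        verdict = "mostly padding"
    else:
        verdict = "plain code/data"
    return {"section": name, "size": len(data), "entropy": round(h, 4), "verdict": verdict}


def section_report(path: str) -> list:
    """Run classify_section over every section of a PE on disk (requires pefile; Windows not required)."""
    import pefile
    pe = pefile.PE(path, fast_load=True)
    return [classify_section(s.Name.rstrip(b"\0").decode("ascii", "replace"), s.get_data())
            for s in pe.sections]


# Constructed inputs standing in for section contents (no bytes from the real sample).
UNIFORM = bytes(range(256)) * 16           # every byte value equally often -> exactly 8.0
PADDING = b"\0" * 4096                     # a single value                 -> 0.0
TEXTISH = b"mov eax, [ebp+8]\n" * 256      # repetitive ASCII               -> low, but above 1.0
```

The point of the verdict is where to look next: a .text section at 7.77 tells you the interesting code is not what the disassembler shows on disk, which is consistent with the Yara hits in this report landing on the unpacked image at 0x400000 in process 4 rather than on the file. A low-entropy .text with high-entropy resources or overlay points at a different unpacking path, so run the check on every section rather than only .text.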

          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | File created: C:\Users\user\AppData\Roaming\oayNIZ.exe

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oayNIZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp'
          (The task definition is not given on the command line but read from tmp2AAD.tmp, an XML file the sample wrote to the user's Temp directory moments earlier; the task name Updates\oayNIZ matches the copy of the sample dropped as C:\Users\user\AppData\Roaming\oayNIZ.exe. This XML-from-Temp pattern is what the Sigma rule "Scheduled temp file as task from temp location" in the overview fires on.)
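The process list above, together with this scheduled-task line, describes one chain: the stub registers a task from a Temp XML, re-launches its own image, the payload ends up in explorer.exe, explorer.exe starts two argument-less SysWOW64 tools, and netsh.exe removes the original file. The following is an added example of triaging such a tree automatically, not a Joe Sandbox rule set; the four rules are this example's own, and TREE is reconstructed from the report's "Process created" lines (the parents of netsh.exe and autofmt.exe, which the list gives as "unknown", are taken from the behaviour graph, where explorer.exe starts both).

```python
"""Triage a sandbox process tree for the persistence and clean-up chain seen in the report.

Added example; the rules are this example's own, not Joe Sandbox's Sigma rules.
TREE mirrors the report's process list; the explorer.exe parent for netsh.exe
and autofmt.exe comes from the behaviour graph.
"""
import re
from pathlib import PureWindowsPath

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def tokens(cmdline: str) -> list:
    """Split a command line, honouring the single quotes the report puts around paths."""
    return [t.strip("'\"") for t in re.findall(r"'[^']*'|\"[^\"]*\"|\S+", cmdline)]


def image(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def rule_task_from_temp_xml(parent, toks):
    """schtasks /Create whose /XML definition lives in a temp directory."""
    if image(toks[0]) != "schtasks.exe" or "/create" not in (t.lower() for t in toks):
        return None
    opts = {t.lower(): (toks[i + 1] if i + 1 < len(toks) else "")
            for i, t in enumerate(toks) if t.startswith("/")}
    xml = opts.get("/xml", "")
    if any(m in xml.lower() for m in TEMP_MARKERS):
        return f"task {opts.get('/tn', '?')} registered from temp XML {xml}"
    return None


def rule_self_reexec(parent, toks):
    """A process starting a second copy of its own image (the RunPE/crypter pattern)."""
    return "re-executes its own image" if parent.lower() == toks[0].lower() else None


def rule_bare_syswow64_child_of_explorer(parent, toks):
    """explorer.exe launching a 32-bit system tool with no arguments: an injection host."""
    if image(parent) == "explorer.exe" and len(toks) == 1 and "\\syswow64\\" in toks[0].lower():
        return f"explorer.exe started {image(toks[0])} with no arguments"
    return None


def rule_lolbin_deletes_sample(parent, toks, sample):
    """cmd /c del of the original sample, spawned by something other than the sample."""
    if image(toks[0]) == "cmd.exe" and "del" in (t.lower() for t in toks) and toks[-1].lower() == sample.lower():
        return f"{image(parent)} removed the original sample via cmd /c del"
    return None


def triage(sample: str, tree) -> list:
    findings = []
    for parent, cmdline in tree:
        toks = tokens(cmdline)
        hits = {
            "task_from_temp_xml": rule_task_from_temp_xml(parent, toks),
            "self_reexec": rule_self_reexec(parent, toks),
            "bare_syswow64_child_of_explorer": rule_bare_syswow64_child_of_explorer(parent, toks),
            "lolbin_deletes_sample": rule_lolbin_deletes_sample(parent, toks, sample),
        }
        findings += [{"rule": r, "parent": parent, "child": toks[0], "detail": d} for r, d in hits.items() if d]
    return findings


SAMPLE = r"C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe"
EXPLORER = r"C:\Windows\explorer.exe"
TREE = [  # (parent image, child command line) as the report shows them
    (SAMPLE, r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oayNIZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp'"),
    (SAMPLE, "'" + SAMPLE + "'"),                     # the report's '{path}' placeholder
    (r"C:\Windows\SysWOW64\schtasks.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (EXPLORER, r"C:\Windows\SysWOW64\netsh.exe"),
    (EXPLORER, r"C:\Windows\SysWOW64\autofmt.exe"),
    (r"C:\Windows\SysWOW64\netsh.exe", r"C:\Windows\SysWOW64\cmd.exe /c del '" + SAMPLE + "'"),
]
```

Each rule on its own has benign matches (installers register tasks from Temp, and explorer.exe starts plenty of tools), which is why triage() returns the parent/child pair with every hit: the combination of a Temp-XML task, a self re-execution and a system tool deleting the original file, all in one tree, is what separates this from noise.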

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x88 0x83 0x31
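The sandbox found this hook by comparing the first bytes of user32!PeekMessageA inside explorer.exe with the unmodified function. Note that the replacement bytes it reports, 48 8B B8 88 83 31, are not one of the classic jmp trampolines (E9 rel32, FF 25 [rip+disp32], push/ret), so a scanner that only pattern-matches jumps would miss this hook; diffing the in-memory prolog against the on-disk image catches any change. The following is an added example of that diff, not the sandbox's detector. classify_patch() and compare_prolog() are plain Python; scan_exports() is Windows-only, reads the prologs of the current process, and assumes pefile is installed. The "clean" prolog bytes are constructed for the demonstration and are not PeekMessageA's real prolog.

```python
"""Find user-mode inline hooks by diffing function prologs against the on-disk image.

Added example, not the sandbox's detector. The trampoline table is this example's
own. scan_exports() is Windows-only and assumes pefile is installed; the other
functions run anywhere.
"""
import struct
from typing import Optional, Tuple

PROLOG_BYTES = 16   # enough to cover the 5- to 14-byte trampolines below


def classify_patch(code: bytes) -> Tuple[str, Optional[int]]:
    """Name the trampoline when it is a common one; anything else is still a modification."""
    if len(code) >= 5 and code[0] == 0xE9:                                            # jmp rel32
        return "jmp rel32", struct.unpack_from("<i", code, 1)[0]
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                                    # jmp [rip+disp32] / jmp [abs32]
        return "jmp [rip+disp32]", struct.unpack_from("<i", code, 2)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":    # mov rax, imm64; jmp rax
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:                       # push imm32; ret
        return "push imm32; ret", struct.unpack_from("<I", code, 1)[0]
    return "unrecognised patch", None


def compare_prolog(on_disk: bytes, in_memory: bytes, n: int = PROLOG_BYTES) -> Optional[dict]:
    """None when the first n bytes agree; otherwise where and how they differ."""
    disk, mem = on_disk[:n], in_memory[:n]
    if disk == mem:
        return None
    first_diff = next((i for i, (a, b) in enumerate(zip(disk, mem)) if a != b), min(len(disk), len(mem)))
    kind, operand = classify_patch(mem)
    return {"kind": kind, "operand": operand, "first_diff": first_diff,
            "disk": disk.hex(), "memory": mem.hex()}


def scan_exports(module: str, names, n: int = PROLOG_BYTES) -> dict:
    """Windows only: compare the live prolog of each named export in this process with the file on disk."""
    import ctypes
    import pefile
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.LoadLibraryW.restype, k32.LoadLibraryW.argtypes = ctypes.c_void_p, [ctypes.c_wchar_p]
    k32.GetProcAddress.restype, k32.GetProcAddress.argtypes = ctypes.c_void_p, [ctypes.c_void_p, ctypes.c_char_p]
    k32.GetModuleFileNameW.argtypes = [ctypes.c_void_p, ctypes.c_wchar_p, ctypes.c_uint32]
    handle = k32.LoadLibraryW(module)
    path = ctypes.create_unicode_buffer(260)
    k32.GetModuleFileNameW(handle, path, 260)
    pe = pefile.PE(path.value, fast_load=True)
    pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY["IMAG E_DIRECTORY_ENTRY_EXPORT".replace(" ", "")]])
    on_disk = {e.name.decode(): pe.get_data(e.address, n)
               for e in pe.DIRECTORY_ENTRY_EXPORT.symbols if e.name and not e.forwarder}
    results = {}
    for name in names:
        addr = k32.GetProcAddress(handle, name.encode())
        if addr and name in on_disk:
            results[name] = compare_prolog(on_disk[name], ctypes.string_at(addr, n), n)
    return results


# Constructed bytes for the offline demonstration (not PeekMessageA's real prolog).
CLEAN_PROLOG = bytes.fromhex("4883ec384c8bdc498b4308") + b"\x90" * 5
HOOKED_PROLOG = b"\xE9\x10\x20\x30\x00" + CLEAN_PROLOG[5:]   # jmp rel32 planted over the first 5 bytes
REPORTED_BYTES = bytes.fromhex("488bb8888331")                 # the six bytes the report shows for PeekMessageA
```

Two caveats apply when this is run for real. First, the hook in this report lives in explorer.exe, so an external scanner reads the target's memory with ReadProcessMemory rather than its own address space; the comparison logic is the same. Second, a mismatch is a modification, not automatically malware: EDR agents, application-compatibility shims and hot-patched system DLLs also rewrite prologs, so the output is a list of functions to examine, and the operand (the jump target) tells you which module the detour lands in.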
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Process information set: NOOPENFILEERRORBOX (26 identical entries)
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\netsh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | RDTSC instruction interceptor: First address: 00000000004098B4 second address: 00000000004098BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | RDTSC instruction interceptor: First address: 0000000000409B1E second address: 0000000000409B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 00000000009698B4 second address: 00000000009698BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\netsh.exe | RDTSC instruction interceptor: First address: 0000000000969B1E second address: 0000000000969B24 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          (The two rdtsc instructions sit six bytes apart with only xor ecx, ecx / add ecx, eax between them, i.e. the code saves the low 32 bits of the first timestamp and immediately reads a second one; the check is on the delta. The same two code locations appear in the sample at 0x4098B4/0x409B1E and in netsh.exe at 0x9698B4/0x969B1E, offset by exactly 0x560000: the identical payload is running in both, relocated to netsh.exe's base.)
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Code function: 4_2_00409A50 rdtsc
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Thread delayed: delay time: 922337203685477
          (922337203685477 is Int64.MaxValue / 10^4: the largest relative interval expressible in the kernel's 100-ns units, converted to milliseconds. That is what Sleep(INFINITE) or Thread.Sleep(Timeout.Infinite) looks like after conversion, not a finite delay.)
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe TID: 5284 | Thread sleep time: -33000s >= -30000s
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe TID: 5288 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 3936 | Thread sleep count: 34 > 30
          Source: C:\Windows\explorer.exe TID: 3936 | Thread sleep time: -68000s >= -30000s
          Source: C:\Windows\SysWOW64\netsh.exe TID: 2988 | Thread sleep time: -75000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: explorer.exe, 00000005.00000000.793855193.0000000007F90000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000005.00000000.793855193.0000000007F90000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000005.00000000.793855193.0000000007F90000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000005.00000000.793855193.0000000007F90000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          (These four strings are found in explorer.exe's memory, not in the sample's, and are standard Windows error-message resources for the Hyper-V compute service. On their own they do not show the sample probing for Hyper-V; the RDTSC pairs and the sleeps above are the sample's actual evasion checks.)
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Process information queried: ProcessInformation

          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\netsh.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Code function: 4_2_00409A50 rdtsc
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Code function: 4_2_0040ADF0 LdrLoadDll
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

          Injects a PE file into a foreign process
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Memory written: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe base: 400000 value starts with: 4D5A
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Section loaded: unknown target: C:\Windows\SysWOW64\netsh.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\netsh.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Thread register set: target process: 2928
          Source: C:\Windows\SysWOW64\netsh.exe | Thread register set: target process: 2928
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Thread APC queued: target process: C:\Windows\explorer.exe
          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Section unmapped: C:\Windows\SysWOW64\netsh.exe base address: 1220000
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\oayNIZ' /XML 'C:\Users\user\AppData\Local\Temp\tmp2AAD.tmp'
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Process created: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe {path}
          Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe'
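Read together, the lines above describe three injections: the stub writes a PE (the 4D5A write at 0x400000) into a suspended second copy of itself; that copy maps an RWX section into explorer.exe and queues an APC there; and netsh.exe, started by explorer.exe, is unmapped at its base 0x1220000 and refilled with a new image, after which it in turn maps into explorer.exe and rewrites a thread context. Each primitive alone is ambiguous, and the sandbox reports them one line at a time; what identifies hollowing is the combination per target process. The following is an added example of that correlation, not a Joe Sandbox component. EVENTS is constructed to mirror this report: the pids are illustrative (the report names target 2928 without saying which process it is, and that is left as it is), and the event format is this example's own, not a sandbox export format.

```python
"""Correlate injection primitives per target process.

Added example, not a Joe Sandbox component. The event records are this example's
own format; EVENTS is constructed to mirror the report, with illustrative pids.
"""
from collections import defaultdict
from typing import Optional


def is_pe_header(data: bytes) -> bool:
    """'MZ' magic plus an e_lfanew that points at 'PE\\0\\0' (the report only saw the 4D5A)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def technique_for(kinds: set) -> Optional[str]:
    """Most specific chain first."""
    if "unmap_section" in kinds and kinds & {"write_pe_header", "map_section_rwx"}:
        return "process hollowing"                      # NtUnmapViewOfSection, then a new image
    if {"create_suspended", "write_pe_header", "set_thread_context"} <= kinds:
        return "process hollowing"                      # same effect without the unmap
    if "write_pe_header" in kinds:
        return "PE image written into foreign process"
    if "queue_apc" in kinds:
        return "APC injection"
    if "set_thread_context" in kinds:
        return "thread hijacking"
    if "map_section_rwx" in kinds:
        return "RWX section mapped into foreign process"
    return None


def correlate(events) -> dict:
    """Group primitives by target; return one finding per target that reaches a technique."""
    per_target = defaultdict(list)
    for ev in events:
        per_target[ev["target"]].append(ev)
    findings = {}
    for target, evs in per_target.items():
        kinds = {e["kind"] for e in evs}
        if any(e["kind"] == "write_memory" and is_pe_header(e["data"]) for e in evs):
            kinds.add("write_pe_header")                # a write only counts when it carries a PE
        technique = technique_for(kinds)
        if technique:
            findings[target] = {"technique": technique,
                                "sources": sorted({e["source"] for e in evs}),
                                "primitives": sorted(kinds)}
    return findings


# Constructed 100-byte DOS/PE header: 'MZ', e_lfanew = 0x40, 'PE\0\0' at 0x40.
FAKE_PE = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 0x20

SAMPLE, CHILD = "URGENT PRODUCTS WE NEED.pif.exe (pid 100)", "URGENT PRODUCTS WE NEED.pif.exe (pid 101)"
EXPLORER, NETSH = "explorer.exe (pid 102)", "netsh.exe (pid 103)"
EVENTS = [
    # stub -> its own second instance: created suspended, PE written at 0x400000 ('4D5A'), context set
    {"source": SAMPLE, "target": CHILD, "kind": "create_suspended"},
    {"source": SAMPLE, "target": CHILD, "kind": "write_memory", "base": 0x400000, "data": FAKE_PE},
    {"source": SAMPLE, "target": CHILD, "kind": "set_thread_context"},
    {"source": SAMPLE, "target": CHILD, "kind": "resume_thread"},
    # unpacked payload -> explorer.exe: RWX section mapped, APC queued
    {"source": CHILD, "target": EXPLORER, "kind": "map_section_rwx"},
    {"source": CHILD, "target": EXPLORER, "kind": "queue_apc"},
    # explorer.exe starts netsh.exe; the payload unmaps it at its base and maps its own image in
    {"source": EXPLORER, "target": NETSH, "kind": "create_suspended"},
    {"source": CHILD, "target": NETSH, "kind": "unmap_section", "base": 0x1220000},
    {"source": CHILD, "target": NETSH, "kind": "map_section_rwx"},
    # the hollowed netsh.exe reaches back into explorer.exe
    {"source": NETSH, "target": EXPLORER, "kind": "map_section_rwx"},
    {"source": NETSH, "target": EXPLORER, "kind": "set_thread_context"},
    # a plain data write with no PE header must not count as injection
    {"source": SAMPLE, "target": "conhost.exe (pid 104)", "kind": "write_memory", "base": 0x10000, "data": b"\0" * 64},
]
```

The sources list in each finding is worth reading as well as the technique: explorer.exe is touched by two different processes here, which is a stronger signal than any single primitive, and a write that does not start with a valid PE header is deliberately ignored so that ordinary cross-process writes (IPC buffers, shared sections) do not inflate the count.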
          Source: explorer.exe, 00000005.00000000.773362108.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.773362108.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.773362108.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Progman
          Source: explorer.exe, 00000005.00000000.773362108.00000000011C0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.772478644.0000000000BC0000.00000004.00000020.sdmp | Binary or memory string: Progman9

          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Code function: 0_2_010DB176 GetUserNameW
          Source: C:\Users\user\Desktop\URGENT PRODUCTS WE NEED.pif.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings:

          Uses netsh to modify the Windows network and firewall settings
          Source: unknown | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
          (The only evidence behind this signature is that netsh.exe was launched, with no arguments. The injection section above shows the same netsh.exe being unmapped at its base and loaded with an RWX section, and it is the process that later deletes the sample: it is serving as a hollowed host for the payload, and no firewall or network-configuration change is recorded anywhere in this report.)

          Stealing of Sensitive Information:

          Yara detected FormBook
          Source: Yara match | File source: 00000004.00000002.824263527.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.825503008.0000000001330000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.765968539.000000000422A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.825573581.0000000001360000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.765735053.0000000004190000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Remote Access Functionality:

          Yara detected FormBook
          Source: Yara match | File source: 00000004.00000002.824263527.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.825503008.0000000001330000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.765968539.000000000422A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.825573581.0000000001360000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.765735053.0000000004190000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.URGENT PRODUCTS WE NEED.pif.exe.400000.0.raw.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

          The original page renders this as the full ATT&CK grid, in which every cell carries a technique name and the techniques actually observed are marked with signature-count badges. Extraction flattened the grid and fused the badges onto the names (so "Process Injection512" is the technique name followed by badge digits, most likely several adjacent per-severity badges rather than a count of 512). Only the badged, i.e. observed, techniques are listed here, by tactic, with the badge digits as shown on the page:

          Initial Access: none observed
          Execution: Scheduled Task (1), Execution through Module Load (1)
          Persistence: Hooking (1), Scheduled Task (1)
          Privilege Escalation: Hooking (1), Access Token Manipulation (1), Process Injection (512), Scheduled Task (1)
          Defense Evasion: Rootkit (1), Masquerading (1), Software Packing (13), Disabling Security Tools (11), Virtualization/Sandbox Evasion (3), Access Token Manipulation (1), Process Injection (512), Obfuscated Files or Information (2)
          Credential Access: Hooking (1), Input Capture (1)
          Discovery: Virtualization/Sandbox Evasion (3), Process Discovery (2), Account Discovery (1), System Owner/User Discovery (1), Security Software Discovery (221), Remote System Discovery (1), File and Directory Discovery (1), System Information Discovery (12)
          Lateral Movement: none observed
          Collection: Input Capture (1)
          Exfiltration: Data Encrypted (1)
          Command and Control: Standard Cryptographic Protocol (1), Standard Non-Application Layer Protocol (1), Standard Application Layer Protocol (1)
          Network Effects, Remote Service Effects, Impact: none observed (mobile-only tactics in this matrix)

          Behavior Graph

Behavior Graph ID: 238831
Sample: URGENT PRODUCTS WE NEED.pif.exe
Startdate: 16/06/2020
Architecture: WINDOWS
Score: 100

Start (node 2), signatures:
• Multi AV Scanner detection for domain / URL
• Malicious sample detected (through community Yara rule)
• Multi AV Scanner detection for dropped file
• 10 other signatures

Process 10: URGENT PRODUCTS WE NEED.pif.exe (started by 2)
• Dropped: C:\Users\user\AppData\Roaming\oayNIZ.exe, PE32
• Dropped: C:\Users\user\...\oayNIZ.exe:Zone.Identifier, ASCII
• Dropped: C:\Users\user\AppData\Local\...\tmp2AAD.tmp, XML
• Dropped: C:\...\URGENT PRODUCTS WE NEED.pif.exe.log, ASCII
• Signature: Injects a PE file into a foreign processes
• Started: 14 URGENT PRODUCTS WE NEED.pif.exe; 17 schtasks.exe

Process 14: URGENT PRODUCTS WE NEED.pif.exe (started by 10)
• Signature: Modifies the context of a thread in another process (thread injection)
• Signature: Maps a DLL or memory area into another process
• Signature: Sample uses process hollowing technique
• Signature: Queues an APC in another process (thread injection)
• Injected into: 19 explorer.exe

Process 17: schtasks.exe (started by 10)
• Started: 22 conhost.exe

Process 19: explorer.exe (injected by 14)
• DNS/IP: www.inrenuil-jp.com
• DNS/IP: www.herbalberkah.net
• DNS/IP: 2 other IPs or domains
• Started: 24 netsh.exe; 27 autofmt.exe

Process 24: netsh.exe (started by 19)
• Signature: Modifies the context of a thread in another process (thread injection)
• 57
