
Analysis Report nazionale.bin

Overview

General Information

Sample Name: nazionale.bin (renamed file extension from bin to exe)
Analysis ID: 266882
MD5: 8f3156ba5435223bb30229eb2e2c4234
SHA1: cd2faa0ea08db2a1c9c430891c4a82304d3add57
SHA256: 8e5d52727fd76e7fc3078c8bc3607e8d0fc2b4d9eaf09de824c59f2ed26b0f21

Most interesting Screenshot:

Detection

Ursnif
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Yara detected Ursnif
Creates a COM Internet Explorer object
Machine Learning detection for sample
Maps a DLL or memory area into another process
Writes or reads registry keys via WMI
Writes registry values via WMI
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • nazionale.exe (PID: 6920 cmdline: 'C:\Users\user\Desktop\nazionale.exe' MD5: 8F3156BA5435223BB30229EB2E2C4234)
    • nazionale.exe (PID: 5436 cmdline: 'C:\Users\user\Desktop\nazionale.exe' MD5: 8F3156BA5435223BB30229EB2E2C4234)
  • iexplore.exe (PID: 6068 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5276 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6068 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4380 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1000 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4380 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4216 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3820 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4216 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "version": "250154", "uptime": "214ceL", "crc": "1", "id": "8988", "user": "4229768108f8d2d8cdc8873aaa86f1c9", "soft": "3"}

Yara Overview

Memory Dumps

Source                                                               Rule                Description           Author        Strings
00000004.00000003.323523949.00000000014D8000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security
00000004.00000003.323556179.00000000014D8000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security
00000004.00000003.323544358.00000000014D8000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security
00000004.00000003.323491935.00000000014D8000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security
00000004.00000003.323466900.00000000014D8000.00000004.00000040.sdmp  JoeSecurity_Ursnif  Yara detected Ursnif  Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: nazionale.exe.5436.4.memstr | Malware Configuration Extractor: Ursnif {"server": "12", "version": "250154", "uptime": "214ceL", "crc": "1", "id": "8988", "user": "4229768108f8d2d8cdc8873aaa86f1c9", "soft": "3"}
Machine Learning detection for sample
Source: nazionale.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_00406313 FindFirstFileA,FindClose,0_2_00406313
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004057D8
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_00402765 FindFirstFileA,0_2_00402765
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_004B1B81 CreateFileA,FindCloseChangeNotification,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,4_2_004B1B81
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4x nop then sub esp, 20h 0_2_0230A9B2
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4x nop then sub esp, 20h 0_2_0230A938
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4x nop then sub esp, 20h 0_2_0230A8BE
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4x nop then sub esp, 20h 0_2_0230AB20
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4x nop then sub esp, 20h 0_2_0230AAA6
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4x nop then sub esp, 20h 0_2_0230AA2C
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4x nop then sub esp, 20h 0_2_0230A84D

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\nazionale.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\nazionale.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\nazionale.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\nazionale.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\nazionale.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: global traffic | TCP traffic: 192.168.2.4:49734 -> 109.248.11.134:80
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 95.181.178.238:80
Source: msapplication.xml1.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb3729235,0x01d6736d</date><accdate>0xb3729235,0x01d6736d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb3729235,0x01d6736d</date><accdate>0xb3729235,0x01d6736d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb379b95a,0x01d6736d</date><accdate>0xb379b95a,0x01d6736d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb379b95a,0x01d6736d</date><accdate>0xb379b95a,0x01d6736d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb37c1bbf,0x01d6736d</date><accdate>0xb37c1bbf,0x01d6736d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.13.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb37c1bbf,0x01d6736d</date><accdate>0xb37c1bbf,0x01d6736d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: pop5.yahoo.com
Source: nazionale.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: nazionale.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: {F7DAE101-DF60-11EA-90E5-ECF4BBEA1588}.dat.21.dr | String found in binary or memory: http://pop5.yahoo.com/images/6O6RLa3hunuI/_2BItcI8ZPZ/1kAPY3yy_2Bywe/vMpJ3u_2FDVzndtuCo95H/OSOcNtjR3
Source: ~DFFA52E00F2E415B01.TMP.13.dr, {DE11168C-DF60-11EA-90E5-ECF4BBEA1588}.dat.13.dr | String found in binary or memory: http://pop5.yahoo.com/images/7eUBuihBOMcrlPYYzf/MfiHjqxFD/QNlpRgxhzxtb5N5t0v8S/IJI6SeiY6wdSh5RLKQa/N
Source: msapplication.xml.13.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.13.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.13.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.13.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.13.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.13.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.13.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.13.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.323523949.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323556179.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323544358.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323491935.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323466900.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323376822.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323440612.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323409799.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.490613326.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nazionale.exe PID: 5436, type: MEMORY
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_00405275 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405275

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.323523949.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323556179.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323544358.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323491935.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323466900.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323376822.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323440612.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323409799.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.490613326.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nazionale.exe PID: 5436, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\nazionale.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\nazionale.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\nazionale.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\nazionale.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\nazionale.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\nazionale.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\nazionale.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_004018B3 GetProcAddress,NtCreateSection,LdrInitializeThunk,memset,4_2_004018B3
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_004014BC LdrInitializeThunk,NtMapViewOfSection,4_2_004014BC
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_004B1AB7 LdrInitializeThunk,NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,4_2_004B1AB7
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_1_004018B3 GetProcAddress,NtCreateSection,LdrInitializeThunk,memset,4_1_004018B3
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_1_004014BC LdrInitializeThunk,NtMapViewOfSection,4_1_004014BC
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040326B
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_00406FC4 0_2_00406FC4
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_004067ED 0_2_004067ED
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_731A1A98 0_2_731A1A98
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_0230CA9B 0_2_0230CA9B
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_004B9421 4_2_004B9421
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_004BAE9C 4_2_004BAE9C
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_004B5D5B 4_2_004B5D5B
Source: nazionale.exe | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: nazionale.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nazionale.exe, 00000000.00000003.261374963.00000000029D6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs nazionale.exe
Source: classification engine | Classification label: mal92.bank.troj.evad.winEXE@12/36@7/2
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040326B
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_00404530 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404530
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar,0_2_00402138
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Users\user\Desktop\nazionale.exe | File created: C:\Users\user\AppData\Local\Temp\nslAA53.tmp
Source: nazionale.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nazionale.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\nazionale.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\nazionale.exe | File read: C:\Users\user\Desktop\nazionale.exe
Source: unknown | Process created: C:\Users\user\Desktop\nazionale.exe 'C:\Users\user\Desktop\nazionale.exe'
Source: unknown | Process created: C:\Users\user\Desktop\nazionale.exe 'C:\Users\user\Desktop\nazionale.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6068 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4380 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4216 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\nazionale.exe | Process created: C:\Users\user\Desktop\nazionale.exe 'C:\Users\user\Desktop\nazionale.exe'
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6068 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4380 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4216 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\nazionale.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: nazionale.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: nazionale.exe, 00000000.00000003.261165105.00000000028C0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: nazionale.exe, 00000000.00000003.261165105.00000000028C0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\nazionale.exe | Unpacked PE file: 4.2.nazionale.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\nazionale.exe | Unpacked PE file: 4.2.nazionale.exe.400000.0.unpack
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_731A1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_731A1A98
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_731A2F60 push eax; ret 0_2_731A2F8E
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_004BAAD0 push ecx; ret 4_2_004BAAD9
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_004BAE8B push ecx; ret 4_2_004BAE9B
Source: C:\Users\user\Desktop\nazionale.exe | File created: C:\Users\user\AppData\Local\Temp\nsbAB4E.tmp\System.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.323523949.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323556179.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323544358.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323491935.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323466900.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323376822.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323440612.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323409799.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.490613326.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nazionale.exe PID: 5436, type: MEMORY
Source: C:\Users\user\Desktop\nazionale.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\nazionale.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\nazionale.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\nazionale.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\nazionale.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\nazionale.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\nazionale.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\nazionale.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_00406313 FindFirstFileA,FindClose,0_2_00406313
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_004057D8 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004057D8
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_00402765 FindFirstFileA,0_2_00402765
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_004B1B81 CreateFileA,FindCloseChangeNotification,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,4_2_004B1B81
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_00401254 KiUserExceptionDispatcher,GetLongPathNameW,GetLongPathNameW,LdrInitializeThunk,LdrInitializeThunk,GetLongPathNameW,CreateThread,GetLastError,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError,4_2_00401254
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_731A1A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,0_2_731A1A98
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_0230C92B mov eax, dword ptr fs:[00000030h] 0_2_0230C92B
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_0230B49B mov edx, dword ptr fs:[00000030h] 0_2_0230B49B
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_0230C98B mov eax, dword ptr fs:[00000030h] 0_2_0230C98B
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_0040110E InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,4_2_0040110E
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_1_0040110E InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,4_1_0040110E

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\nazionale.exe | Section loaded: unknown target: C:\Users\user\Desktop\nazionale.exe protection: execute and read and write
Source: C:\Users\user\Desktop\nazionale.exe | Process created: C:\Users\user\Desktop\nazionale.exe 'C:\Users\user\Desktop\nazionale.exe'
Source: nazionale.exe, 00000004.00000002.490650744.0000000001880000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: nazionale.exe, 00000004.00000002.490650744.0000000001880000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: nazionale.exe, 00000004.00000002.490650744.0000000001880000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: nazionale.exe, 00000004.00000002.490650744.0000000001880000.00000002.00000001.sdmp | Binary or memory string: Program Manager[
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_004B12A7 cpuid 4_2_004B12A7
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_004013E4 LdrInitializeThunk,GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,4_2_004013E4
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 4_2_004B12A7 GetUserNameW,4_2_004B12A7
Source: C:\Users\user\Desktop\nazionale.exe | Code function: 0_2_0040326B EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040326B
Source: C:\Users\user\Desktop\nazionale.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000004.00000003.323523949.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323556179.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323544358.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323491935.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323466900.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323376822.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323440612.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.323409799.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.490613326.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: nazionale.exe PID: 5436, type: MEMORY

            Remote Access Functionality:

            Yara detected Ursnif
            Source: Yara match | File source: 00000004.00000003.323523949.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.323556179.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.323544358.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.323491935.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.323466900.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.323376822.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.323440612.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000003.323409799.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.490613326.00000000014D8000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: nazionale.exe PID: 5436, type: MEMORY

            MITRE ATT&CK Matrix

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation2 | Path Interception | Access Token Manipulation1 | Masquerading1 | OS Credential Dumping | System Time Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot1
            Default Accounts | Native API1 | Boot or Logon Initialization Scripts | Process Injection112 | Virtualization/Sandbox Evasion1 | LSASS Memory | Security Software Discovery1 | Remote Desktop Protocol | Clipboard Data1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Access Token Manipulation1 | Security Account Manager | Virtualization/Sandbox Evasion1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection112 | NTDS | Process Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information2 | LSA Secrets | Account Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing2 | Cached Domain Credentials | System Owner/User Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | File and Directory Discovery2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | System Information Discovery16 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue

            Behavior Graph
