
Analysis Report rJrqK2EyAU

Overview

General Information

Sample Name: rJrqK2EyAU (renamed file extension from none to exe)
Analysis ID: 276067
MD5: 074cec853c53b01f11bd8570be6529aa
SHA1: b31a1e0c8db95e865d44620fca6f52227772edcc
SHA256: 87c04cc74ea6e8958bcbc6319f7c1f8293d63ce4a2e34a3c99ba296e55fd0ff4

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Creates a COM Internet Explorer object
Machine Learning detection for sample
PE file has a writeable .text section
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • rJrqK2EyAU.exe (PID: 6720 cmdline: 'C:\Users\user\Desktop\rJrqK2EyAU.exe' MD5: 074CEC853C53B01F11BD8570BE6529AA)
  • iexplore.exe (PID: 6476 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 4088 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6476 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6940 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5784 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6940 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 2036 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 752 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2036 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"server": "12", "version": "250154", "uptime": "192ceLw", "crc": "1", "id": "8988", "user": "4229768108f8d2d8cdc8873acff01cf8", "soft": "3"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.277421606.00000000031E8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.277375165.00000000031E8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.277435653.00000000031E8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.277319301.00000000031E8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.277258561.00000000031E8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: rJrqK2EyAU.exe | Avira: detected
Found malware configuration
Source: rJrqK2EyAU.exe.6720.0.memstr | Malware Configuration Extractor: Ursnif {"server": "12", "version": "250154", "uptime": "192ceLw", "crc": "1", "id": "8988", "user": "4229768108f8d2d8cdc8873acff01cf8", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: gstat.rayzacastillo.com | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: rJrqK2EyAU.exe | Virustotal: Detection: 64%
Source: rJrqK2EyAU.exe | ReversingLabs: Detection: 77%
Machine Learning detection for sample
Source: rJrqK2EyAU.exe | Joe Sandbox ML: detected
Source: 0.0.rJrqK2EyAU.exe.400000.0.unpack | Avira: Label: TR/Casdet.bowts
Source: 0.2.rJrqK2EyAU.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_00AC1B81 CreateFileA,FindCloseChangeNotification,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: Joe Sandbox View | ASN Name: ASKONTELRU ASKONTELRU
Source: global traffic | TCP traffic: 192.168.2.4:49741 -> 109.248.11.134:80
Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 95.181.178.238:80
Source: msapplication.xml1.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x176258e7,0x01d67a4d</date><accdate>0x176258e7,0x01d67a4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x176258e7,0x01d67a4d</date><accdate>0x176258e7,0x01d67a4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x1764bb71,0x01d67a4d</date><accdate>0x1764bb71,0x01d67a4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x1764bb71,0x01d67a4d</date><accdate>0x1764bb71,0x01d67a4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x17671de4,0x01d67a4d</date><accdate>0x17671de4,0x01d67a4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.8.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x17671de4,0x01d67a4d</date><accdate>0x17671de4,0x01d67a4d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: pop5.yahoo.com
Source: {5BB532EA-E640-11EA-90E5-ECF4BBEA1588}.dat.20.dr | String found in binary or memory: http://pop5.yahoo.com/images/G8UoRVhlU1VEe9h_2/FpVCC0iiiBjG/m7u6W8xvO1P/Hk43jwdx_2Bk9M/OPhULEljrC6P_
Source: {4232EE3D-E640-11EA-90E5-ECF4BBEA1588}.dat.8.dr | String found in binary or memory: http://pop5.yahoo.com/images/Xtu4P_2BvPSZMO_/2Bk_2BJOlqskUQl91y/gVrIa8b58/rACspmhW20Q6tvYG5wnY/Y00fx
Source: msapplication.xml.8.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.8.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.8.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.8.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.8.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.8.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.8.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.8.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.277421606.00000000031E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.277375165.00000000031E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.277435653.00000000031E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.277319301.00000000031E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.277258561.00000000031E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.277344242.00000000031E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.277293309.00000000031E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.277396580.00000000031E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.474995744.00000000031E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: rJrqK2EyAU.exe PID: 6720, type: MEMORY
Source: rJrqK2EyAU.exe, 00000000.00000002.473657466.000000000067A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | same nine memory dumps and the rJrqK2EyAU.exe PID 6720 process memory space as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above

System Summary:

PE file has a writeable .text section
Source: rJrqK2EyAU.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_004018B3 GetProcAddress,NtCreateSection,memset,
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_004014BC NtMapViewOfSection,
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_00AC1AB7 LdrInitializeThunk,NtQueryInformationToken,NtQueryInformationToken,NtClose,NtClose,
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_00ACAE9C
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_00AC9421
Source: rJrqK2EyAU.exe, 00000000.00000000.206519953.000000000041D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameInteriorly0 vs rJrqK2EyAU.exe
Source: rJrqK2EyAU.exe | Binary or memory string: OriginalFilenameInteriorly0 vs rJrqK2EyAU.exe
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@10/34@8/2
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFB0DD79F0581A8153.TMP
Source: rJrqK2EyAU.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rJrqK2EyAU.exe | Virustotal: Detection: 64%
Source: rJrqK2EyAU.exe | ReversingLabs: Detection: 77%
Source: rJrqK2EyAU.exe | String found in binary or memory: HeapFreeXVirtualProtect+SetEvent/LoadLibraryExA GetFileAttributesExWZCreateSemaphoreA=lstrcmpW&UnhandledExceptionFilterJDeleteCriticalSectionIsBadReadPtr5FileTimeToSystemTime;GlobalAlloc#HeapCreateDGetCurrentThreadId3EnterCriticalSection
Source: unknown | Process created: C:\Users\user\Desktop\rJrqK2EyAU.exe 'C:\Users\user\Desktop\rJrqK2EyAU.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6476 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6940 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2036 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6476 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6940 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2036 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Unpacked PE file: 0.2.rJrqK2EyAU.exe.400000.0.unpack .text:EW;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Unpacked PE file: 0.2.rJrqK2EyAU.exe.400000.0.unpack
Source: rJrqK2EyAU.exe | Static PE information: real checksum: 0x2af84 should be: 0x2af77
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_00ACAE8B push ecx; ret
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_00ACAAD0 push ecx; ret

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | same nine memory dumps and the rJrqK2EyAU.exe PID 6720 process memory space as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe TID: 6836 | Thread sleep count: 54 > 30
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_00AC1B81 CreateFileA,FindCloseChangeNotification,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_004013E4 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_0040110E InitializeCriticalSection,TlsAlloc,RtlAddVectoredExceptionHandler,GetLastError,
Source: rJrqK2EyAU.exe, 00000000.00000002.474026794.0000000000F80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: rJrqK2EyAU.exe, 00000000.00000002.474026794.0000000000F80000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: rJrqK2EyAU.exe, 00000000.00000002.474026794.0000000000F80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: rJrqK2EyAU.exe, 00000000.00000002.474026794.0000000000F80000.00000002.00000001.sdmp | Binary or memory string: Program Manager[
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_00AC12A7 cpuid
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_004013E4 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,LdrInitializeThunk,MapViewOfFile,GetLastError,CloseHandle,GetLastError,
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_00AC12A7 GetUserNameW,
Source: C:\Users\user\Desktop\rJrqK2EyAU.exe | Code function: 0_2_00401D1B CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | same nine memory dumps and the rJrqK2EyAU.exe PID 6720 process memory space as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match | same nine memory dumps and the rJrqK2EyAU.exe PID 6720 process memory space as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above

Mitre Att&ck Matrix

Techniques per tactic column; the number in parentheses is the report's signature count for that technique, and techniques without a number are unhighlighted matrix cells.

  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
  • Execution: Windows Management Instrumentation (2), Command and Scripting Interpreter (2), At (Linux), At (Windows), Cron, Launchd, Scheduled Task
  • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
  • Privilege Escalation: Process Injection (2), Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items
  • Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (1), Process Injection (2), Obfuscated Files or Information (1), Software Packing (21), Steganography, Compile After Delivery
  • Credential Access: Input Capture (1), LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
  • Discovery: System Time Discovery (1), Virtualization/Sandbox Evasion (1), Process Discovery (1), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (2), System Information Discovery (14)
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
  • Collection: Input Capture (1), Archive Collected Data (1), Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
  • Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (1), Application Layer Protocol (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
  • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points
  • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
  • Impact: Modify System Partition, Device Lockout, Delete Device Data, Carrier Billing Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact

Behavior Graph

[Behavior graph image not reproduced. Graph ID: 276067; Sample: rJrqK2EyAU; Start date: 24/08/2020; Architecture: WINDOWS; Score: 100]

Nodes recoverable from the graph data:

  • Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Antivirus / Scanner detection for submitted sample; 4 other signatures
  • rJrqK2EyAU.exe started; signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Writes or reads registry keys via WMI; 2 other signatures
  • iexplore.exe started (three instances), each spawning a child iexplore.exe
  • gstat.rayzacastillo.com, 109.248.11.134, port 80, ASKONTELRU, Russian Federation
  • 95.181.178.238, port 80, NEOHOST-ASUA, Russian Federation
  • pop5.yahoo.com (entry truncated in the source)