
Analysis Report intersect.tgz

Overview

General Information

Sample Name: intersect.tgz (renamed file extension from tgz to exe)
Analysis ID: 287439
MD5: 67efc02e3e51fd306b69c5083206f106
SHA1: 7df946eef6d88294c8b56e1d42e2c209d2127218
SHA256: 3edfa92e944d223ddcd77ea1cab22c35f4534b74df5edb38b259ea17a9db71f0

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Creates a COM Internet Explorer object
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found evasive API chain checking for process token information
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Queries the installation date of Windows
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • intersect.exe (PID: 6688 cmdline: 'C:\Users\user\Desktop\intersect.exe' MD5: 67EFC02E3E51FD306B69C5083206F106)
    • intersect.exe (PID: 6724 cmdline: 'C:\Users\user\Desktop\intersect.exe' MD5: 67EFC02E3E51FD306B69C5083206F106)
  • iexplore.exe (PID: 6168 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 2792 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6168 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5292 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3212 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5292 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 4500 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5216 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4500 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 2836 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 1808 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2836 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000003.256816419.0000000002F98000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.256834746.0000000002F98000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.256708547.0000000002F98000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.256662781.0000000002F98000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000001.00000003.256684676.0000000002F98000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: intersect.exe | Avira: detected
Antivirus detection for URL or domain
Source: http://api10.laptok.at/api1/9f_2BZhM_2BD_2B2/xs20AKcKZsQE_2B/9YPzuBPsx2D1YU2ZXQ/tBkxiGH22/h8SMal23zUMV3HeeU6L1/0mSowaYoTV33fXLsILp/HkCPHWpSxBEkcoCXQFjchl/6uMWB3YaKwtrc/cgg59U4O/qSTy_2FpUjwxqvc_2BKB_2B/mNogxDDta_/2FGC_2B2_2BQSbef9/hQ400xnkSInK/rgLz_2BcVN8/jUtb_2Bm2tCtUQ/O2UrTv6GlU_2FTjDOZuBF/09JDTCO9bp45PcGD/p7I5tGFDHLJTIY_/0A_0DjJ_2Fw4wLjGL4/ODK_2F016/vZeeprdKic5ga_2Fbqe_/2BQ7Mw8W/oF8yw | Avira URL Cloud: Label: malware
Source: http://api10.laptok.at/api1/9f_2BZhM_2BD_2B2/xs20AKcKZsQE_2B/9YPzuBPsx2D1YU2ZXQ/tBkxiGH22/h8SMal23zU | Avira URL Cloud: Label: malware
Source: http://api10.laptok.at/api1/oNgEi06FjfalIuh_2FD3N5g/4QZA2XhWrH/FrY4X8UotpZiRVxZ_/2B_2Fnywl0D4/7mlTNL | Avira URL Cloud: Label: malware
Source: http://api10.laptok.at/api1/r1aDevbizxgI2/HlHAEZl0/o5mzLtqHvQRIbaxrQlxV045/sGFlBqfzle/1gKhxMpO2SCjyy | Avira URL Cloud: Label: malware
Source: http://api10.laptok.at/api1/oNgEi06FjfalIuh_2FD3N5g/4QZA2XhWrH/FrY4X8UotpZiRVxZ_/2B_2Fnywl0D4/7mlTNLNtFaF/iSVV6o6YMgC3yz/rp6EwfLTP82dDUTCWbFXC/fg_2BiN0YUBKqubv/EXro02Q5ZIvT2lz/mc4dCADDk6Fo1QE4c3/OZuCXhlGu/tL0w9qDLG52qBP_2FBUb/gDHKn7CHGnXgoIXAarp/ERmoBmwxL_2FKGndaZDCvt/3eA7XSmckqNUu/r6la9_2F/T1D4yaaCi_2BJhwpBx9b_0A/_0DYhzBFbo/FnevkwdsxarnIQMp5/bozwCn5H56J7/NkjeKr8k1mD/wpNSpwyyL2pWKgR/csXIJO | Avira URL Cloud: Label: malware
Source: http://api10.laptok.at/api1/au0UhAmu27zW0nUF4PkzOoQ/RNcQTyrYu3/AfdMgcB0Regomjh3a/uGX72yUFnBt6/Sq0Y2e | Avira URL Cloud: Label: malware
Source: http://api10.laptok.at/api1/r1aDevbizxgI2/HlHAEZl0/o5mzLtqHvQRIbaxrQlxV045/sGFlBqfzle/1gKhxMpO2SCjyyIgM/3h8lOjVudawg/IHSWMuoX9gz/I8NQ5iA6f_2FFL/5MUSQRb6PKBY0E0pTfCmW/wECJuAw4UTRFM_2F/8bq_2FUS0uqmMgM/EMpmlXMCczB8HoMfwD/WAOgD5AdV/JBvtrA_2BVgOhfOZWfjM/O_2BVqFznvfavl_2F65/QDxWxnv5PHyglob5ug72jy/7TC3LaBKzGRIA/9L3_0A_0/DhUzQVhhbkgf8EbmvNypliU/sK_2BS3x4b/u4tVA4ts1WSt_2Fn6/DwBTfpnOY8oR/J6VZw_2FVC/pbq | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: api10.laptok.at | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: intersect.exe | Virustotal: Detection: 57%
Source: intersect.exe | Metadefender: Detection: 23%
Source: intersect.exe | ReversingLabs: Detection: 31%
Machine Learning detection for sample
Source: intersect.exe | Joe Sandbox ML: detected
Source: 1.1.intersect.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.intersect.exe.21c0000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.intersect.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_0040646B FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A257FE Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\intersect.exe | Code function: 4x nop then sub esp, 20h | 0_2_021BB688
Source: C:\Users\user\Desktop\intersect.exe | Code function: 4x nop then sub esp, 20h | 0_2_021BB60E
Source: C:\Users\user\Desktop\intersect.exe | Code function: 4x nop then sub esp, 20h | 0_2_021BB702
Source: C:\Users\user\Desktop\intersect.exe | Code function: 4x nop then sub esp, 20h | 0_2_021BB77C

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\intersect.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\intersect.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\intersect.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\intersect.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\intersect.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\intersect.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\intersect.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\intersect.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\intersect.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\intersect.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\intersect.exe | Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Users\user\Desktop\intersect.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: Joe Sandbox View | IP Address: 8.208.101.13
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: global traffic | HTTP traffic detected:
    GET /api1/9f_2BZhM_2BD_2B2/xs20AKcKZsQE_2B/9YPzuBPsx2D1YU2ZXQ/tBkxiGH22/h8SMal23zUMV3HeeU6L1/0mSowaYoTV33fXLsILp/HkCPHWpSxBEkcoCXQFjchl/6uMWB3YaKwtrc/cgg59U4O/qSTy_2FpUjwxqvc_2BKB_2B/mNogxDDta_/2FGC_2B2_2BQSbef9/hQ400xnkSInK/rgLz_2BcVN8/jUtb_2Bm2tCtUQ/O2UrTv6GlU_2FTjDOZuBF/09JDTCO9bp45PcGD/p7I5tGFDHLJTIY_/0A_0DjJ_2Fw4wLjGL4/ODK_2F016/vZeeprdKic5ga_2Fbqe_/2BQ7Mw8W/oF8yw HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /api1/r1aDevbizxgI2/HlHAEZl0/o5mzLtqHvQRIbaxrQlxV045/sGFlBqfzle/1gKhxMpO2SCjyyIgM/3h8lOjVudawg/IHSWMuoX9gz/I8NQ5iA6f_2FFL/5MUSQRb6PKBY0E0pTfCmW/wECJuAw4UTRFM_2F/8bq_2FUS0uqmMgM/EMpmlXMCczB8HoMfwD/WAOgD5AdV/JBvtrA_2BVgOhfOZWfjM/O_2BVqFznvfavl_2F65/QDxWxnv5PHyglob5ug72jy/7TC3LaBKzGRIA/9L3_0A_0/DhUzQVhhbkgf8EbmvNypliU/sK_2BS3x4b/u4tVA4ts1WSt_2Fn6/DwBTfpnOY8oR/J6VZw_2FVC/pbq HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /api1/au0UhAmu27zW0nUF4PkzOoQ/RNcQTyrYu3/AfdMgcB0Regomjh3a/uGX72yUFnBt6/Sq0Y2eOCvE4/xP0JMwhUD3ZVxE/wpRVnESz9RMc29Cu26s6A/p_2FPnEE_2F9SS6k/uIdBk0vdbTg6RYu/S8rWLPEzz6Kpf_2Fsg/bo6JjgVun/mvQNJ1oxpA4AKfQErKrW/NkIwCHj58F1Tfs0zwA_/2ByzuuRM_2FgM4Lqjr08oP/73SpPKmsnUXdb/3FoRNajW/fjeUIreOS3XobG_0A_0DsoC/fa24WwNXzj/2Xwugv_2BYZYFIarm/maOHQn9HViKu/CWvt2htabWM/20nLCqsR0/fTZqemqm HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /api1/oNgEi06FjfalIuh_2FD3N5g/4QZA2XhWrH/FrY4X8UotpZiRVxZ_/2B_2Fnywl0D4/7mlTNLNtFaF/iSVV6o6YMgC3yz/rp6EwfLTP82dDUTCWbFXC/fg_2BiN0YUBKqubv/EXro02Q5ZIvT2lz/mc4dCADDk6Fo1QE4c3/OZuCXhlGu/tL0w9qDLG52qBP_2FBUb/gDHKn7CHGnXgoIXAarp/ERmoBmwxL_2FKGndaZDCvt/3eA7XSmckqNUu/r6la9_2F/T1D4yaaCi_2BJhwpBx9b_0A/_0DYhzBFbo/FnevkwdsxarnIQMp5/bozwCn5H56J7/NkjeKr8k1mD/wpNSpwyyL2pWKgR/csXIJO HTTP/1.1
    Accept: text/html, application/xhtml+xml, image/jxr, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host: api10.laptok.at
    Connection: Keep-Alive
Source: msapplication.xml1.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xcc01152d,0x01d68e11</date><accdate>0xcc01152d,0x01d68e11</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml1.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xcc01152d,0x01d68e11</date><accdate>0xcc01152d,0x01d68e11</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml6.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xcc05d9b1,0x01d68e11</date><accdate>0xcc05d9b1,0x01d68e11</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml6.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xcc05d9b1,0x01d68e11</date><accdate>0xcc05d9b1,0x01d68e11</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml8.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xcc083c1f,0x01d68e11</date><accdate>0xcc083c1f,0x01d68e11</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml8.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xcc083c1f,0x01d68e11</date><accdate>0xcc083c1f,0x01d68e11</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: api10.laptok.at
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Server: nginx
    Date: Fri, 18 Sep 2020 14:16:24 GMT
    Content-Type: text/html; charset=utf-8
    Transfer-Encoding: chunked
    Connection: close
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Data Raw: 36 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 00 95 26 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 40 11 1b 7d a8 34 c8 6c a0 22 28 2f 2f 3d 33 af 02 59 4e 1f 66 9a 3e d4 25 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a
    Data Ascii: 6a(HML),I310Q/Qp/K&T";Ct@}4l"(//=3YNf>%a30
Source: {F65CD732-FA04-11EA-90E8-ECF4BBEA1588}.dat.7.dr | String found in binary or memory: http://api10.laptok.at/api1/9f_2BZhM_2BD_2B2/xs20AKcKZsQE_2B/9YPzuBPsx2D1YU2ZXQ/tBkxiGH22/h8SMal23zU
Source: {1F3D00FD-FA05-11EA-90E8-ECF4BBEA1588}.dat.25.dr, ~DFA77D75748E0783DD.TMP.25.dr | String found in binary or memory: http://api10.laptok.at/api1/au0UhAmu27zW0nUF4PkzOoQ/RNcQTyrYu3/AfdMgcB0Regomjh3a/uGX72yUFnBt6/Sq0Y2e
Source: {2D602FDF-FA05-11EA-90E8-ECF4BBEA1588}.dat.29.dr | String found in binary or memory: http://api10.laptok.at/api1/oNgEi06FjfalIuh_2FD3N5g/4QZA2XhWrH/FrY4X8UotpZiRVxZ_/2B_2Fnywl0D4/7mlTNL
Source: {104CC7D9-FA05-11EA-90E8-ECF4BBEA1588}.dat.19.dr, ~DF1E72D314DAFDB1C7.TMP.19.dr | String found in binary or memory: http://api10.laptok.at/api1/r1aDevbizxgI2/HlHAEZl0/o5mzLtqHvQRIbaxrQlxV045/sGFlBqfzle/1gKhxMpO2SCjyy
Source: intersect.exe | String found in binary or memory: http://down.360safe.com/setup.exe.exe
Source: intersect.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: intersect.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: intersect.exe | String found in binary or memory: http://pinst.360.cn/360haohua/safe_chaoqiang.cab?
Source: msapplication.xml.7.dr | String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml2.7.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml3.7.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml4.7.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml5.7.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml6.7.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml7.7.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml8.7.dr | String found in binary or memory: http://www.youtube.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.256816419.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256834746.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256708547.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256662781.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256684676.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256750452.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256778291.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256639609.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: intersect.exe PID: 6724, type: MEMORY
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_0040535C GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 00000001.00000003.256816419.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256834746.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256708547.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256662781.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256684676.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256750452.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256778291.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000003.256639609.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: intersect.exe PID: 6724, type: MEMORY

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\intersect.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\intersect.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\intersect.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\intersect.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\intersect.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\intersect.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\intersect.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00401902 NtMapViewOfSection
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00401A78 GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A2143A NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A2B115 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_1_00401A78 GetProcAddress,NtCreateSection,memset
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_1_00401902 NtMapViewOfSection
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_00406945
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_0040711C
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_73261A98
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_021BD7D7
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A2AEF4
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A2639D
Source: intersect.exe | Static PE information: Resource name: RT_VERSION type: MIPSEB-LE MIPS-III ECOFF executable not stripped - version 0.79
Source: intersect.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: intersect.exe, 00000000.00000003.219788366.00000000028C6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs intersect.exe
Source: classification engine | Classification label: mal100.bank.troj.evad.winEXE@15/64@4/2
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_0040460D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A216E8 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_0040216B CoCreateInstance,MultiByteToWideChar
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Users\user\Desktop\intersect.exe | File created: C:\Users\user\AppData\Local\Temp\nsl71D.tmp
Source: intersect.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\intersect.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\intersect.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: intersect.exe | Virustotal: Detection: 57%
Source: intersect.exe | Metadefender: Detection: 23%
Source: intersect.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\intersect.exe | File read: C:\Users\user\Desktop\intersect.exe
Source: unknown | Process created: C:\Users\user\Desktop\intersect.exe 'C:\Users\user\Desktop\intersect.exe'
Source: unknown | Process created: C:\Users\user\Desktop\intersect.exe 'C:\Users\user\Desktop\intersect.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6168 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5292 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4500 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2836 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\intersect.exe | Process created: C:\Users\user\Desktop\intersect.exe 'C:\Users\user\Desktop\intersect.exe'
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6168 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5292 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4500 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2836 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\intersect.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: intersect.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: intersect.exe, 00000000.00000003.217513847.00000000027B0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: intersect.exe, 00000000.00000003.217513847.00000000027B0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\intersect.exe | Unpacked PE file: 1.2.intersect.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.ndata:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\intersect.exe | Unpacked PE file: 1.2.intersect.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_73261A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_73262F60 push eax; ret 0_2_73262F8E
Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_021BDA4D push 6567A5A7h; retf 0_2_021BDA5B
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A2E895 push 00000038h; retf 1_2_00A2E897
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A2AEE3 push ecx; ret 1_2_00A2AEF3
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A2E6C6 push ebp; ret 1_2_00A2E6C7
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A2ABB0 push ecx; ret 1_2_00A2ABB9
Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A2E548 push esi; retf 1_2_00A2E549
Drops PE files
Source: C:\Users\user\Desktop\intersect.exe | File created: C:\Users\user\AppData\Local\Temp\nsb818.tmp\System.dll

            Hooking and other Techniques for Hiding and Protection:

            Yara detected Ursnif
            Source: Yara match | File source: 00000001.00000003.256816419.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.256834746.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.256708547.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.256662781.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.256684676.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.256750452.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.256778291.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000003.256639609.0000000002F98000.00000004.00000040.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: intersect.exe PID: 6724, type: MEMORY
            Source: C:\Users\user\Desktop\intersect.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
            Source: C:\Users\user\Desktop\intersect.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\intersect.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\intersect.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\intersect.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\intersect.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\intersect.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Users\user\Desktop\intersect.exe | Check user administrative privileges: GetTokenInformation, DecisionNodes
            Source: C:\Users\user\Desktop\intersect.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_0040646B FindFirstFileA,FindClose, 0_2_0040646B
            Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_004058BF GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004058BF
            Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A257FE Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,FindCloseChangeNotification,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_00A257FE
            Source: C:\Users\user\Desktop\intersect.exe | API call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\intersect.exe | API call chain: ExitProcess graph end node
            Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_73261A98 GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_73261A98
            Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_021BC1D7 mov edx, dword ptr fs:[00000030h] 0_2_021BC1D7
            Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_021BD6C7 mov eax, dword ptr fs:[00000030h] 0_2_021BD6C7
            Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_021BD667 mov eax, dword ptr fs:[00000030h] 0_2_021BD667

            HIPS / PFW / Operating System Protection Evasion:

            Injects a PE file into a foreign process
            Source: C:\Users\user\Desktop\intersect.exe | Memory written: C:\Users\user\Desktop\intersect.exe base: 400000 value starts with: 4D5A
            Maps a DLL or memory area into another process
            Source: C:\Users\user\Desktop\intersect.exe | Section loaded: unknown target: C:\Users\user\Desktop\intersect.exe protection: execute and read and write
            Source: C:\Users\user\Desktop\intersect.exe | Process created: C:\Users\user\Desktop\intersect.exe 'C:\Users\user\Desktop\intersect.exe'
            Source: intersect.exe, 00000001.00000002.464164910.0000000000E90000.00000002.00000001.sdmp | Binary or memory string: Program Manager
            Source: intersect.exe, 00000001.00000002.464164910.0000000000E90000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
            Source: intersect.exe, 00000001.00000002.464164910.0000000000E90000.00000002.00000001.sdmp | Binary or memory string: Progman
            Source: intersect.exe, 00000001.00000002.464164910.0000000000E90000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A291E5 cpuid 1_2_00A291E5
            Source: C:\Users\user\Desktop\intersect.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 1_2_0040177A
            Source: C:\Users\user\Desktop\intersect.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 1_1_0040177A
            Source: C:\Users\user\Desktop\intersect.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_004017D0 GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 1_2_004017D0
            Source: C:\Users\user\Desktop\intersect.exe | Code function: 1_2_00A291E5 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 1_2_00A291E5
            Source: C:\Users\user\Desktop\intersect.exe | Code function: 0_2_00403348 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403348
            Source: C:\Users\user\Desktop\intersect.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected Ursnif

            Remote Access Functionality:

            Yara detected Ursnif

            Mitre Att&ck Matrix

            One row per ranked technique, one column per tactic; an empty cell means the report lists no further technique for that tactic. Digits after a technique name are the report's own per-technique signature counts, kept as they appear.

            Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
            Valid Accounts | Windows Management Instrumentation 2 | Path Interception | Access Token Manipulation 1 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
            Default Accounts | Native API 2 | Boot or Logon Initialization Scripts | Process Injection 212 | Virtualization/Sandbox Evasion 1 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Clipboard Data 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 3 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
            Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Access Token Manipulation 1 | Security Account Manager | Security Software Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
            Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Process Injection 212 | NTDS | Virtualization/Sandbox Evasion 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
            Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 2 | LSA Secrets | Process Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
            Replication Through Removable Media | Launchd | Rc.common | Rc.common | Software Packing 21 | Cached Domain Credentials | Account Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
            External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
            Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | File and Directory Discovery 2 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
            Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | System Information Discovery 36 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

            Behavior Graph
