
Analysis Report PtLUp4eFKp

Overview

General Information

Sample Name: PtLUp4eFKp (renamed file extension from none to exe)
Analysis ID: 297835
MD5: 8ca2ae6ba5d55eb76144d6d82a635fd4
SHA1: 0aef91a0009decb8ba191109c4ffa086800fa153
SHA256: 2e0b219c5ac3285a08e126f11c07ea3ac60bc96d16d37c2dc24dd8f68c492a74
Tags: C2, sandypaterson.com, gozi, invalidsignature, Elekon, isfb, ursnif


Detection

Ursnif
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • PtLUp4eFKp.exe (PID: 6640 cmdline: 'C:\Users\user\Desktop\PtLUp4eFKp.exe' MD5: 8CA2AE6BA5D55EB76144D6D82A635FD4)
  • iexplore.exe (PID: 6188 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5556 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6856 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6964 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6856 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 6064 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3564 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6064 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.313299990.0000000003570000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.377900250.0000000003570000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.313150912.0000000003570000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.313635375.0000000003570000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.313551433.0000000003570000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(30 further entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: PtLUp4eFKp.exe | Avira: detected
Multi AV Scanner detection for submitted file
Source: PtLUp4eFKp.exe | Virustotal: Detection: 22%
Source: PtLUp4eFKp.exe | ReversingLabs: Detection: 18%
Source: 0.2.PtLUp4eFKp.exe.1000000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_0102E6D1 FindFirstFileExA, 0_2_0102E6D1
Source: msapplication.xml0.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x5f41b6a7,0x01d6a258</date><accdate>0x5f41b6a7,0x01d6a258</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x5f41b6a7,0x01d6a258</date><accdate>0x5f41b6a7,0x01d6a258</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x5f467b76,0x01d6a258</date><accdate>0x5f467b76,0x01d6a258</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x5f467b76,0x01d6a258</date><accdate>0x5f467b76,0x01d6a258</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x5f48ddc4,0x01d6a258</date><accdate>0x5f48ddc4,0x01d6a258</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.17.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x5f48ddc4,0x01d6a258</date><accdate>0x5f48ddc4,0x01d6a258</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown | DNS traffic detected: queries for: sandypaterson.com
Source: unknown | HTTP traffic detected: POST /index.htm HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, */* Content-Type: multipart/form-data; boundary=b5476718fe295da7 Accept-Language: en-US User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: sandypaterson.com Content-Length: 732 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Wed, 14 Oct 2020 09:31:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 61 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5d 8e b1 0a c2 30 14 45 7f 25 64 e9 22 a4 42 70 d0 97 0c 0e 3a 08 0a 0e ee 69 f3 6c 42 63 1e c4 27 d5 bf b7 a5 50 c1 f5 de cb 39 17 02 3f 92 85 80 ce 5b e0 c8 09 ad ae b5 38 13 8b 03 bd b2 07 35 87 90 62 ee 45 c1 64 64 6c 29 4b 11 0a de 8d f4 8e dd 76 d7 b8 27 6e f4 2a de f6 97 eb 50 9f 8e 1d 19 69 41 cd d0 86 fc 47 34 5d 4b 89 8a a9 86 10 19 2b 0b 2d 66 c6 32 8a d7 ff be 31 01 b5 d4 65 99 e6 2e e6 f7 af 51 13 77 92 4c ff bf 6b c6 28 18 c6 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a1]0E%d"Bp:ilBc'P9?[85bEddl)Kv'n*PiAG4]K+-f21e.QwLk(0
Source: PtLUp4eFKp.exe, 00000000.00000003.377900250.0000000003570000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: PtLUp4eFKp.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: PtLUp4eFKp.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: PtLUp4eFKp.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: PtLUp4eFKp.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: PtLUp4eFKp.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: PtLUp4eFKp.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: PtLUp4eFKp.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: PtLUp4eFKp.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: PtLUp4eFKp.exe | String found in binary or memory: http://ocsp.digicert.com0A
Source: PtLUp4eFKp.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: PtLUp4eFKp.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: PtLUp4eFKp.exe, 00000000.00000003.377900250.0000000003570000.00000004.00000040.sdmp | String found in binary or memory: http://sandypaterson.com
Source: PtLUp4eFKp.exe, 00000000.00000003.468046237.0000000000615000.00000004.00000001.sdmp, ~DF74C3CBA6B07F4F9F.TMP.17.dr | String found in binary or memory: http://sandypaterson.com/index.htm
Source: {88E38102-0E4B-11EB-90E4-ECF4BB862DED}.dat.17.dr | String found in binary or memory: http://sandypaterson.com/index.htmRoot
Source: {88E38102-0E4B-11EB-90E4-ECF4BB862DED}.dat.17.dr | String found in binary or memory: http://sandypaterson.com/index.htmom/index.htm
Source: PtLUp4eFKp.exe, 00000000.00000003.377900250.0000000003570000.00000004.00000040.sdmp | String found in binary or memory: http://sandypaterson.comou
Source: msapplication.xml.17.dr | String found in binary or memory: http://www.amazon.com/
Source: PtLUp4eFKp.exe | String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: msapplication.xml1.17.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.17.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.17.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.17.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.17.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.17.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.17.dr | String found in binary or memory: http://www.youtube.com/
Source: PtLUp4eFKp.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: PtLUp4eFKp.exe | String found in binary or memory: https://www.digicert.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.313299990.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.377900250.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313150912.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313635375.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313551433.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313444212.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313521542.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312372024.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313096758.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312598436.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312671084.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313043847.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312295620.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312990571.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.474480567.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312211273.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313379527.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313341022.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312735589.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312523425.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313686479.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312126436.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313246617.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312038235.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313196766.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313479917.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313651237.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313613585.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313673973.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.313584616.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312449748.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312865548.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312803349.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.312923973.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PtLUp4eFKp.exe PID: 6640, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif (same memory dump matches as listed under Key, Mouse, Clipboard, Microphone and Screen Capturing)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_01001EC9 NtQueryVirtualMemory, 0_2_01001EC9
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_00425D95 memcpy, memcpy, lstrcatW, CreateEventA, NtQueryInformationProcess, CloseHandle, 0_2_00425D95
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_00429999 NtOpenProcessToken, NtQueryInformationToken, NtQueryInformationToken, memcpy, NtClose, RtlNtStatusToDosError, 0_2_00429999
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_00428793 RtlInitUnicodeString, NtClose, RtlNtStatusToDosError, 0_2_00428793
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_01001CA8 0_2_01001CA8
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_0042F230 0_2_0042F230
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_0042E73B 0_2_0042E73B
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_010349D7 0_2_010349D7
Source: PtLUp4eFKp.exe | Static PE information: invalid certificate
Source: PtLUp4eFKp.exe, 00000000.00000002.474144394.0000000000A80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename nlsbres.dll.muij% vs PtLUp4eFKp.exe
Source: PtLUp4eFKp.exe, 00000000.00000000.205053678.0000000001135000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename Villa.exeB vs PtLUp4eFKp.exe
Source: PtLUp4eFKp.exe, 00000000.00000002.474222735.0000000000EB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename mswsock.dll.muij% vs PtLUp4eFKp.exe
Source: PtLUp4eFKp.exe, 00000000.00000002.473758041.0000000000450000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename msvfw32.dll.muij% vs PtLUp4eFKp.exe
Source: PtLUp4eFKp.exe | Binary or memory string: OriginalFilename Villa.exeB vs PtLUp4eFKp.exe
Source: PtLUp4eFKp.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal88.troj.evad.winEXE@10/49@6/1
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | File created: C:\Users\user\AppData\Local\Temp\57A.bin
Source: PtLUp4eFKp.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: PtLUp4eFKp.exe | Virustotal: Detection: 22%
Source: PtLUp4eFKp.exe | ReversingLabs: Detection: 18%
Source: unknown | Process created: C:\Users\user\Desktop\PtLUp4eFKp.exe 'C:\Users\user\Desktop\PtLUp4eFKp.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6856 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6064 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6188 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6856 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6064 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: PtLUp4eFKp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PtLUp4eFKp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PtLUp4eFKp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PtLUp4eFKp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PtLUp4eFKp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PtLUp4eFKp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PtLUp4eFKp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\62\Rock\Kept\46\26\Triangle\Tell\them\town\glass\90sleep.pdb source: PtLUp4eFKp.exe

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Unpacked PE file: 0.2.PtLUp4eFKp.exe.1000000.4.unpack .text:ER;.data:W;.idata:R;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Unpacked PE file: 0.2.PtLUp4eFKp.exe.1000000.4.unpack
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_0100183F GetModuleHandleW, LoadLibraryW, GetProcAddress, 0_2_0100183F
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_01001C97 push ecx; ret 0_2_01001CA7
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_0042F21F push ecx; ret 0_2_0042F22F
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_0101300C push ss; retn 0045h 0_2_0101300D
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_010180CA pushad; ret 0_2_010180D2
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_0101433F pushad; retf 0_2_01014340
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_01015A8A push esi; ret 0_2_01015A8B
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_01013D59 push eax; iretd 0_2_01013D60
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_01016D6F push edx; ret 0_2_01016D7E
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_01019DE2 push eax; ret 0_2_01019DE4
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_01027DF6 push ecx; ret 0_2_01027E09
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_01019428 pushad; ret 0_2_01019429
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_0101873E push eax; iretd 0_2_01018750
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_01018685 push edx; retf 0_2_0101868B
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_0103C5E7 pushad; retf 0_2_0103C5E8
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_0103C001 push eax; iretd 0_2_0103C008
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe | Code function: 0_2_0103B2B4 push ss; retn 0045h 0_2_0103B2B5
Source: initial sample | Static PE information: section name: .text entropy: 7.02669490945

            Hooking and other Techniques for Hiding and Protection:

            barindex
            Yara detected UrsnifShow sources
Source: Yara match, File source: 00000000.00000003.313299990.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.377900250.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313150912.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313635375.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313551433.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313444212.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313521542.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312372024.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313096758.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312598436.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312671084.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313043847.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312295620.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312990571.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.474480567.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312211273.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313379527.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313341022.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312735589.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312523425.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313686479.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312126436.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313246617.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312038235.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313196766.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313479917.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313651237.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313613585.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313673973.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.313584616.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312449748.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312865548.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312803349.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000003.312923973.0000000003570000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: PtLUp4eFKp.exe PID: 6640, type: MEMORY
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe TID: 2428, Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_0102E6D1 FindFirstFileExA, 0_2_0102E6D1
Source: PtLUp4eFKp.exe, 00000000.00000003.468046237.0000000000615000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_0102C842 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0102C842
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_0100183F GetModuleHandleW,LoadLibraryW,GetProcAddress, 0_2_0100183F
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_004104FD mov eax, dword ptr fs:[00000030h] 0_2_004104FD
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_004104FD mov eax, dword ptr fs:[00000030h] 0_2_004104FD
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_004100C9 push dword ptr fs:[00000030h] 0_2_004100C9
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_0102BDE2 mov eax, dword ptr fs:[00000030h] 0_2_0102BDE2
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_0103977B mov eax, dword ptr fs:[00000030h] 0_2_0103977B
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_0103977B mov eax, dword ptr fs:[00000030h] 0_2_0103977B
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_01039347 push dword ptr fs:[00000030h] 0_2_01039347
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_01001535 EntryPoint,GetModuleHandleA,GetProcessHeap,GetCurrentThread,WaitForSingleObject,ExitProcess, 0_2_01001535
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_0102C842 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0102C842
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_01027B50 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01027B50
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_010276C7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_010276C7
Source: PtLUp4eFKp.exe, 00000000.00000002.474414299.0000000001140000.00000002.00000001.sdmp, Binary or memory string: Program Manager
Source: PtLUp4eFKp.exe, 00000000.00000002.474414299.0000000001140000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
Source: PtLUp4eFKp.exe, 00000000.00000002.474414299.0000000001140000.00000002.00000001.sdmp, Binary or memory string: Progman
Source: PtLUp4eFKp.exe, 00000000.00000002.474414299.0000000001140000.00000002.00000001.sdmp, Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_00429B02 cpuid 0_2_00429B02
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: GetLocaleInfoA,GetSystemDefaultUILanguage, 0_2_0042695B
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_00429A56 GetSystemTime, 0_2_00429A56
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_00429B02 GetUserNameW, 0_2_00429B02
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_0102E09F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_0102E09F
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, Code function: 0_2_0042221F CreateMutexW,GetLastError,GetLastError,GetVersionExA,GetModuleHandleA,RtlImageNtHeader,CloseHandle, 0_2_0042221F
Source: C:\Users\user\Desktop\PtLUp4eFKp.exe, WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

            Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match, same 35 file sources (34 memory dumps at 0000000003570000 plus the process memory space of PtLUp4eFKp.exe PID: 6640) as listed under Hooking and other Techniques for Hiding and Protection above.

            Remote Access Functionality:

Yara detected Ursnif
Source: Yara match, same 35 file sources (34 memory dumps at 0000000003570000 plus the process memory space of PtLUp4eFKp.exe PID: 6640) as listed under Hooking and other Techniques for Hiding and Protection above.

            Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 2 | Masquerading 1 | OS Credential Dumping | System Time Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Native API 1 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | Security Software Discovery 31 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Virtualization/Sandbox Evasion 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 23 | LSA Secrets | Process Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | Account Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Masquerading | /etc/passwd and /etc/shadow | File and Directory Discovery 2 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Information Discovery 24 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

Behavior Graph

[Behavior graph image not reproduced. Legend: Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet]