Analysis Report 2tsY1gtYQe.exe

Overview

General Information

Sample Name: 2tsY1gtYQe.exe
Analysis ID: 324124
MD5: 75dd85a6d1389e53fb125ebd9d2711a3
SHA1: 39d33f5c7aa2364f0f345f566946758ad3af80d4
SHA256: 2b120acc21bb146f94d229b7efeef732ab31dc9874fa00174f61e7673982a309
Tags: exe, Gozi, ISFB, Ursnif

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Ursnif
Creates a COM Internet Explorer object
Machine Learning detection for sample
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 2tsY1gtYQe.exe.6536.1.memstr Malware Configuration Extractor: Ursnif {"server": "12", "version": "250162", "uptime": "353hh|", "crc": "1", "id": "1001", "user": "4229768108f8d2d8cdc8873a7f098255", "soft": "3"}
Multi AV Scanner detection for domain / URL
Source: loadshemsplot.xyz Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: 2tsY1gtYQe.exe Virustotal: Detection: 63%
Source: 2tsY1gtYQe.exe ReversingLabs: Detection: 82%
Machine Learning detection for sample
Source: 2tsY1gtYQe.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.2tsY1gtYQe.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 1.3.2tsY1gtYQe.exe.a50000.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_0254523B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_0254523B

Networking:

Creates a COM Internet Explorer object
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Key opened: HKEY_LOCAL_MACHINE\Software\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\TreatAs
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocServer32
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler32
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Key opened: HKEY_CURRENT_USER_Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046}\InprocHandler
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 151.101.1.192
Source: Joe Sandbox View IP Address: 192.229.221.185
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 9e10692f1b7f78228b2d4e424db3a98c
Source: unknown DNS traffic detected: queries for: assets.onestore.ms

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.713969974.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.810687783.0000000002FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.810749079.0000000002FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.810673766.0000000002FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713981277.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713850490.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713931366.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713804401.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713880426.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.756942325.00000000030CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.931050218.0000000002E50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713643686.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713707327.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2tsY1gtYQe.exe PID: 6536, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: same Yara matches as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above (memory dumps of PID 6536)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_00401115 GetProcAddress,NtCreateSection,memset, 1_2_00401115
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_004012AF NtMapViewOfSection, 1_2_004012AF
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_02546066 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 1_2_02546066
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_0254B10D NtQueryVirtualMemory, 1_2_0254B10D
Detected potential crypto function
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_0254AEEC 1_2_0254AEEC
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_025415CD 1_2_025415CD
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_00416C5F 1_2_00416C5F
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_00417D48 1_2_00417D48
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_0041566A 1_2_0041566A
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_00410317 1_2_00410317
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_00410BC0 1_2_00410BC0
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_00410FCC 1_2_00410FCC
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_004107EC 1_2_004107EC
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_004113EC 1_2_004113EC
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_00415BAE 1_2_00415BAE
Source: 2tsY1gtYQe.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.bank.troj.evad.winEXE@10/83@20/4
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_02545946 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 1_2_02545946
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2DF065A5-3169-11EB-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFDB45CE98218A909C.TMP
Source: 2tsY1gtYQe.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 2tsY1gtYQe.exe Virustotal: Detection: 63%
Source: 2tsY1gtYQe.exe ReversingLabs: Detection: 82%
Source: unknown Process created: C:\Users\user\Desktop\2tsY1gtYQe.exe 'C:\Users\user\Desktop\2tsY1gtYQe.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6580 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5532 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6824 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6580 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5532 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6824 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe File opened: C:\Windows\SysWOW64\msvcr100.dll

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Unpacked PE file: 1.2.2tsY1gtYQe.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.rsrc:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Unpacked PE file: 1.2.2tsY1gtYQe.exe.400000.0.unpack
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_0254AEDB push ecx; ret 1_2_0254AEEB
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_0254AB20 push ecx; ret 1_2_0254AB29
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_008E2AC3 push cs; iretd 1_2_008E2ACB
Source: initial sample Static PE information: section name: .text entropy: 7.29958716191

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.713969974.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.810687783.0000000002FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.810749079.0000000002FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.810673766.0000000002FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713981277.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713850490.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713931366.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713804401.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713880426.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.756942325.00000000030CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.931050218.0000000002E50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713643686.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713707327.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2tsY1gtYQe.exe PID: 6536, type: MEMORY
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe TID: 6656 Thread sleep count: 35 > 30
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe TID: 6656 Thread sleep count: 37 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_0254523B RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 1_2_0254523B

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_0040EDCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0040EDCC
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_008E0D90 mov eax, dword ptr fs:[00000030h] 1_2_008E0D90
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_008E092B mov eax, dword ptr fs:[00000030h] 1_2_008E092B
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_004132DB __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,RtlAllocateHeap,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_004132DB
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_0040EDCC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_0040EDCC
Source: 2tsY1gtYQe.exe, 00000001.00000002.930747905.00000000010F0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: 2tsY1gtYQe.exe, 00000001.00000002.930747905.00000000010F0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: 2tsY1gtYQe.exe, 00000001.00000002.930747905.00000000010F0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: 2tsY1gtYQe.exe, 00000001.00000002.930747905.00000000010F0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_025465CE cpuid 1_2_025465CE
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: GetLocaleInfoW, 1_2_0041705B
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: _LcidFromHexString,GetLocaleInfoA, 1_2_0040FCE4
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: _GetPrimaryLen,EnumSystemLocalesA, 1_2_004100EA
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: _GetPrimaryLen,EnumSystemLocalesA, 1_2_00410083
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: GetLastError,WideCharToMultiByte,GetLocaleInfoA, 1_2_0041708F
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen, 1_2_0040FD7C
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale, 1_2_00410126
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: __crtGetLocaleInfoA_stat, 1_2_004171CE
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: GetLocaleInfoA, 1_2_00411B35
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 1_2_0040FFC2
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 1_2_0040FBCD
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_004011DD GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 1_2_004011DD
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_025465CE RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 1_2_025465CE
Source: C:\Users\user\Desktop\2tsY1gtYQe.exe Code function: 1_2_004017E9 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 1_2_004017E9

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.713969974.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.810687783.0000000002FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.810749079.0000000002FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.810673766.0000000002FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713981277.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713850490.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713931366.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713804401.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713880426.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.756942325.00000000030CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.931050218.0000000002E50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713643686.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713707327.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2tsY1gtYQe.exe PID: 6536, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.713969974.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.810687783.0000000002FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.810749079.0000000002FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.810673766.0000000002FCD000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713981277.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713850490.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713931366.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713804401.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713880426.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.756942325.00000000030CB000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.931050218.0000000002E50000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713643686.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.713707327.0000000003248000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2tsY1gtYQe.exe PID: 6536, type: MEMORY

Behavior Graph (figure): ID: 324124 Sample: 2tsY1gtYQe.exe Startdate: 28/11/2020 Architecture: WINDOWS Score: 100

Contacted Public IPs

IP               Domain   Country         ASN    ASN Name      Malicious
151.101.1.192    unknown  United States   54113  FASTLYUS      false
192.229.221.185  unknown  United States   15133  EDGECASTUS    false
185.219.220.94   unknown  Sweden          39378  SERVINGADE    true
143.204.215.116  unknown  United States   16509  AMAZON-02US   false

Contacted Domains

Name IP Active
microsoftwindows.112.2o7.net 15.237.136.106 true
dh1y47vf5ttia.cloudfront.net 143.204.215.116 true
loadshemsplot.xyz 185.219.220.94 true
cs1227.wpc.alphacdn.net 192.229.221.185 true
liveperson.map.fastly.net 151.101.1.192 true
logincdn.msauth.net unknown unknown
accdn.lpsnmedia.net unknown unknown
publisher.liveperson.net unknown unknown
assets.onestore.ms unknown unknown
lptag.liveperson.net unknown unknown
static-assets.fs.liveperson.com unknown unknown
mem.gfx.ms unknown unknown