
Windows Analysis Report VjLfUM5cMx

Overview

General Information

Sample Name: VjLfUM5cMx (renamed file extension from none to exe)
Analysis ID: 480997
MD5: c07d4f7dcac497a3c06cbba9e6e9e711
SHA1: f9910595a15ee0ca41871bda8f1a23a3aa7f9360
SHA256: 82aabb70809394ec910ecdff3dfe4982d652c6d65f7fa65e7da16b83ebf87192
Tags: exe, FORTHPROPERTYLTD

Detection

Ursnif, Ursnif v3
Score: 88 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

Process Tree

  • System is w10x64
  • VjLfUM5cMx.exe (PID: 6120 cmdline: 'C:\Users\user\Desktop\VjLfUM5cMx.exe' MD5: C07D4F7DCAC497A3C06CBBA9E6E9E711)
  • iexplore.exe (PID: 2856 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6960 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2856 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 1492 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 3740 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1492 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000003.743054194.0000000003640000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.742911268.0000000003640000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.742353433.0000000003640000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.743093279.0000000003640000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000000.00000003.743313694.0000000003640000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(29 further entries not shown here; all 34 memory matches are listed in full under the signature sections below)

            Unpacked PEs

Source | Rule | Description | Author | Strings
0.3.VjLfUM5cMx.exe.dc9d7c.0.raw.unpack | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security |
0.2.VjLfUM5cMx.exe.1000000.0.unpack | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security |

                Sigma Overview

                No Sigma rule has matched

                Jbx Signature Overview


                AV Detection:

Multi AV Scanner detection for submitted file
Source: VjLfUM5cMx.exe | Virustotal: Detection: 13%
Machine Learning detection for sample
Source: VjLfUM5cMx.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.3.VjLfUM5cMx.exe.dc9d7c.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.VjLfUM5cMx.exe.1000000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Uses 32bit PE files
Source: VjLfUM5cMx.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb | source: VjLfUM5cMx.exe

                Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: haverit.xyz (6 queries)
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | DNS query: haverit.xyz (2 queries)
Source: unknown | DNS traffic detected: query: haverit.xyz, reply code: Name error (3), i.e. NXDOMAIN. Every lookup of the C2 name failed and no IP address was ever contacted; this is what the "expired dropper behavior" signature above refers to.
The msapplication.xml*.7.dr entries below are Internet Explorer's own pinned-site tile data for its default Favorites (Amazon, Facebook, Google, Live, NYTimes, Reddit, Twitter, Wikipedia, YouTube), written by the browser when it starts, not content planted by the sample.
Source: msapplication.xml0.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb71b6d91,0x01d7a604</date><accdate>0xb71b6d91,0x01d7a604</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb71b6d91,0x01d7a604</date><accdate>0xb71b6d91,0x01d7a604</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb71b6d91,0x01d7a604</date><accdate>0xb71b6d91,0x01d7a604</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb71b6d91,0x01d7a604</date><accdate>0xb71b6d91,0x01d7a604</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb7229583,0x01d7a604</date><accdate>0xb7229583,0x01d7a604</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.7.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb7229583,0x01d7a604</date><accdate>0xb7229583,0x01d7a604</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: VjLfUM5cMx.exe, 00000000.00000003.743266389.0000000003640000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html; (a printf-style URL template, found in the same memory region that the Ursnif Yara rules match)
The DigiCert and Sectigo CRL, OCSP and CPS URLs below come from the sample's Authenticode signature chain (Sectigo RSA code-signing certificate with DigiCert SHA2 timestamping), which the static check reports as invalid; they are certificate infrastructure, not command-and-control.
Source: VjLfUM5cMx.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: VjLfUM5cMx.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: VjLfUM5cMx.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: VjLfUM5cMx.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: VjLfUM5cMx.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: VjLfUM5cMx.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: VjLfUM5cMx.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: VjLfUM5cMx.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: VjLfUM5cMx.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: VjLfUM5cMx.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: VjLfUM5cMx.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: VjLfUM5cMx.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: VjLfUM5cMx.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: VjLfUM5cMx.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.7.dr | String found in binary or memory: http://www.amazon.com/
Source: VjLfUM5cMx.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: msapplication.xml1.7.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.7.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.7.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.7.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.7.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.7.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.7.dr | String found in binary or memory: http://www.youtube.com/
Source: VjLfUM5cMx.exe, 00000000.00000002.961204866.0000000000629000.00000004.00000020.sdmp | String found in binary or memory: https://haverit.xyz
Source: VjLfUM5cMx.exe, 00000000.00000003.929576578.000000000066A000.00000004.00000001.sdmp | String found in binary or memory: https://haverit.xyz/0b
Source: VjLfUM5cMx.exe, 00000000.00000003.800653313.0000000000669000.00000004.00000001.sdmp | String found in binary or memory: https://haverit.xyz/Q
Source: VjLfUM5cMx.exe, 00000000.00000002.961204866.0000000000629000.00000004.00000020.sdmp, ~DFD3F956B20687A278.TMP.7.dr | String found in binary or memory: https://haverit.xyz/index.htm
Source: VjLfUM5cMx.exe, 00000000.00000002.961204866.0000000000629000.00000004.00000020.sdmp | String found in binary or memory: https://haverit.xyz/index.htm&E
Source: {077FA0D6-11F8-11EC-90EB-ECF4BBEA1588}.dat.15.dr | String found in binary or memory: https://haverit.xyz/index.htmRoot
Source: {077FA0D6-11F8-11EC-90EB-ECF4BBEA1588}.dat.15.dr | String found in binary or memory: https://haverit.xyz/index.htmdex.htm
Source: VjLfUM5cMx.exe, 00000000.00000003.892700634.000000000068C000.00000004.00000001.sdmp | String found in binary or memory: https://haverit.xyz/index.htmr#
Source: VjLfUM5cMx.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: VjLfUM5cMx.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | DNS traffic detected: queries for: haverit.xyz

                Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif (unpacked PEs)
Source: Yara match | File source: 0.3.VjLfUM5cMx.exe.dc9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.VjLfUM5cMx.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif (memory dumps)
Source: Yara match | type: MEMORY | File source: each of the following 33 dumps, all of the region at 0x03640000 in process 0 (VjLfUM5cMx.exe, PID 6120):
  00000000.00000003.743054194.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742911268.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742353433.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743093279.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743313694.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742958135.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743290829.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.741931302.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742268425.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743331263.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743266389.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742496222.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743239058.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743391740.0000000003640000.00000004.00000040.sdmp
  00000000.00000002.961646531.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743211426.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742430984.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742097013.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743177986.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743353889.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742801405.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742634138.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743003429.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742749222.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742570614.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743401742.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743138802.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742692154.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742188110.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742014211.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.743370213.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.742861166.0000000003640000.00000004.00000040.sdmp
  00000000.00000003.741849479.0000000003640000.00000004.00000040.sdmp
Source: Yara match | File source: Process Memory Space: VjLfUM5cMx.exe PID: 6120, type: MEMORYSTR

                E-Banking Fraud:

Yara detected Ursnif (unpacked PEs)
Source: Yara match | File source: 0.3.VjLfUM5cMx.exe.dc9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.VjLfUM5cMx.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif (memory dumps)
Source: Yara match | type: MEMORY | File source: the same 33 dumps of the region at 0x03640000 listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above
Source: Yara match | File source: Process Memory Space: VjLfUM5cMx.exe PID: 6120, type: MEMORYSTR

                System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: VjLfUM5cMx.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: VjLfUM5cMx.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VjLfUM5cMx.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: VjLfUM5cMx.exe | Static PE information: invalid certificate
Source: VjLfUM5cMx.exe | Virustotal: Detection: 13%
Source: VjLfUM5cMx.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\VjLfUM5cMx.exe 'C:\Users\user\Desktop\VjLfUM5cMx.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2856 CREDAT:17410 /prefetch:2
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:1492 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E1A18F6F-11F7-11EC-90EB-ECF4BBEA1588}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Temp\~DFCE99751527B74E99.TMP
Source: classification engine | Classification label: mal88.troj.evad.winEXE@7/29@8/0
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 reads)
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: VjLfUM5cMx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: VjLfUM5cMx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: VjLfUM5cMx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: VjLfUM5cMx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: VjLfUM5cMx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: VjLfUM5cMx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: VjLfUM5cMx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG (second debug entry)
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb | source: VjLfUM5cMx.exe
Source: VjLfUM5cMx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: VjLfUM5cMx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: VjLfUM5cMx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: VjLfUM5cMx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: VjLfUM5cMx.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                Data Obfuscation:

                barindex
                Detected unpacking (changes PE section rights)Show sources
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exeUnpacked PE file: 0.2.VjLfUM5cMx.exe.1000000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
                Source: VjLfUM5cMx.exeStatic PE information: real checksum: 0xe20f3 should be: 0xe153a
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exeCode function: 0_3_0364198A push ds; retf 0_3_03641991
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exeCode function: 0_3_0364198A push ds; retf 0_3_03641991
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exeCode function: 0_3_0364198A push ds; retf 0_3_03641991
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exeCode function: 0_3_0364198A push ds; retf 0_3_03641991
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exeCode function: 0_3_0364198A push ds; retf 0_3_03641991
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exeCode function: 0_3_0364198A push ds; retf 0_3_03641991
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exeCode function: 0_3_0364198A push ds; retf 0_3_03641991
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exeCode function: 0_3_0364198A push ds; retf 0_3_03641991
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exeCode function: 0_3_0364198A push ds; retf 0_3_03641991
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exeCode function: 0_3_0364198A push ds; retf 0_3_03641991
                Source: initial sample | Static PE information: section name: .text entropy: 6.85141546298

                Hooking and other Techniques for Hiding and Protection:

                Yara detected Ursnif
                Source: Yara match | File source: 0.3.VjLfUM5cMx.exe.dc9d7c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.VjLfUM5cMx.exe.1000000.0.unpack, type: UNPACKEDPE
                Yara detected Ursnif
                Source: Yara match | File source: 00000000.00000003.743054194.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742911268.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742353433.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743093279.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743313694.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742958135.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743290829.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.741931302.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742268425.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743331263.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743266389.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742496222.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743239058.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743391740.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.961646531.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743211426.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742430984.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742097013.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743177986.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743353889.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742801405.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742634138.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743003429.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742749222.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742570614.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743401742.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743138802.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742692154.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742188110.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742014211.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.743370213.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.742861166.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.741849479.0000000003640000.00000004.00000040.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: VjLfUM5cMx.exe PID: 6120, type: MEMORYSTR
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exe TID: 4972 | Thread sleep time: -30000s >= -30000s
                Source: VjLfUM5cMx.exe, 00000000.00000003.943610130.000000000065B000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: VjLfUM5cMx.exe, 00000000.00000002.961561728.0000000001100000.00000002.00020000.sdmp | Binary or memory string: Program Manager
                Source: VjLfUM5cMx.exe, 00000000.00000002.961561728.0000000001100000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: VjLfUM5cMx.exe, 00000000.00000002.961561728.0000000001100000.00000002.00020000.sdmp | Binary or memory string: Progman
                Source: VjLfUM5cMx.exe, 00000000.00000002.961561728.0000000001100000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\VjLfUM5cMx.exe | WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

                Stealing of Sensitive Information:

                Yara detected Ursnif
                Source: Yara match | File source: 0.3.VjLfUM5cMx.exe.dc9d7c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.VjLfUM5cMx.exe.1000000.0.unpack, type: UNPACKEDPE
                Yara detected Ursnif
                Source: Yara match | File source: the same memory dumps and process memory space (VjLfUM5cMx.exe PID: 6120, type: MEMORYSTR) listed under "Hooking and other Techniques for Hiding and Protection" above

                Remote Access Functionality:

                Yara detected Ursnif
                Source: Yara match | File source: 0.3.VjLfUM5cMx.exe.dc9d7c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.VjLfUM5cMx.exe.1000000.0.unpack, type: UNPACKEDPE
                Yara detected Ursnif
                Source: Yara match | File source: the same memory dumps and process memory space (VjLfUM5cMx.exe PID: 6120, type: MEMORYSTR) listed under "Hooking and other Techniques for Hiding and Protection" above

                Mitre Att&ck Matrix

                Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                Valid Accounts | Windows Management Instrumentation 211 | Path Interception | Process Injection 2 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Non-Application Layer Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 1 | LSASS Memory | Security Software Discovery 11 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Process Injection 2 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 2 | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
                Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing 12 | LSA Secrets | Remote System Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | File and Directory Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | System Information Discovery 3 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

                Behavior Graph

                [Behavior graph, rendered as an image on the original page. Recoverable information: Behavior Graph ID: 480997; Sample: VjLfUM5cMx; Startdate: 10/09/2021; Architecture: WINDOWS; Score: 88. Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected Ursnif (two rule matches); 2 other signatures. Processes: VjLfUM5cMx.exe (DNS: haverit.xyz; signatures: Detected unpacking (changes PE section rights), Performs DNS queries to domains with low reputation, Writes or reads registry keys via WMI, Writes registry values via WMI); iexplore.exe (1, 73) -> iexplore.exe (29), DNS: haverit.xyz; iexplore.exe (1, 50) -> iexplore.exe (29), DNS: haverit.xyz.]

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.