Windows Analysis Report nheQqfaVcS

Overview

General Information

Sample Name: nheQqfaVcS (renamed file extension from none to exe)
Analysis ID: 480998
MD5: 2926d2ff62efaa0fbfdcc3fb7e77c6d2
SHA1: dc5ebad8503139f8ce84927fda0ec9adb5b77200
SHA256: 041d5d8edb606415cdcb6670b69ed4b2a2d80a8eb3e4dc75f0a9b2d558bedf60
Tags: exe, FORTHPROPERTYLTD

Detection

Ursnif Ursnif v3
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: nheQqfaVcS.exe Virustotal: Detection: 19%
Multi AV Scanner detection for domain / URL
Source: haverit.xyz Virustotal: Detection: 5%
Machine Learning detection for sample
Source: nheQqfaVcS.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.nheQqfaVcS.exe.1000000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.nheQqfaVcS.exe.ea9d7c.0.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: nheQqfaVcS.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: nheQqfaVcS.exe

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Users\user\Desktop\nheQqfaVcS.exe DNS query: haverit.xyz
Source: C:\Users\user\Desktop\nheQqfaVcS.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: haverit.xyz replaycode: Name error (3)
Source: msapplication.xml0.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x26116b42,0x01d7a650</date><accdate>0x26116b42,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x26116b42,0x01d7a650</date><accdate>0x26116b42,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x26189557,0x01d7a650</date><accdate>0x26189557,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x26189557,0x01d7a650</date><accdate>0x26189557,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x26189557,0x01d7a650</date><accdate>0x26189557,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.13.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x26189557,0x01d7a650</date><accdate>0x26189557,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: nheQqfaVcS.exe, 00000000.00000003.313289878.00000000036D0000.00000004.00000040.sdmp String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: nheQqfaVcS.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: nheQqfaVcS.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: nheQqfaVcS.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: nheQqfaVcS.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: nheQqfaVcS.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: nheQqfaVcS.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: nheQqfaVcS.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: nheQqfaVcS.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: nheQqfaVcS.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: nheQqfaVcS.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: nheQqfaVcS.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: nheQqfaVcS.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: nheQqfaVcS.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: nheQqfaVcS.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.13.dr String found in binary or memory: http://www.amazon.com/
Source: nheQqfaVcS.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: msapplication.xml1.13.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.13.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.13.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.13.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.13.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.13.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.13.dr String found in binary or memory: http://www.youtube.com/
Source: nheQqfaVcS.exe String found in binary or memory: https://haverit.xyz
Source: ~DF165B26F914703F17.TMP.13.dr String found in binary or memory: https://haverit.xyz/index.htm
Source: {7678AF57-1243-11EC-90E5-ECF4BB570DC9}.dat.26.dr String found in binary or memory: https://haverit.xyz/index.htmRoot
Source: {7678AF57-1243-11EC-90E5-ECF4BB570DC9}.dat.26.dr String found in binary or memory: https://haverit.xyz/index.htmdex.htm
Source: nheQqfaVcS.exe String found in binary or memory: https://sectigo.com/CPS0
Source: nheQqfaVcS.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown DNS traffic detected: queries for: haverit.xyz

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 0.2.nheQqfaVcS.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.nheQqfaVcS.exe.ea9d7c.0.raw.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.313661419.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.533943454.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313428934.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313350824.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312765827.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313524102.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313391092.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313620745.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313575015.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312402940.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313494038.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313143533.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313289878.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313551158.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313087674.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312317005.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313243229.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312902480.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.311981135.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313033304.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313650621.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313636918.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312584205.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313461705.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312495587.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313193145.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312229401.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312975464.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312836081.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312674731.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.313595976.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312150380.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.312065477.00000000036D0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nheQqfaVcS.exe PID: 6572, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 0.2.nheQqfaVcS.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.nheQqfaVcS.exe.ea9d7c.0.raw.unpack, type: UNPACKEDPE

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\nheQqfaVcS.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\nheQqfaVcS.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\nheQqfaVcS.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\nheQqfaVcS.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\nheQqfaVcS.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\nheQqfaVcS.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\nheQqfaVcS.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\nheQqfaVcS.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\nheQqfaVcS.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\nheQqfaVcS.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\nheQqfaVcS.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: nheQqfaVcS.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
PE file contains strange resources
Source: nheQqfaVcS.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nheQqfaVcS.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE / OLE file has an invalid certificate
Source: nheQqfaVcS.exe Static PE information: invalid certificate
Source: nheQqfaVcS.exe Virustotal: Detection: 19%
Source: nheQqfaVcS.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\nheQqfaVcS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\nheQqfaVcS.exe 'C:\Users\user\Desktop\nheQqfaVcS.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6256 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6256 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5720 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\nheQqfaVcS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\Desktop\nheQqfaVcS.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Users\user\Desktop\nheQqfaVcS.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{506886DB-1243-11EC-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFCDB1AD29A328B9E8.TMP
Source: classification engine Classification label: mal96.troj.evad.winEXE@7/29@8/0
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\nheQqfaVcS.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\nheQqfaVcS.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: nheQqfaVcS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: nheQqfaVcS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: nheQqfaVcS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: nheQqfaVcS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: nheQqfaVcS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: nheQqfaVcS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: nheQqfaVcS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: nheQqfaVcS.exe
Source: nheQqfaVcS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: nheQqfaVcS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: nheQqfaVcS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: nheQqfaVcS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: nheQqfaVcS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\nheQqfaVcS.exe Unpacked PE file: 0.2.nheQqfaVcS.exe.1000000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
PE file contains an invalid checksum
Source: nheQqfaVcS.exe Static PE information: real checksum: 0xe2b91 should be: 0xe302d
Source: initial sample Static PE information: section name: .text entropy: 6.85141828955

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 0.2.nheQqfaVcS.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.nheQqfaVcS.exe.ea9d7c.0.raw.unpack, type: UNPACKEDPE
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\nheQqfaVcS.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\nheQqfaVcS.exe TID: 6236 Thread sleep time: -30000s >= -30000s
Source: nheQqfaVcS.exe, 00000000.00000002.533850677.0000000001100000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: nheQqfaVcS.exe, 00000000.00000002.533850677.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progman
Source: nheQqfaVcS.exe, 00000000.00000002.533850677.0000000001100000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: nheQqfaVcS.exe, 00000000.00000002.533850677.0000000001100000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: nheQqfaVcS.exe, 00000000.00000002.533850677.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\nheQqfaVcS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\nheQqfaVcS.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 0.2.nheQqfaVcS.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.nheQqfaVcS.exe.ea9d7c.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 0.2.nheQqfaVcS.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.nheQqfaVcS.exe.ea9d7c.0.raw.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: Process Memory Space: nheQqfaVcS.exe PID: 6572, type: MEMORYSTR
No contacted IP infos