Windows Analysis Report p47bG25tTf

Overview

General Information

Sample Name: p47bG25tTf (renamed file extension from none to exe)
Analysis ID: 480999
MD5: d0cb3af3f2f9bbb89faba16f41585e7c
SHA1: 3a1006610fc6e98670cfd6f01744e4623eeedd9b
SHA256: 31f5ee68e7548cd1d49720492502877466b35241cd441b48eefbddffc74a5475
Tags: exe, FORTHPROPERTYLTD

Detection

Ursnif, Ursnif v3
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: p47bG25tTf.exe Virustotal: Detection: 14% Perma Link
Source: p47bG25tTf.exe ReversingLabs: Detection: 17%
Multi AV Scanner detection for domain / URL
Source: haverit.xyz Virustotal: Detection: 5% Perma Link
Machine Learning detection for sample
Source: p47bG25tTf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.3.p47bG25tTf.exe.db9d7c.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.p47bG25tTf.exe.1000000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7

Compliance:

Uses 32bit PE files
Source: p47bG25tTf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: p47bG25tTf.exe

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Users\user\Desktop\p47bG25tTf.exe DNS query: haverit.xyz
Source: C:\Users\user\Desktop\p47bG25tTf.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: haverit.xyz reply code: Name error (3), i.e. NXDOMAIN; the C2 domain did not resolve at analysis time, so no second-stage traffic was observed
Source: msapplication.xml0.8.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2a9b72c5,0x01d7a650</date><accdate>0x2a9b72c5,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.8.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x2a9b72c5,0x01d7a650</date><accdate>0x2a9b72c5,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.8.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2aa299ee,0x01d7a650</date><accdate>0x2aa299ee,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.8.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x2aa299ee,0x01d7a650</date><accdate>0x2aa299ee,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.8.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2aaa0d44,0x01d7a650</date><accdate>0x2aaa0d44,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.8.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x2aaa0d44,0x01d7a650</date><accdate>0x2aaa0d44,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: p47bG25tTf.exe, 00000000.00000003.412774183.0000000003750000.00000004.00000040.sdmp String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: p47bG25tTf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: p47bG25tTf.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: p47bG25tTf.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: p47bG25tTf.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: p47bG25tTf.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: p47bG25tTf.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: p47bG25tTf.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: p47bG25tTf.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: p47bG25tTf.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: p47bG25tTf.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: p47bG25tTf.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: p47bG25tTf.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: p47bG25tTf.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: p47bG25tTf.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.8.dr String found in binary or memory: http://www.amazon.com/
Source: p47bG25tTf.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: msapplication.xml1.8.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.8.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.8.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.8.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.8.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.8.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.8.dr String found in binary or memory: http://www.youtube.com/
Source: p47bG25tTf.exe String found in binary or memory: https://haverit.xyz
Source: ~DF29513E450399A0E6.TMP.21.dr String found in binary or memory: https://haverit.xyz/index.htm
Source: {7B4B21B3-1243-11EC-90E5-ECF4BB2D2496}.dat.21.dr String found in binary or memory: https://haverit.xyz/index.htmRoot
Source: {7B4B21B3-1243-11EC-90E5-ECF4BB2D2496}.dat.21.dr String found in binary or memory: https://haverit.xyz/index.htmdex.htm
Source: p47bG25tTf.exe String found in binary or memory: https://sectigo.com/CPS0
Source: p47bG25tTf.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown DNS traffic detected: queries for: haverit.xyz

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 0.2.p47bG25tTf.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.p47bG25tTf.exe.db9d7c.0.raw.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.631812823.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411680498.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412285957.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411095451.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412774183.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412569620.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411978196.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411758460.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412426058.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412785825.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411605521.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412680066.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412607752.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412384175.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412743237.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411442677.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411526814.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411908339.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412640219.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.410999353.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412334976.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411184929.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412120238.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412463340.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412538373.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411360711.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412177885.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411273329.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412722714.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412702712.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412499004.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411834632.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412228113.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: p47bG25tTf.exe PID: 6576, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: same unpacked-PE and memory-dump sources as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above (0.2.p47bG25tTf.exe.1000000.0.unpack, 0.3.p47bG25tTf.exe.db9d7c.0.raw.unpack, the 00000000.*.0000000003750000.00000004.00000040.sdmp dumps and Process Memory Space: p47bG25tTf.exe PID: 6576)

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\p47bG25tTf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\p47bG25tTf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\p47bG25tTf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\p47bG25tTf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\p47bG25tTf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\p47bG25tTf.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\p47bG25tTf.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\p47bG25tTf.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\p47bG25tTf.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\p47bG25tTf.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\p47bG25tTf.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Note: StdRegProv is hosted by the WMI provider host (WmiPrvSE.exe), so the registry writes themselves are performed by WmiPrvSE.exe and registry telemetry such as Sysmon Event ID 13 attributes them to that process rather than to p47bG25tTf.exe. The report can still name the sample as the caller because it records the client-side IWbemServices::ExecMethod call; the target key and value names are not shown here.
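The StdRegProv calls above reach the registry through the WMI provider host, so host telemetry attributes the resulting writes to WmiPrvSE.exe rather than to the sample. The following Python is an added example, not part of this report and not sandbox code: it scans Sysmon Event ID 13 (RegistryEvent: Value Set) records, constructed here as plain dicts, for WmiPrvSE.exe writes to a watch-list of autostart and policy locations and tags each hit with the attribution gap the analyst has to close. The watch-list and the sample events are assumptions for illustration; the report does not say which keys the sample wrote.

```python
"""Triage helper for registry writes that arrive through WMI's StdRegProv.

Added example for this report, not code from the sandbox. Input is a list of
Sysmon Event ID 13 (RegistryEvent: Value Set) records flattened to dicts. The
records below are constructed, and the watched-key list is an assumption about
what is worth alerting on, not something the report states.
"""
import re

# Process that hosts StdRegProv: when a client calls
# IWbemServices::ExecMethod(root\default, StdRegProv::SetDWORDValue), the
# actual registry write happens inside this process, so Sysmon names it.
WMI_PROVIDER_HOST = "wmiprvse.exe"

# Autostart / policy locations worth alerting on (assumed watch-list).
WATCHED_KEYS = [
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I),
    re.compile(r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\", re.I),
    re.compile(r"\\Software\\Policies\\", re.I),
    re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.I),
]


def image_basename(path: str) -> str:
    """Lower-cased file name of a Sysmon Image path (handles both slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_wmi_registry_writes(records):
    """Return Event 13 records that look like StdRegProv-mediated writes to a
    watched location.

    The originating WMI client is NOT in the event, only WmiPrvSE.exe is, so
    each finding carries a note telling the analyst where to pivot for
    attribution (WMI-Activity tracing, or a sandbox ExecMethod log like the
    one in this report).
    """
    findings = []
    for rec in records:
        if rec.get("EventID") != 13:
            continue
        if image_basename(rec.get("Image", "")) != WMI_PROVIDER_HOST:
            continue
        target = rec.get("TargetObject", "")
        if not any(p.search(target) for p in WATCHED_KEYS):
            continue
        findings.append({
            "UtcTime": rec.get("UtcTime"),
            "TargetObject": target,
            "Details": rec.get("Details"),
            "WriterPid": rec.get("ProcessId"),
            "Note": ("write performed by WmiPrvSE.exe on behalf of an unknown WMI "
                     "client; attribute via Microsoft-Windows-WMI-Activity/Trace "
                     "or a sandbox ExecMethod log"),
        })
    return findings


# Constructed sample records (not taken from the report).
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2021-09-10 09:41:02.115",
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "ProcessId": 2960,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\user\AppData\Roaming\Updater\updater.exe"},
    {"EventID": 13, "UtcTime": "2021-09-10 09:41:02.120",
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "ProcessId": 2960,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Wbem\CIMOM\LastServiceStart",
     "Details": "DWORD (0x0000002a)"},
    {"EventID": 13, "UtcTime": "2021-09-10 09:41:05.000",
     "Image": r"C:\Windows\explorer.exe", "ProcessId": 4120,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 12, "UtcTime": "2021-09-10 09:41:01.900",
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "ProcessId": 2960,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]

if __name__ == "__main__":
    for f in flag_wmi_registry_writes(SAMPLE_EVENTS):
        print(f"{f['UtcTime']}  {f['TargetObject']} = {f['Details']}  ({f['Note']})")
```

Only the first constructed event is reported: the second is WmiPrvSE.exe housekeeping under its own Wbem key, the third is a Run-key write by explorer.exe (a different rule's business), and the fourth is a key-create event (ID 12), not a value set. The point of the note field is that a WmiPrvSE.exe-attributed write is a dead end unless you also have the client-side call, which is exactly what the sandbox's ExecMethod lines supply here.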
Uses 32bit PE files
Source: p47bG25tTf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
PE file contains strange resources
Source: p47bG25tTf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: p47bG25tTf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE / OLE file has an invalid certificate
Source: p47bG25tTf.exe Static PE information: invalid certificate
Source: p47bG25tTf.exe Virustotal: Detection: 14%
Source: p47bG25tTf.exe ReversingLabs: Detection: 17%
Source: p47bG25tTf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\p47bG25tTf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\p47bG25tTf.exe 'C:\Users\user\Desktop\p47bG25tTf.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5348 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2584 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5348 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2584 CREDAT:17410 /prefetch:2 Jump to behavior
Source: C:\Users\user\Desktop\p47bG25tTf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\p47bG25tTf.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Users\user\Desktop\p47bG25tTf.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{54E1EBED-1243-11EC-90E5-ECF4BB2D2496}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF9DEA79CED7C13093.TMP Jump to behavior
Source: classification engine Classification label: mal96.troj.evad.winEXE@7/29@8/0
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\p47bG25tTf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\p47bG25tTf.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: p47bG25tTf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: p47bG25tTf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: p47bG25tTf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: p47bG25tTf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: p47bG25tTf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: p47bG25tTf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: p47bG25tTf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: p47bG25tTf.exe
Source: p47bG25tTf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: p47bG25tTf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: p47bG25tTf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: p47bG25tTf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: p47bG25tTf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\p47bG25tTf.exe Unpacked PE file: 0.2.p47bG25tTf.exe.1000000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
PE file contains an invalid checksum
Source: p47bG25tTf.exe Static PE information: real checksum: 0xdbfab should be: 0xdee02
Source: initial sample Static PE information: section name: .text entropy: 6.85140338901
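The checksum mismatch above (stored 0xdbfab, expected 0xdee02) can be reproduced for any PE with the algorithm below. This is an added example, not sandbox code: it implements the standard PE CheckSum fold (the same computation imagehlp's CheckSumMappedFile and pefile's generate_checksum() perform) and, because the sample itself is not on this page, verifies it against a constructed 256-byte stub that carries only the MZ/PE markers and e_lfanew. The stub, its expected value 0xA0DD and the assumption that the CheckSum field is dword-aligned are the author's, not the report's.

```python
"""Recompute a PE image's CheckSum and compare it with the stored header value.

Added example for this report, not sandbox code. The fold below is the
documented PE checksum: sum 32-bit words with end-around carry, skipping the
CheckSum field itself, fold to 16 bits, then add the unpadded file length.
The CheckSum field is assumed to be dword-aligned (true for any normally
linked image, and the same assumption pefile makes).
"""
import struct
import sys


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum:
    e_lfanew + 4 (PE signature) + 20 (IMAGE_FILE_HEADER) + 0x40."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    return e_lfanew + 4 + 20 + 0x40


def compute_pe_checksum(data: bytes) -> int:
    """Return the CheckSum value the header should carry for this image."""
    skip = (checksum_field_offset(data) // 4) * 4  # dword holding CheckSum
    # Pad a copy to a multiple of 4 for the word sum; the length added at the
    # end is the original (unpadded) file size, as the reference algorithm does.
    padded = data + b"\0" * ((4 - len(data) % 4) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:  # the CheckSum field is excluded from its own sum
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:  # end-around carry at the 32-bit stage
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)  # fold to 16 bits
    total += total >> 16
    total &= 0xFFFF
    return total + len(data)


def verify_pe_checksum(data: bytes):
    """(stored, computed, matches) for a PE image held in memory."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = compute_pe_checksum(data)
    return stored, computed, stored == computed


def build_stub(stored_checksum: int) -> bytes:
    """Constructed 256-byte PE skeleton: MZ, e_lfanew=0x40, PE signature and a
    CheckSum field at 0x98. Not a loadable image, just enough for the sum."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)          # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + 0x40, stored_checksum)
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_stub(0xDBFAB)  # deliberately wrong stored value
    stored, computed, ok = verify_pe_checksum(image)
    print(f"stored 0x{stored:x}, computed 0x{computed:x}, {'valid' if ok else 'MISMATCH'}")
```

Run it with a file path to check a real binary (pefile users get the same answer from `pefile.PE(path).verify_checksum()`). A wrong or zero CheckSum is weak evidence by itself: the Windows loader only enforces it for drivers and a handful of boot-time system images, and plenty of legitimate user-mode binaries ship with 0. A non-zero value that does not match, on a file that also carries a signature block the report flags as invalid, does point to the image having been patched after it was linked and signed, which fits the packed-loader picture the section-rights change above describes.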

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: same unpacked-PE and memory-dump sources as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above (0.2.p47bG25tTf.exe.1000000.0.unpack, 0.3.p47bG25tTf.exe.db9d7c.0.raw.unpack, the 00000000.*.0000000003750000.00000004.00000040.sdmp dumps and Process Memory Space: p47bG25tTf.exe PID: 6576)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\p47bG25tTf.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\p47bG25tTf.exe TID: 5992 Thread sleep time: -60000s >= -30000s Jump to behavior (a negative value is a relative delay as passed to NtDelayExecution; a single delay of 60000 is twice the 30000 threshold this signature uses)
Source: p47bG25tTf.exe, 00000000.00000002.631733193.0000000001100000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: p47bG25tTf.exe, 00000000.00000002.631733193.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progman
Source: p47bG25tTf.exe, 00000000.00000002.631733193.0000000001100000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: p47bG25tTf.exe, 00000000.00000002.631733193.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\p47bG25tTf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\p47bG25tTf.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: same unpacked-PE and memory-dump sources as listed under "Key, Mouse, Clipboard, Microphone and Screen Capturing" above (0.2.p47bG25tTf.exe.1000000.0.unpack, 0.3.p47bG25tTf.exe.db9d7c.0.raw.unpack, the 00000000.*.0000000003750000.00000004.00000040.sdmp dumps and Process Memory Space: p47bG25tTf.exe PID: 6576)

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 0.2.p47bG25tTf.exe.1000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.p47bG25tTf.exe.db9d7c.0.raw.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000000.00000002.631812823.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411680498.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412285957.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411095451.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412774183.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412569620.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411978196.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411758460.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412426058.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412785825.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411605521.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412680066.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412607752.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412384175.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412743237.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411442677.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411526814.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411908339.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412640219.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.410999353.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412334976.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411184929.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412120238.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412463340.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412538373.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411360711.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412177885.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411273329.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412722714.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412702712.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412499004.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.411834632.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.412228113.0000000003750000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: p47bG25tTf.exe PID: 6576, type: MEMORYSTR