Windows Analysis Report eZY2eXORIp

Overview

General Information

Sample Name: eZY2eXORIp (renamed file extension from none to exe)
Analysis ID: 481002
MD5: 8baf707c7afeb686ca13710762829052
SHA1: e4e5310572a5f15be59a84185d7bc999a47cef2f
SHA256: ad6d0f94a890ee4ef5b0a36ab1fa2845910d3b687ef7bc0c42f0dfc3e1952469
Tags: exe, FORTHPROPERTYLTD

Detection

Ursnif Ursnif v3
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: eZY2eXORIp.exe ReversingLabs: Detection: 24%
Machine Learning detection for sample
Source: eZY2eXORIp.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.eZY2eXORIp.exe.1000000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.eZY2eXORIp.exe.619d7c.0.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: eZY2eXORIp.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: eZY2eXORIp.exe

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Users\user\Desktop\eZY2eXORIp.exe DNS query: haverit.xyz
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: haverit.xyz replaycode: Name error (3)
Source: msapplication.xml0.14.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9dce2b00,0x01d7a650</date><accdate>0x9dce2b00,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.14.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x9dce2b00,0x01d7a650</date><accdate>0x9dd5514f,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.14.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9dd5514f,0x01d7a650</date><accdate>0x9dd5514f,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.14.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x9dd5514f,0x01d7a650</date><accdate>0x9ddc796c,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.14.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9ddc796c,0x01d7a650</date><accdate>0x9ddc796c,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.14.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x9ddc796c,0x01d7a650</date><accdate>0x9ddc796c,0x01d7a650</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: eZY2eXORIp.exe, 00000000.00000003.292440254.00000000036F0000.00000004.00000040.sdmp String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: eZY2eXORIp.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: eZY2eXORIp.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: eZY2eXORIp.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: eZY2eXORIp.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: eZY2eXORIp.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: eZY2eXORIp.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: eZY2eXORIp.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: eZY2eXORIp.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: eZY2eXORIp.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: eZY2eXORIp.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: eZY2eXORIp.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: eZY2eXORIp.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: eZY2eXORIp.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: eZY2eXORIp.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.14.dr String found in binary or memory: http://www.amazon.com/
Source: eZY2eXORIp.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: msapplication.xml1.14.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.14.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.14.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.14.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.14.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.14.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.14.dr String found in binary or memory: http://www.youtube.com/
Source: eZY2eXORIp.exe, eZY2eXORIp.exe, 00000000.00000002.510872632.00000000006B8000.00000004.00000020.sdmp String found in binary or memory: https://haverit.xyz
Source: eZY2eXORIp.exe, 00000000.00000002.510961640.00000000006FE000.00000004.00000001.sdmp String found in binary or memory: https://haverit.xyz/
Source: eZY2eXORIp.exe, 00000000.00000002.510872632.00000000006B8000.00000004.00000020.sdmp, eZY2eXORIp.exe, 00000000.00000003.493318612.00000000006FC000.00000004.00000001.sdmp, ~DF19831833E1675488.TMP.26.dr String found in binary or memory: https://haverit.xyz/index.htm
Source: eZY2eXORIp.exe, 00000000.00000002.510872632.00000000006B8000.00000004.00000020.sdmp String found in binary or memory: https://haverit.xyz/index.htm5
Source: {EE1A57EC-1243-11EC-90E5-ECF4BB570DC9}.dat.26.dr String found in binary or memory: https://haverit.xyz/index.htmRoot
Source: eZY2eXORIp.exe, 00000000.00000002.510872632.00000000006B8000.00000004.00000020.sdmp String found in binary or memory: https://haverit.xyz/index.htmbY
Source: {EE1A57EC-1243-11EC-90E5-ECF4BB570DC9}.dat.26.dr String found in binary or memory: https://haverit.xyz/index.htmdex.htm
Source: eZY2eXORIp.exe String found in binary or memory: https://sectigo.com/CPS0
Source: eZY2eXORIp.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown DNS traffic detected: queries for: haverit.xyz

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 0.3.eZY2eXORIp.exe.619d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.eZY2eXORIp.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: Process Memory Space: eZY2eXORIp.exe PID: 4304, type: MEMORYSTR
Creates a DirectInput object (often for capturing keystrokes)
Source: eZY2eXORIp.exe, 00000000.00000002.510804819.000000000068A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 0.3.eZY2eXORIp.exe.619d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.eZY2eXORIp.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: Process Memory Space: eZY2eXORIp.exe PID: 4304, type: MEMORYSTR

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\eZY2eXORIp.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\eZY2eXORIp.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\eZY2eXORIp.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: eZY2eXORIp.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
PE file contains strange resources
Source: eZY2eXORIp.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eZY2eXORIp.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE / OLE file has an invalid certificate
Source: eZY2eXORIp.exe Static PE information: invalid certificate
Source: eZY2eXORIp.exe ReversingLabs: Detection: 24%
Source: eZY2eXORIp.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\eZY2eXORIp.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\eZY2eXORIp.exe 'C:\Users\user\Desktop\eZY2eXORIp.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6212 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6496 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\eZY2eXORIp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\Desktop\eZY2eXORIp.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Users\user\Desktop\eZY2eXORIp.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C85B3E60-1243-11EC-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF56A785732A2B1070.TMP
Source: classification engine Classification label: mal88.troj.evad.winEXE@7/29@8/1
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\eZY2eXORIp.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: eZY2eXORIp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: eZY2eXORIp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: eZY2eXORIp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: eZY2eXORIp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: eZY2eXORIp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: eZY2eXORIp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: eZY2eXORIp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: eZY2eXORIp.exe
Source: eZY2eXORIp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: eZY2eXORIp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: eZY2eXORIp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: eZY2eXORIp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: eZY2eXORIp.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\eZY2eXORIp.exe Unpacked PE file: 0.2.eZY2eXORIp.exe.1000000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
PE file contains an invalid checksum
Source: eZY2eXORIp.exe Static PE information: real checksum: 0xe0d1f should be: 0xe96d5
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\eZY2eXORIp.exe Code function: 0_3_036F198A push ds; retf 0_3_036F1991
Source: initial sample Static PE information: section name: .text entropy: 6.85142500946

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 0.3.eZY2eXORIp.exe.619d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.eZY2eXORIp.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: Process Memory Space: eZY2eXORIp.exe PID: 4304, type: MEMORYSTR
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\eZY2eXORIp.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\eZY2eXORIp.exe TID: 6528 Thread sleep time: -60000s >= -30000s
Source: eZY2eXORIp.exe, 00000000.00000003.493460895.00000000006EA000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllxx
Source: eZY2eXORIp.exe, 00000000.00000002.512016519.0000000001100000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: eZY2eXORIp.exe, 00000000.00000002.512016519.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progman
Source: eZY2eXORIp.exe, 00000000.00000002.512016519.0000000001100000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: eZY2eXORIp.exe, 00000000.00000002.512016519.0000000001100000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: eZY2eXORIp.exe, 00000000.00000002.512016519.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\eZY2eXORIp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\eZY2eXORIp.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct
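The evasion and reconnaissance lines above (thread 6528 sleeping 60000 against a 30000 threshold, the Shell_TrayWnd/Progman strings, the MachineGuid read, and the root\securitycenter2 AntiSpywareProduct query) are behaviours a detection can score together rather than one at a time. The Python below is an added example, not Joe Sandbox code and not part of this report: it runs a small rule set over a constructed JSON-lines event stream standing in for EDR/ETW telemetry (the schema, the 30000 ms threshold taken from the report's notation, and the rule weights are all assumptions) and totals sleeps per thread so that an evasive loop of short sleeps trips the same rule as one long call. One caveat on the "Hyper-V RAW" string next to mswsock.dll: on Windows 10 that is the display name of the Hyper-V socket provider in the Winsock catalog and shows up in any process that walks the catalog, so on its own it is weak evidence of VM detection and is deliberately left out of the rules.

```python
"""Score one process's behaviour telemetry against the evasion and
reconnaissance indicators listed in this report: cumulative thread sleeps,
Shell_TrayWnd/Progman window lookups, the MachineGuid registry read and
the root\\SecurityCenter2 WMI query.

Added example, not Joe Sandbox code. The JSON-lines event schema is a
constructed stand-in for EDR/ETW telemetry; the 30000 ms sleep threshold
is assumed from the report's '-60000s >= -30000s' line and the rule
weights are illustrative.
"""
import json
import re
from collections import Counter
from typing import Optional

SLEEP_THRESHOLD_MS = 30_000   # assumption, see docstring
DESKTOP_WINDOW_CLASSES = {"Shell_TrayWnd", "Progman"}
SECURITY_CENTER_NS = r"root\securitycenter2"
SECURITY_PRODUCT_CLASSES = {"antivirusproduct", "antispywareproduct", "firewallproduct"}
MACHINE_GUID_KEY = r"hkey_local_machine\software\microsoft\cryptography"

# rule id -> (description, weight); weights are illustrative
RULES = {
    "wmi_security_center_enum": ("enumerates AV/antispyware/firewall products via WMI", 3),
    "registry_machine_guid_read": ("reads MachineGuid, a stable per-host fingerprint", 2),
    "desktop_window_probe": ("looks for the taskbar/desktop windows an interactive session has", 2),
    "long_sleep": ("a thread sleeps past the sandbox threshold, possibly in a loop", 1),
}


def _wmi_class(query: str) -> str:
    """Return the lower-cased class name after FROM in a WQL query ('' if none)."""
    m = re.search(r"\bfrom\s+([A-Za-z_][A-Za-z0-9_]*)", query, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def classify(event: dict) -> Optional[str]:
    """Map a single non-sleep event to a rule id, or None if it is not interesting."""
    kind = event.get("type")
    if kind == "wmi_query":
        ns = event.get("namespace", "").replace("/", "\\").lower()
        if ns == SECURITY_CENTER_NS and _wmi_class(event.get("query", "")) in SECURITY_PRODUCT_CLASSES:
            return "wmi_security_center_enum"
    elif kind == "reg_query":
        if (event.get("key", "").lower() == MACHINE_GUID_KEY
                and event.get("value", "").lower() == "machineguid"):
            return "registry_machine_guid_read"
    elif kind == "find_window":
        if event.get("class") in DESKTOP_WINDOW_CLASSES:
            return "desktop_window_probe"
    return None


def score(events_jsonl: str) -> dict:
    """Count rule hits over a JSON-lines event stream and return a weighted verdict."""
    hits: Counter = Counter()
    sleep_ms_per_thread: Counter = Counter()
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("type") == "sleep":
            # Evasive loops split the delay into many short sleeps, so total per thread
            # rather than testing each call against the threshold.
            sleep_ms_per_thread[event.get("tid", 0)] += int(event.get("ms", 0))
            continue
        rule = classify(event)
        if rule:
            hits[rule] += 1
    for total_ms in sleep_ms_per_thread.values():
        if total_ms >= SLEEP_THRESHOLD_MS:
            hits["long_sleep"] += 1
    total = sum(RULES[rule][1] for rule in hits)   # each rule's weight counts once
    return {"hits": dict(hits), "score": total,
            "verdict": "suspicious" if total >= 5 else "benign"}


# Constructed telemetry for PID 4304, modelled on the behaviours in this report.
SAMPLE_EVENTS = r'''
{"type": "wmi_query", "pid": 4304, "namespace": "root\\cimv2", "query": "select * from Win32_OperatingSystem"}
{"type": "wmi_query", "pid": 4304, "namespace": "root\\securitycenter2", "query": "select * from antispywareproduct"}
{"type": "reg_query", "pid": 4304, "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography", "value": "MachineGuid"}
{"type": "find_window", "pid": 4304, "class": "Shell_TrayWnd"}
{"type": "find_window", "pid": 4304, "class": "Progman"}
{"type": "sleep", "pid": 4304, "tid": 6528, "ms": 20000}
{"type": "sleep", "pid": 4304, "tid": 6528, "ms": 20000}
{"type": "sleep", "pid": 4304, "tid": 6528, "ms": 20000}
{"type": "sleep", "pid": 4304, "tid": 1234, "ms": 5000}
'''

if __name__ == "__main__":
    result = score(SAMPLE_EVENTS)
    for rule, count in result["hits"].items():
        print(f"{rule:28s} x{count}  {RULES[rule][0]}")
    print("score", result["score"], "->", result["verdict"])
```

The root\cimv2 query in the sample is there to show that only the SecurityCenter2 product classes fire the WMI rule; ordinary inventory queries against cimv2 are too common in legitimate software to score. The MachineGuid read scores on its own because it is read-only and leaves no registry write for Sysmon to log, so a query-level source (ETW or an EDR hook) is needed to see it at all.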

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 0.3.eZY2eXORIp.exe.619d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.eZY2eXORIp.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.292866191.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291929905.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292913639.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291547643.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291632853.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291835576.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292487674.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292971089.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292333881.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292136155.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291360640.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.512177753.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292440254.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291279386.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291701567.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292984133.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292892828.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292791301.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292276017.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292076935.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292753214.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292948084.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292386062.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291458965.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291769273.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292670276.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291996066.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292712718.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292211990.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292930955.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292554837.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292619377.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292820042.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eZY2eXORIp.exe PID: 4304, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 0.3.eZY2eXORIp.exe.619d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.eZY2eXORIp.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000000.00000003.292866191.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291929905.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292913639.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291547643.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291632853.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291835576.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292487674.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292971089.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292333881.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292136155.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291360640.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.512177753.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292440254.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291279386.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291701567.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292984133.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292892828.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292791301.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292276017.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292076935.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292753214.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292948084.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292386062.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291458965.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291769273.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292670276.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.291996066.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292712718.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292211990.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292930955.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292554837.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292619377.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.292820042.00000000036F0000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: eZY2eXORIp.exe PID: 4304, type: MEMORYSTR
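The memory-dump matches above repeat under Stealing of Sensitive Information and Remote Access Functionality: 33 dumps, every one of the same region at 0x36F0000 in process 0 (the second identifier field is 00000003 for all but one of them), plus two unpacked PEs and one whole-process string match. Pulling that out of a hundred near-identical lines is easier with a parser. The Python below is an added example, not Joe Sandbox code: it splits the dump identifiers into fields (the field meanings are assumed from the naming pattern in this report, not taken from a documented format, and the two trailing attribute words are left undecoded), groups matches by process and base address, and prints an analyst summary; the sample input is an excerpt of this report's own lines plus one non-match line.

```python
"""Turn the 'Source: Yara match File source: ...' lines of a Joe Sandbox
report into records and summarise which memory regions the Ursnif rule
kept firing on.

Added example, not Joe Sandbox code. The field meanings assumed for an
.sdmp name (process index . dump stage . dump id . base address . two
memory-attribute words) are inferred from the naming pattern in this
report, not from a documented format; the attribute words are matched
but not decoded.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(r"^Source: Yara match File source: (?P<src>.+?), type: (?P<kind>[A-Z]+)\s*$")
# e.g. 00000000.00000003.292276017.00000000036F0000.00000004.00000040.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<stage>[0-9a-f]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<attr_a>[0-9a-f]{8})\.(?P<attr_b>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)
# e.g. 0.3.eZY2eXORIp.exe.619d7c.0.raw.unpack
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+)\.(?P<base>[0-9a-f]+)\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack$",
    re.IGNORECASE,
)
# e.g. Process Memory Space: eZY2eXORIp.exe PID: 4304
PIDSPACE_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")


@dataclass
class YaraHit:
    kind: str                    # MEMORY, UNPACKEDPE or MEMORYSTR
    proc: Optional[int] = None   # process index within the analysis (assumed meaning)
    stage: Optional[int] = None  # second identifier field, "dump stage" (assumed meaning)
    base: Optional[int] = None   # base address of the dumped region / unpacked image
    image: str = ""
    pid: Optional[int] = None


def parse_hit(line: str) -> Optional[YaraHit]:
    """Parse one report line; returns None for lines that are not Yara matches."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, kind = m["src"], m["kind"]
    if kind == "MEMORY" and (d := SDMP_RE.match(src)):
        return YaraHit(kind, int(d["proc"], 16), int(d["stage"], 16), int(d["base"], 16))
    if kind == "UNPACKEDPE" and (u := UNPACK_RE.match(src)):
        return YaraHit(kind, int(u["proc"]), int(u["stage"]), int(u["base"], 16), u["image"])
    if kind == "MEMORYSTR" and (p := PIDSPACE_RE.match(src)):
        return YaraHit(kind, image=p["image"], pid=int(p["pid"]))
    return None


def summarise(lines) -> dict:
    """Group hits: memory regions by (process, base), unpacked PEs, and scanned PIDs."""
    regions = defaultdict(lambda: {"hits": 0, "stages": set()})
    unpacked, pids = [], set()
    for line in lines:
        hit = parse_hit(line)
        if hit is None:
            continue
        if hit.kind == "MEMORY":
            regions[(hit.proc, hit.base)]["hits"] += 1
            regions[(hit.proc, hit.base)]["stages"].add(hit.stage)
        elif hit.kind == "UNPACKEDPE":
            unpacked.append((hit.proc, hit.stage, hit.base))
        else:
            pids.add(hit.pid)
    return {"regions": dict(regions), "unpacked": unpacked, "pids": pids}


def triage(summary: dict) -> list:
    """Render the summary as analyst-facing lines."""
    out = []
    for (proc, base), info in sorted(summary["regions"].items()):
        note = " (one region re-dumped, not a new drop)" if info["hits"] > 1 else ""
        out.append(f"process {proc}: region 0x{base:08X} matched {info['hits']}x "
                   f"in stages {sorted(info['stages'])}{note}")
    for proc, stage, base in summary["unpacked"]:
        out.append(f"process {proc}: unpacked PE at 0x{base:08X} (stage {stage}) matched")
    for pid in sorted(summary["pids"]):
        out.append(f"PID {pid}: string-level match across the whole process memory")
    return out


# Excerpt of this report's match lines plus one non-match line, used as sample input.
SAMPLE_LINES = [
    "Source: Yara match File source: 0.3.eZY2eXORIp.exe.619d7c.0.raw.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 0.2.eZY2eXORIp.exe.1000000.0.unpack, type: UNPACKEDPE",
    "Source: Yara match File source: 00000000.00000003.292866191.00000000036F0000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000002.512177753.00000000036F0000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000003.292276017.00000000036F0000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: 00000000.00000003.292076935.00000000036F0000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara match File source: Process Memory Space: eZY2eXORIp.exe PID: 4304, type: MEMORYSTR",
    "Source: C:\\Users\\user\\Desktop\\eZY2eXORIp.exe TID: 6528 Thread sleep time: -60000s >= -30000s",
]

if __name__ == "__main__":
    print("\n".join(triage(summarise(SAMPLE_LINES))))
```

Run against the full report the region list collapses to a single entry, which is the useful fact: the Ursnif rule fires on one private region that the sandbox dumped repeatedly during the run and once more at the end, not on a chain of separately dropped payloads, while the UNPACKEDPE entries point at where the unpacked image and the patched original (0.3 ... 619d7c) sit for static follow-up.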