Windows Analysis Report PiSUfsy.exe

Overview

General Information

Sample Name: PiSUfsy.exe
Analysis ID: 481080
MD5: ddb8cc4e8e2ec81904a1407409d2e868
SHA1: 5f594f30bcf6b00213916e5aa987db98d764fbb2
SHA256: e0f81b847c0c02e0352607f852bdfb651925c35655ebf0be9b4fd2ef034661f3
Tags: exe, FORTHPROPERTYLTD, Ursnif

Detection

Ursnif Ursnif v3
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: PiSUfsy.exe Virustotal: Detection: 20%
Multi AV Scanner detection for domain / URL
Source: haverit.xyz Virustotal: Detection: 5%
Machine Learning detection for sample
Source: PiSUfsy.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.PiSUfsy.exe.1000000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.PiSUfsy.exe.519d7c.0.unpack Avira: Label: TR/Patched.Ren.Gen

Compliance:

Uses 32bit PE files
Source: PiSUfsy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: PiSUfsy.exe

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Users\user\Desktop\PiSUfsy.exe DNS query: haverit.xyz
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: haverit.xyz reply code: Server failure (2)
Source: unknown DNS traffic detected: query: haverit.xyz reply code: Name error (3)
Source: msapplication.xml0.9.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x18cc8a76,0x01d7a668</date><accdate>0x18cc8a76,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.9.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x18cc8a76,0x01d7a668</date><accdate>0x18cc8a76,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.9.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.9.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.9.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.9.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x18d3b2d8,0x01d7a668</date><accdate>0x18d3b2d8,0x01d7a668</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: PiSUfsy.exe, 00000000.00000003.264598600.00000000035D0000.00000004.00000040.sdmp String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: PiSUfsy.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: PiSUfsy.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: PiSUfsy.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: PiSUfsy.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: PiSUfsy.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: PiSUfsy.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: PiSUfsy.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: PiSUfsy.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: PiSUfsy.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: PiSUfsy.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: PiSUfsy.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: PiSUfsy.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: PiSUfsy.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: PiSUfsy.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.9.dr String found in binary or memory: http://www.amazon.com/
Source: PiSUfsy.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: msapplication.xml1.9.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.9.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.9.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.9.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.9.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.9.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.9.dr String found in binary or memory: http://www.youtube.com/
Source: PiSUfsy.exe String found in binary or memory: https://haverit.xyz
Source: ~DF0F34E919A9CE89F7.TMP.25.dr String found in binary or memory: https://haverit.xyz/index.htm
Source: {435219D2-125B-11EC-90E4-ECF4BB862DED}.dat.9.dr String found in binary or memory: https://haverit.xyz/index.htmRoot
Source: {435219D2-125B-11EC-90E4-ECF4BB862DED}.dat.9.dr String found in binary or memory: https://haverit.xyz/index.htmdex.htm
Source: PiSUfsy.exe String found in binary or memory: https://sectigo.com/CPS0
Source: PiSUfsy.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown DNS traffic detected: queries for: haverit.xyz

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 0.3.PiSUfsy.exe.519d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PiSUfsy.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: Process Memory Space: PiSUfsy.exe PID: 6456, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\PiSUfsy.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\PiSUfsy.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\PiSUfsy.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\PiSUfsy.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\PiSUfsy.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\PiSUfsy.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\PiSUfsy.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: PiSUfsy.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
PE file contains strange resources
Source: PiSUfsy.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE / OLE file has an invalid certificate
Source: PiSUfsy.exe Static PE information: invalid certificate
Source: PiSUfsy.exe Virustotal: Detection: 20%
Source: PiSUfsy.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PiSUfsy.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PiSUfsy.exe 'C:\Users\user\Desktop\PiSUfsy.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3040 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6724 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\PiSUfsy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\Desktop\PiSUfsy.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Users\user\Desktop\PiSUfsy.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DFEEC0DD00867AC61A.TMP
Source: classification engine Classification label: mal96.troj.evad.winEXE@7/29@8/0
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\PiSUfsy.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: PiSUfsy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PiSUfsy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PiSUfsy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PiSUfsy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PiSUfsy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PiSUfsy.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: PiSUfsy.exe
Source: PiSUfsy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PiSUfsy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PiSUfsy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PiSUfsy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PiSUfsy.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\PiSUfsy.exe Unpacked PE file: 0.2.PiSUfsy.exe.1000000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
PE file contains an invalid checksum
Source: PiSUfsy.exe Static PE information: real checksum: 0xe5347 should be: 0xe1814
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PiSUfsy.exe Code function: 0_3_035D198A push ds; retf 0_3_035D1991
Source: initial sample Static PE information: section name: .text entropy: 6.85141881321

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\PiSUfsy.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PiSUfsy.exe TID: 6528 Thread sleep time: -30000s >= -30000s
Source: PiSUfsy.exe, 00000000.00000002.491389061.0000000001100000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: PiSUfsy.exe, 00000000.00000002.491389061.0000000001100000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: PiSUfsy.exe, 00000000.00000002.491389061.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progman
Source: PiSUfsy.exe, 00000000.00000002.491389061.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PiSUfsy.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\PiSUfsy.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 0.3.PiSUfsy.exe.519d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PiSUfsy.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: Process Memory Space: PiSUfsy.exe PID: 6456, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 0.3.PiSUfsy.exe.519d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PiSUfsy.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: Process Memory Space: PiSUfsy.exe PID: 6456, type: MEMORYSTR