Windows Analysis Report CGd7lq6RDL.dll

Overview

General Information

Sample Name: CGd7lq6RDL.dll (renamed file extension from dll to exe)
Analysis ID: 481103
MD5: c7b71f03f190a5da3e4976f37194419f
SHA1: 8e750d01e1a5edb2c320e1b0b703b5823f241587
SHA256: 930d54df724f1637f38d840e1822fa8f5cccedceb4b86d0e737e2311162e0921

Detection

Ursnif Ursnif v3
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Detected unpacking (changes PE section rights)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

AV Detection:

Machine Learning detection for sample
Source: CGd7lq6RDL.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.3.CGd7lq6RDL.exe.da9d7c.0.unpack Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen7

Compliance:

Uses 32bit PE files
Source: CGd7lq6RDL.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: CGd7lq6RDL.exe

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe DNS query: haverit.xyz
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe DNS query: haverit.xyz
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: haverit.xyz replaycode: Name error (3)
Source: msapplication.xml0.9.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.9.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xb5fcbe9d,0x01d7a66e</date><accdate>0xb5fcbe9d,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.9.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.9.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.9.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.9.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xb603e652,0x01d7a66e</date><accdate>0xb603e652,0x01d7a66e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: CGd7lq6RDL.exe, 00000001.00000003.385278956.0000000003610000.00000004.00000040.sdmp String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: CGd7lq6RDL.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: CGd7lq6RDL.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CGd7lq6RDL.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: CGd7lq6RDL.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: CGd7lq6RDL.exe String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: CGd7lq6RDL.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: CGd7lq6RDL.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: CGd7lq6RDL.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: CGd7lq6RDL.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CGd7lq6RDL.exe String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: CGd7lq6RDL.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: CGd7lq6RDL.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: CGd7lq6RDL.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: CGd7lq6RDL.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.9.dr String found in binary or memory: http://www.amazon.com/
Source: CGd7lq6RDL.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: msapplication.xml1.9.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.9.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.9.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.9.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.9.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.9.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.9.dr String found in binary or memory: http://www.youtube.com/
Source: CGd7lq6RDL.exe String found in binary or memory: https://haverit.xyz
Source: ~DF849AFB3A04ECE3BF.TMP.9.dr String found in binary or memory: https://haverit.xyz/index.htm
Source: {E0443E1C-1261-11EC-90E5-ECF4BB2D2496}.dat.9.dr String found in binary or memory: https://haverit.xyz/index.htmRoot
Source: {E0443E1C-1261-11EC-90E5-ECF4BB2D2496}.dat.9.dr String found in binary or memory: https://haverit.xyz/index.htmdex.htm
Source: CGd7lq6RDL.exe String found in binary or memory: https://sectigo.com/CPS0
Source: CGd7lq6RDL.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown DNS traffic detected: queries for: haverit.xyz

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.385018366.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384548084.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383601456.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385072202.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384483225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384261011.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385265307.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385224495.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384337083.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383794745.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385278956.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383290755.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385120189.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385245280.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384188109.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384802369.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383702783.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383888043.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384673722.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384849581.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385191377.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383501926.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384938347.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.606209100.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384982348.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385155225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384003623.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384615803.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384747658.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383189063.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384415120.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384102374.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384895266.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.385018366.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384548084.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383601456.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385072202.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384483225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384261011.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385265307.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385224495.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384337083.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383794745.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385278956.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383290755.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385120189.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385245280.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384188109.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384802369.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383702783.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383888043.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384673722.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384849581.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385191377.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383501926.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384938347.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.606209100.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384982348.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385155225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384003623.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384615803.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384747658.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383189063.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384415120.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384102374.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384895266.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Uses 32bit PE files
Source: CGd7lq6RDL.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
PE file contains strange resources
Source: CGd7lq6RDL.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CGd7lq6RDL.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
PE / OLE file has an invalid certificate
Source: CGd7lq6RDL.exe Static PE information: invalid certificate
Source: CGd7lq6RDL.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\CGd7lq6RDL.exe 'C:\Users\user\Desktop\CGd7lq6RDL.exe'
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5656 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6672 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5656 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E0443E1A-1261-11EC-90E5-ECF4BB2D2496}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF9956526A696EBC76.TMP
Source: classification engine Classification label: mal80.troj.evad.winEXE@7/29@8/1
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: CGd7lq6RDL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: CGd7lq6RDL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: CGd7lq6RDL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: CGd7lq6RDL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: CGd7lq6RDL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: CGd7lq6RDL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: CGd7lq6RDL.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb source: CGd7lq6RDL.exe
Source: CGd7lq6RDL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: CGd7lq6RDL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: CGd7lq6RDL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: CGd7lq6RDL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: CGd7lq6RDL.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe Unpacked PE file: 1.2.CGd7lq6RDL.exe.1000000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
PE file contains an invalid checksum
Source: CGd7lq6RDL.exe Static PE information: real checksum: 0xe5cf6 should be: 0xdf042
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe Code function: 1_3_0361198A push ds; retf 1_3_03611991
Source: initial sample Static PE information: section name: .text entropy: 6.85142771967

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.385018366.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384548084.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383601456.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385072202.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384483225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384261011.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385265307.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385224495.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384337083.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383794745.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385278956.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383290755.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385120189.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385245280.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384188109.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384802369.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383702783.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383888043.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384673722.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384849581.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385191377.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383501926.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384938347.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.606209100.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384982348.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385155225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384003623.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384615803.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384747658.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383189063.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384415120.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384102374.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384895266.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe TID: 5976 Thread sleep time: -30000s >= -30000s
Source: CGd7lq6RDL.exe, 00000001.00000002.606098013.0000000001100000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: CGd7lq6RDL.exe, 00000001.00000002.606098013.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progman
Source: CGd7lq6RDL.exe, 00000001.00000002.606098013.0000000001100000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: CGd7lq6RDL.exe, 00000001.00000002.606098013.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\CGd7lq6RDL.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.385018366.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384548084.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383601456.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385072202.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384483225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384261011.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385265307.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385224495.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384337083.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383794745.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385278956.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383290755.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385120189.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385245280.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384188109.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384802369.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383702783.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383888043.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384673722.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384849581.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385191377.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383501926.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384938347.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.606209100.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384982348.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385155225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384003623.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384615803.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384747658.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383189063.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384415120.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384102374.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384895266.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 1.3.CGd7lq6RDL.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.CGd7lq6RDL.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match File source: 00000001.00000003.385018366.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384548084.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383601456.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385072202.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384483225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384261011.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385265307.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385224495.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384337083.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383794745.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385278956.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383290755.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385120189.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385245280.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384188109.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384802369.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383702783.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383888043.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384673722.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384849581.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385191377.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383501926.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384938347.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.606209100.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384982348.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.385155225.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384003623.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384615803.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384747658.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.383189063.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384415120.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384102374.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000003.384895266.0000000003610000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: CGd7lq6RDL.exe PID: 6948, type: MEMORYSTR