
Windows Analysis Report ixGWwYWQOV.exe

Overview

General Information

Sample Name: ixGWwYWQOV.exe
Analysis ID: 481298
MD5: 6c4e1328230fd65c2c8232e7b9f838ae
SHA1: 9cfbf6477457d26555e37ad3717cccd3aadc7dbe
SHA256: 31941577d287f7445f2791c78da17ffcd54baee40acf61dc0ff27a3f1d5253e6
Tags: exe, Gozi

Detection

Ursnif, Ursnif v3
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Ursnif
Multi AV Scanner detection for submitted file
Detected unpacking (changes PE section rights)
Yara detected Ursnif
Writes or reads registry keys via WMI
Writes registry values via WMI
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
PE file contains an invalid checksum
PE file contains strange resources
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
PE / OLE file has an invalid certificate
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Process Tree

  • System is w10x64
  • ixGWwYWQOV.exe (PID: 5244 cmdline: 'C:\Users\user\Desktop\ixGWwYWQOV.exe' MD5: 6C4E1328230FD65C2C8232E7B9F838AE)
  • iexplore.exe (PID: 6264 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6312 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6264 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • iexplore.exe (PID: 5452 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 5608 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5452 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000003.299620365.0000000003510000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.299260696.0000000003510000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.299197344.0000000003510000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.298965891.0000000003510000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
00000000.00000003.300025842.0000000003510000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security

Unpacked PEs

Source | Rule | Description | Author
0.3.ixGWwYWQOV.exe.da9d7c.0.raw.unpack | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security
0.2.ixGWwYWQOV.exe.1000000.0.unpack | JoeSecurity_Ursnifv3 | Yara detected Ursnif | Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: ixGWwYWQOV.exe | VirusTotal: Detection: 21%
Source: ixGWwYWQOV.exe | ReversingLabs: Detection: 26%
Machine Learning detection for sample
Source: ixGWwYWQOV.exe | Joe Sandbox ML: detected
Source: 0.2.ixGWwYWQOV.exe.1000000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen7
Source: 0.3.ixGWwYWQOV.exe.da9d7c.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: ixGWwYWQOV.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb | source: ixGWwYWQOV.exe

Networking:

Performs DNS queries to domains with low reputation
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | DNS query: haverit.xyz
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | DNS query: haverit.xyz
Source: unknown | DNS traffic detected: query: haverit.xyz reply code: Server failure (2)
Source: unknown | DNS traffic detected: query: haverit.xyz reply code: Name error (3)
Source: msapplication.xml0.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xeca8a590,0x01d7a69e</date><accdate>0xeca8a590,0x01d7a69e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xeca8a590,0x01d7a69e</date><accdate>0xeca8a590,0x01d7a69e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xecafcbfa,0x01d7a69e</date><accdate>0xecafcbfa,0x01d7a69e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xecafcbfa,0x01d7a69e</date><accdate>0xecafcbfa,0x01d7a69e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xecafcbfa,0x01d7a69e</date><accdate>0xecafcbfa,0x01d7a69e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.14.dr | String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xecafcbfa,0x01d7a69e</date><accdate>0xecafcbfa,0x01d7a69e</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: ixGWwYWQOV.exe, 00000000.00000003.299926777.0000000003510000.00000004.00000040.sdmp | String found in binary or memory: http://%s=%s&file://&os=%u.%u_%u_%u_x%uindex.html;
Source: ixGWwYWQOV.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: ixGWwYWQOV.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: ixGWwYWQOV.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: ixGWwYWQOV.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: ixGWwYWQOV.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: ixGWwYWQOV.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: ixGWwYWQOV.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: ixGWwYWQOV.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: ixGWwYWQOV.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: ixGWwYWQOV.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: ixGWwYWQOV.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: ixGWwYWQOV.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: ixGWwYWQOV.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: ixGWwYWQOV.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: msapplication.xml.14.dr | String found in binary or memory: http://www.amazon.com/
Source: ixGWwYWQOV.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: msapplication.xml1.14.dr | String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.14.dr | String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.14.dr | String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.14.dr | String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.14.dr | String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.14.dr | String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.14.dr | String found in binary or memory: http://www.youtube.com/
Source: ixGWwYWQOV.exe | String found in binary or memory: https://haverit.xyz
Source: ~DFB8A0D879113F03C7.TMP.28.dr | String found in binary or memory: https://haverit.xyz/index.htm
Source: {16F18D8A-1292-11EC-90E6-ECF4BB82F7E0}.dat.14.dr | String found in binary or memory: https://haverit.xyz/index.htmRoot
Source: {16F18D8A-1292-11EC-90E6-ECF4BB82F7E0}.dat.14.dr | String found in binary or memory: https://haverit.xyz/index.htmdex.htm
Source: ixGWwYWQOV.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: ixGWwYWQOV.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: unknown | DNS traffic detected: queries for: haverit.xyz

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match | File source: 0.3.ixGWwYWQOV.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ixGWwYWQOV.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: ixGWwYWQOV.exe PID: 5244, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match | File source: 0.3.ixGWwYWQOV.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ixGWwYWQOV.exe.1000000.0.unpack, type: UNPACKEDPE
Yara detected Ursnif
Source: Yara match | File source: Process Memory Space: ixGWwYWQOV.exe PID: 5244, type: MEMORYSTR

System Summary:

Writes or reads registry keys via WMI
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetDWORDValue
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: ixGWwYWQOV.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: ixGWwYWQOV.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: ixGWwYWQOV.exe | Static PE information: invalid certificate
Source: ixGWwYWQOV.exe | VirusTotal: Detection: 21%
Source: ixGWwYWQOV.exe | ReversingLabs: Detection: 26%
Source: ixGWwYWQOV.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\ixGWwYWQOV.exe 'C:\Users\user\Desktop\ixGWwYWQOV.exe'
Source: unknown | Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6264 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe | Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5452 CREDAT:17410 /prefetch:2
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{674B6698-EE92-11D0-AD71-00C04FD8FDFF}\InprocServer32
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\1978EE24-ED7A-8F95-C655-46BAE5CC03A0
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select * from win32_process
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{16F18D88-1292-11EC-90E6-ECF4BB82F7E0}.dat
Source: C:\Program Files\internet explorer\iexplore.exe | File created: C:\Users\user~1\AppData\Local\Temp\~DFA52BA84DB18EF3E4.TMP
Source: classification engine | Classification label: mal88.troj.evad.winEXE@7/29@8/0
Source: C:\Program Files\internet explorer\iexplore.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: ixGWwYWQOV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ixGWwYWQOV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ixGWwYWQOV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ixGWwYWQOV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ixGWwYWQOV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ixGWwYWQOV.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Binary string: c:\Muchwin\WorkWhich\centstring\shinegray\WanthumanMarket.pdb | source: ixGWwYWQOV.exe
Source: ixGWwYWQOV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: ixGWwYWQOV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: ixGWwYWQOV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: ixGWwYWQOV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: ixGWwYWQOV.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | Unpacked PE file: 0.2.ixGWwYWQOV.exe.1000000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.bss:W;.reloc:R;
Source: ixGWwYWQOV.exe | Static PE information: real checksum: 0xe48d2 should be: 0xe2eb8
Source: C:\Users\user\Desktop\ixGWwYWQOV.exe | Code function: 0_3_0351198A push ds; retf 0_3_03511991
                Source: initial sample Static PE information: section name: .text entropy: 6.85142443524

                Hooking and other Techniques for Hiding and Protection:

                Yara detected Ursnif
                Source: Yara match File source: 0.3.ixGWwYWQOV.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.ixGWwYWQOV.exe.1000000.0.unpack, type: UNPACKEDPE
                Yara detected Ursnif
                Source: Yara match File source: Process Memory Space: ixGWwYWQOV.exe PID: 5244, type: MEMORYSTR
                Source: C:\Users\user\Desktop\ixGWwYWQOV.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
                Source: C:\Users\user\Desktop\ixGWwYWQOV.exe TID: 6492 Thread sleep time: -30000s >= -30000s
                Source: ixGWwYWQOV.exe, 00000000.00000002.521402829.0000000001100000.00000002.00020000.sdmp Binary or memory string: uProgram Manager
                Source: ixGWwYWQOV.exe, 00000000.00000002.521402829.0000000001100000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
                Source: ixGWwYWQOV.exe, 00000000.00000002.521402829.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progman
                Source: ixGWwYWQOV.exe, 00000000.00000002.521402829.0000000001100000.00000002.00020000.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\ixGWwYWQOV.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: C:\Users\user\Desktop\ixGWwYWQOV.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : select * from antispywareproduct

                Stealing of Sensitive Information:

                Yara detected Ursnif
                Source: Yara match File source: 0.3.ixGWwYWQOV.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.ixGWwYWQOV.exe.1000000.0.unpack, type: UNPACKEDPE
                Yara detected Ursnif
                Source: Yara match File source: Process Memory Space: ixGWwYWQOV.exe PID: 5244, type: MEMORYSTR

                Remote Access Functionality:

                Yara detected Ursnif
                Source: Yara match File source: 0.3.ixGWwYWQOV.exe.da9d7c.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.ixGWwYWQOV.exe.1000000.0.unpack, type: UNPACKEDPE
                Yara detected Ursnif
                Source: Yara match File source: Process Memory Space: ixGWwYWQOV.exe PID: 5244, type: MEMORYSTR

                Mitre Att&ck Matrix

                The matrix was flattened during extraction; it is listed here one tactic per line. Bracketed numbers are the signature-count badges the report prints next to the techniques it matched, reproduced as printed.

                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                Execution: Windows Management Instrumentation [211]; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                Privilege Escalation: Process Injection [2]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                Defense Evasion: Masquerading [1]; Virtualization/Sandbox Evasion [1]; Process Injection [2]; Obfuscated Files or Information [2]; Software Packing [12]; Steganography; Compile After Delivery
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                Discovery: Query Registry [1]; Security Software Discovery [1]; Virtualization/Sandbox Evasion [1]; Process Discovery [1]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [3]
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Command and Control: Non-Application Layer Protocol [1]; Application Layer Protocol [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

                Behavior Graph

                [Behavior graph image not available; the information recoverable from its node labels follows.]
                Behavior Graph ID: 481298. Sample: ixGWwYWQOV.exe. Start date: 10/09/2021. Architecture: WINDOWS. Score: 88.
                Top-level signatures: Multi AV Scanner detection for submitted file; Yara detected Ursnif (listed twice); 2 other signatures.
                Processes started: ixGWwYWQOV.exe; iexplore.exe (two instances), each of which starts a child iexplore.exe.
                ixGWwYWQOV.exe: DNS lookup of haverit.xyz; signatures: Detected unpacking (changes PE section rights); Performs DNS queries to domains with low reputation; Writes or reads registry keys via WMI; Writes registry values via WMI.
                Child iexplore.exe processes: DNS lookup of haverit.xyz.

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.